CNIL Weighs in On GDPR Applicability to US Company

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

The French Data Protection Authority (CNIL) capped off 2022 by terminating an investigation into Lusha Systems, Inc.’s compliance with GDPR. CNIL concluded that the law did not apply to the US company’s activities. As many know, since GDPR was passed, US companies have been concerned about the extent to which the law applies outside of the EU: it applies not only to entities with operations in the EU, but also to those outside the region that are either offering goods or services to people in the EU or monitoring individuals in the EU. Here, CNIL concluded that Lusha was not offering goods or services to those in the EU, nor was it monitoring those in the EU.

The European Data Protection Board has issued guidance and examples on the scope of GDPR. These include “monitoring” situations, perhaps the trickiest fact pattern. However, the guidance gives examples of when GDPR would apply, but not of situations where it would not apply. The Lusha case is thus helpful to companies as they consider GDPR applicability.

The activities in question centered on the company’s browser extension, which let users append phone numbers and email addresses to contacts on LinkedIn or Salesforce. To accomplish this, Lusha matched LinkedIn and Salesforce user profiles with contact information it had previously obtained from other users’ address books. (Specifically, users of its browser extension were prompted to share their address book data, and the email addresses and phone numbers in that data would go into Lusha’s database.) Some of those individuals (from the users’ address books) resided in the EU.

In concluding that GDPR was inapplicable, CNIL noted that the users of the service were in the US, not the EU, and thus the services were not offered to EU individuals (even if some EU individuals’ information was being obtained by the service). With respect to the question of monitoring those in the EU, CNIL concluded that the pulling of contact information was not “monitoring.”

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting it Into Practice: For US companies with no EU operations, this case is a good reminder that the mere fact that your organization has information about EU individuals does not automatically mean GDPR applies. Instead, an analysis needs to be made of the extent to which you are offering goods or services to people in the EU, or are monitoring EU residents.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
