The French Data Protection Authority CNIL has closed its inquiry into Lusha Systems, Inc.’s adherence to GDPR after concluding that the US-based company was exempt from complying with the law. Generally, GDPR applies not just to entities resident in the European Union but also to those located outside the region who either provide goods or services to EU citizens or monitor them in some way. However, CNIL determined that Lusha’s activities did not fit either criteria, as it is neither delivering goods or services nor monitoring persons in the EU.
The controversy revolved around Lusha’s browser extension, which allows users to add phone numbers and email addresses to contacts linked to LinkedIn or Salesforce. To do this, Lusha correlates information derived from these user profiles with contact data obtained from other users’ address books. These address books often contain personal details belonging to EU citizens.
Ultimately, CNIL ruled that GDPR did not apply in this case because: 1) the users of Lusha’s service were based in the US and so their products were not being directed towards a European audience; and 2) they concluded that extracting contact information did not constitute monitoring.