Decision SAN-2022-024 of 20 December 2022 concerning LUSHA SYSTEMS INC.

The American Company, LUSHA SYSTEMS INC (“LUSHA“), markets an extension to the Google Chrome browser called “Lusha”. The latter allows its users to obtain the professional contact information of people whose profiles they visit on the LinkedIn and Salesforce networks using the LUSHA database. Three mobile applications – developed by Israeli subsidiaries owned by LUSHA – allow the Lusha extension to feed its database giving access to the address books of people downloading those applications on their smartphone. These mobile applications are, at this time, no longer accessible from the European Union. Thus, the Lusha extension allows the collection, storage, structuring, cross-referencing and dissemination of personal data, including “raw” contact data of users of the applications, which constitutes a single processing of personal data for the purposes of combating online fraud and making available contact information of data subjects.

The question then becomes: is the GDPR applicable to LUSHA?

In the first part of its analysis, the CNIL distinguishes between three distinct categories of persons:

  • First, mobile application users, i.e., the people whose address books feed the Lusha database;
  • Then, data subjects, also called target persons, i.e., the persons whose contact data are in the LUSHA database;
  • Finally, Lusha extension users, i.e., the company’s customers, using the Lusha extension.

The CNIL deems that the users of the Lusha extension are therefore not data subjects.

It goes on to announce that Article 3 of the GDPR regarding territorial scope does not apply because the following criteria are not met:

  1. The GDPR applies to the processing of personal data carried out by an organization established in the Union – LUSHA is located in the United States and its subsidiaries, which enable the database to be enhanced, are located in Israel.
  2. The GDPR applies to organizations outside the Union offering goods or services to data subjects located in the Union – LUSHA offers its services only to Lusha users and not to “data subjects” which, for the CNIL, are the persons whose contact data are in the database, if one refers to the distinction explained above.
  3. The GDPR applies to organizations tracking the behavior of data subjects, as long as the behavior takes place within the Union – matching business contact data (phone, email address) with the identities of people whose profiles are visited on LinkedIn and Salesforce is not processing that consists of analyzing or predicting behavior, a person’s personal preferences or movements, interests, economic situation, or health status.

As a result, the CNIL deems that the GDPR and its obligations are not applicable to LUSHA.

What conclusions can be drawn from this?

 The CNIL’s decision seems to comply with the letter of the GDPR, but what about the spirit and the teleological approach of the Regulation?

LUSHA’s customers, who are targeting B2B relationships, will most certainly be subject to the GDPR via its Articles 3.1 or 3.2(b). The act of collecting data would still be excluded from the protection offered by the GDPR, which seems far from its objectives. There is therefore still room for improvement in the text of the GDPR and its interpretation to protect the data of European citizens.

Moreover, we find it regrettable that the CNIL does not expand on the criterion of offering goods or services to persons located in the Union by explaining that it considers that the RGPD does not apply to LUSHA in the context of some of its activities only.

Indeed, the text of EDPS Opinion 3/2018 on the territorial scope of the GDPR indicate that an organization may be subject to the GDPR for some of its activities but not for others.

This could explain why the CNIL does not consider that the users of the Lusha extension are data subjects in this specific case (processing of their data as soon as they register and create an account and when they use the services).

For more information, you can find the decision here: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046775564?isSuggest=true