Liisa Thomas & Kathryn Smith of Sheppard Mullin write:
The French Data Protection Authority capped off 2022 by terminating an investigation into Lusha Systems, Inc.’s compliance with GDPR. CNIL concluded that the law did not apply to the US company’s activities. As many know, since GDPR was passed US companies have been concerned about the extent the law applies outside of the EU: it applies not only to those entities with operations in the EU, but also those outside of the region who are either offering goods or services to people in the EU or monitoring individuals in the EU. Here, CNIL concluded that Lusha was not offering goods or services to those in the EU, nor was it monitoring those in the EU.
The European Data Protection Board has issued guidance and examples on the scope of CNIL. These include “monitoring” situations, perhaps the trickiest fact pattern. However, the guidance gives examples of when GDPR would apply but not situations where it would not apply. The Lusha case is thus helpful to companies as they consider GDPR applicability.
Read more at Eye on Privacy.