On December 20th, 2022, the French Data Protection Authority (“CNIL”) closed down an investigation against a US company providing a browser extension (the “Company”), after finding that its activities were not subject to the GDPR. The CNIL’s decision is available here in French.

The Company provides a browser extension (the “Extension”) allowing users to obtain the professional contact details (telephone number and email address) of people whose profile they visit on LinkedIn or Salesforce’s customer platform. After receiving complaints between 2018 and 2021, the CNIL launched an investigation into the Extension. While it confirmed that the Company was the controller of all the processing activities related to the use of the Extension, the CNIL concluded that such processing activities fell outside the scope of the GDPR, and therefore halted its proceedings against the Company.

According to the CNIL, none of the criteria from Article 3 of the GDPR applied, insofar as:

  • The Company is not established in the European Union, therefore the criterion of establishment in Article 3(1) of the GDPR does not apply;
  • The Company does not offer goods or services to EU data subjects through its Extension. Indeed, the data subjects in the case at hand are the people whose profile users visit, and these data subjects do not receive any goods or services from the Company. The criterion set out in Article 3(2)(a) of the GDPR is therefore not applicable;
  • The Company does not collect or process personal data linked to the behavior of the data subjects, its Extension only enabling users to check professional contact details and identify fraudulent profiles. The CNIL found no evidence of any “tracking”, “monitoring” or “profiling” activities, thus concluding that the criterion relating to the monitoring of the behavior of data subjects, provided for in Article 3(2)(b) of the GDPR, is not applicable to the Company.

The CNIL’s decision illustrates the limits of the GDPR’s extra-territorial scope and in particular of the criterion set out in Article 3(2) of the GDPR. Citing the European Data Protection Board (“EDPB”)’s previous guidelines on the GDPR’s territorial scope (available here), the CNIL emphasized that the mere collection or analysis of personal data of individuals in the EU could not automatically count as “monitoring” or “profiling”, for instance. Rather, it is only where the controller has a specific purpose in mind for the collection and subsequent reuse of the personal data (including in particular, any subsequent behavioral analysis or profiling techniques involving said data) that Article 3(2)(b) of the GDPR would apply.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.

Diane Valat

Diane Valat is a trainee who attended IE University.