On December 20th, 2022, the French Data Protection Authority (“CNIL”) closed down an investigation against a US company providing a browser extension (the “Company”), after finding that its activities were not subject to the GDPR. The CNIL’s decision is available here in French.
The Company provides a browser extension (the “Extension”) allowing users to obtain the professional contact details (telephone number and email address) of people whose profile they visit on LinkedIn or Salesforce’s customer platform. After receiving complaints between 2018 and 2021, the CNIL launched an investigation into the Extension. While it confirmed that the Company was the controller of all the processing activities related to the use of the Extension, the CNIL concluded that such processing activities fell outside the scope of the GDPR, and therefore halted its proceedings against the Company.
According to the CNIL, none of the criteria from Article 3 of the GDPR applied, insofar as:
- The Company is not established in the European Union, therefore the criterion of establishment in Article 3(1) of the GDPR does not apply;
- The Company does not offer goods or services to EU data subjects through its Extension. Indeed, the data subjects in the case at hand are the people whose profile users visit, and these data subjects do not receive any goods or services from the Company. The criterion set out in Article 3(2)(a) of the GDPR is therefore not applicable;
- The Company does not collect or process personal data linked to the behavior of the data subjects, its Extension only enabling users to check professional contact details and identify fraudulent profiles. The CNIL found no evidence of any “tracking”, “monitoring” or “profiling” activities, thus concluding that the criterion relating to the monitoring of the behavior of data subjects, provided for in Article 3(2)(b) of the GDPR, is not applicable to the Company.
The CNIL’s decision illustrates the limits of the GDPR’s extra-territorial scope and in particular of the criterion set out in Article 3(2) of the GDPR. Citing the European Data Protection Board (“EDPB”)’s previous guidelines on the GDPR’s territorial scope (available here), the CNIL emphasized that the mere collection or analysis of personal data of individuals in the EU could not automatically count as “monitoring” or “profiling”, for instance. Rather, it is only where the controller has a specific purpose in mind for the collection and subsequent reuse of the personal data (including in particular, any subsequent behavioral analysis or profiling techniques involving said data) that Article 3(2)(b) of the GDPR would apply.