CNIL (France) - SAN-2022-024

From GDPRhub
CNIL - SAN-2022-024
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 3 GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided:
Published: 26.12.2022
Fine: n/a
Parties: Lusha Systems INC
National Case Number/Name: SAN-2022-024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA investigated a controller who offered a browser-extension, which allowed its users to obtain and verify professional contact details of data subjects who had a profile on LinkedIn and Salesforce.com. The DPA held that the GDPR was not applicable according to Article 3 GDPR.

English Summary

Facts

The controller was a company based in the United States without an establishment in the European Union (EU). This controller offered an extension for computer browsers, which allowed users of this extension to obtain and verify professional contact details (telephone number and e-mail address) of a data subject who had a profile on LinkedIn or Salesforce.com. Users of the extension had to navigate to the profile of the data subject in order to get the contact data. The controller stated that the purpose of this extension was to prevent online fraud. Besides retrieving the contact information, the extension checked whether the profiles belonged to real people and whether these people actually practised the profession described in their profiles. For this purpose, the controller used its own database with professional contact data to double check if the results produced by the extension matched with contact data in this database.

The controller had collected the data for this database from its three smartphone applications that it also offered. When users installed any of these apps on their smartphone, the controller was able to collect the contacts saved on the smartphone for its database. The controller stated that it had mechanisms in place to only collect and store 'professional' contact data and to filter out contact data of a personal nature.

The French DPA (DPA) started an investigation into the controller. It also later received two complaints regarding the controller, received on 22 October 2018 and 14 February 2019.

Holding

The DPA started by clarifying that the data subjects in this decision were the people whose profiles were visited by users of the controller’s extension. The DPA also stated that the ‘professional’ nature of the data stored by the controller did not take away the personal nature of this personal data (CJEU, 9 November 2010, Volker and Others, Case C-92/09 and C-93/09, pt. 59). The DPA confirmed that the controller was processing personal data and was responsible for the processing operations regarding the browser extension and the smartphone applications.

Despite the fact that the DPA acknowledged that the controller was processing personal data of data subjects in France, it determined that the GDPR was not applicable. The controller did not have an establishment in the EU (Article 3(1) GDPR) and the controller did not offer services to data subjects in the EU (Article 3(2)(a) GDPR).

The DPA concluded that Article 3(2)(b) GDPR was also not applicable. The DPA mentioned that the online collection or analysis of personal data of data subjects in the EU was not enough to automatically be considered 'monitoring'. It was necessary to take into account the purpose for which the data was processed by the controller and, in particular, if there were any subsequent behavioural analysis or profiling techniques conducted by the controller. According to the DPA, the monitoring of data subjects on the internet, including the potential further use of profiling techniques (Article 4(4) GDPR) was an important factor for determining whether data subject's behaviour was monitored (Recital 24 and Guidelines 3/2018).

The DPA concluded that it was not established that the behaviour of data subjects was monitored by the controller. According to the DPA, the creation of a database with professional contact data (telephone and e-mail address), for the purpose of the identification of data subjects on LinkedIn and Salesforce.com, was not a form of processing that consisted of analysing or predicting a person's behaviour. The controller also did not use personal data processing techniques that consisted in profiling of data subjects.

The DPA concluded that the GDPR was not applicable and that the DPA was therefore not able to impose a penalty.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Deliberation of the restricted formation n°SAN-2022-024 of 20 December 2022 concerning the company LUSHA SYSTEMS INC.

The Commission nationale de l'informatique et des libertés, meeting in its restricted formation composed of Mr Alexandre LINDEN, president, Mrs Christine MAUGÜÉ and Messrs Bertrand du MARAIS and Alain DRU, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data;

Having regard to Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, in particular Articles 20 et seq;

Having regard to Decree No. 2019-536 of 29 May 2019 taken for the application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms;

Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the internal rules of procedure of the Commission nationale de l'informatique et des libertés;

Having regard to Decision No. 2018-020C of 24 January 2018 of the President of the Commission nationale de l'informatique et des libertés (French Data Protection Authority) to instruct the Secretary General to carry out or have carried out a mission to verify any processing relating to the "lusha.co" domain and/or the extension for Chrome and Chromium browsers known as "Lusha";

Having regard to decisions no. 2019-228C, 2019-231C and 2019-232C of 17 December 2019 of the President of the Commission nationale de l'informatique et des libertés to instruct the Secretary General to carry out or have carried out a verification mission of any processing accessible from the "Simpler", "Mailbook" and "Cleaner Pro" applications;

Having regard to the report of Mr François PELLEGRINI, reporting commissioner, notified to the company LUSHA SYSTEMS INC. on 15 June 2022;

Having regard to the written observations submitted by counsel for the company LUSHA SYSTEMS INC. on 30 August 2022;

Having regard to the reply of the rapporteur to these observations, notified to LUSHA SYSTEMS INC. on 30 September 2022;

Having regard to the new written observations submitted by counsel for LUSHA SYSTEMS INC. received on 7 November 2022;

Having regard to the oral observations made at the meeting of the restricted panel on 24 November 2022;

Having regard to the other documents in the file;

Having regard to the other documents in the file; The following were present at the meeting of the restricted formation:

- Mr François PELLEGRINI, Commissioner, heard his report;

As representatives of LUSHA SYSTEMS INC:

- [...] ;

The company LUSHA SYSTEMS INC. having spoken last ;

The restricted formation adopted the following decision:

I. Facts and procedure

1. LUSHA SYSTEMS INC (hereinafter "the Company") was established in April 2016 and has its registered office at 800 Boylston Street, Suite 1410 in Boston (United States), and is a wholly owned subsidiary of YT DEV LTD, located in Israel. It does not have an establishment in the European Union. In 2021, the company had a turnover of [...] dollars.

2. The company markets an extension (hereinafter "the Lusha extension"), available from the "lusha.co" website, running on the Chrome and Chromium browsers and allowing its users to obtain the professional contact details (telephone number and email address) of people whose profiles they visit on the LinkedIn social network or on the Salesforce.com customer relations platform (hereinafter "Salesforce").

3. The company also publishes, through its wholly owned companies SIMPLER APPS INC, LOBSTER APPS INC and TOP FLOOR INC, the applications for mobile phones called "Simpler", "Mailbook" and "Cleaner Pro", which were available in France on Android and iOS systems until August 2022 and which presented themselves as offering a "contact management" service to the user

4. On 24 January and 1 February 2018, following an alert received in January 2018, a CNIL delegation carried out an online check on the "lusha.co" website pursuant to Decision No. 2018-020C of 24 January 2018 of the President of the French National Commission for Information Technology and Civil Liberties (hereinafter "CNIL" or "the Commission").

5. The purpose of this mission was to verify the company's compliance with the provisions of Law No. 78-17 of 6 January 1978, as amended, relating to information technology, files and freedoms (hereinafter "the Data Protection Act" or "the Act of 6 January 1978"), in connection with processing relating to the "lusha.co" domain and/or the extension for Chrome and Chromium browsers known as "Lusha".

6. On 6 March 2019, the supervisory delegation carried out a new online check to verify the compliance of the processing operations relating to the "lusha.co" domain and the Lusha extension, in particular for the purpose of verifying the investigation of two complaints received by the CNIL services on 22 October 2018 and 14 February 2019 respectively.

7. Representatives of the company were interviewed at the Commission's premises on 18 July 2019.

8. On 19 and 20 December 2019, pursuant to Decisions No. 2019-228C, 2019-231C and 2019-232C of 17 December 2019 of the President of the CNIL, the Commission's services carried out three online checks on the "Simpler", "Mailbook" and "Cleaner Pro" applications from a mobile terminal.

9. The purpose of these checks was to verify the compliance of the processing operations accessible from these mobile applications, or relating to personal data collected from them from any organisation concerned by their implementation, with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data (hereinafter "the GDPR" or "the Regulation") and the Data Protection Act.

10. By emails sent between July 2019 and May 2020, the company sent the CNIL several documents and elements of response requested by the Commission's services in the context of the investigations.

11. On 29 March 2021, on the basis of Article 22 of the Act of 6 January 1978, the President of the Commission appointed Mr François PELLEGRINI as rapporteur for the purpose of investigating these elements.

12. On 15 June 2022, at the end of his investigation, the rapporteur notified the company of a report detailing the breaches of the RGPD that he considered to have occurred in this case. The letter notifying the company of the report indicated that it had a period of one month to submit its written observations under the provisions of Article 40 of Decree no. 2019-536 of 29 May 2019, as amended, taken for the application of the Data Protection Act (hereinafter "the Decree of 29 May 2019").

13. This report proposed that the restricted panel impose an administrative fine on the company, as well as an injunction to bring the processing into compliance with Articles 6 and 15 of the RGPD on a principal basis and Articles 14 to 15 on a subsidiary basis, together with a penalty payment at the end of a period of three months following notification of the decision. It also proposed that the decision be made public and that the company no longer be identified by name after a period of two years from its publication.

14. By letter dated 22 June 2022, the company requested additional time from the chairman of the restricted panel to produce its observations in response to the rapporteur's report, which was granted on 24 June, on the basis of Article 40(4) of the Decree of 29 May 2019.

15. On 30 August 2022, the company submitted its observations in response.

16. On 30 September 2022, the rapporteur replied to the company's comments.

17. On 7 November 2022, the company submitted new observations in response to the rapporteur's comments.

18. By letter dated 8 November 2022, the rapporteur informed the company's counsel that the investigation was closed, pursuant to Article 40, III, of amended Decree no. 2019-536 of 29 May 2019.

19. By letter of the same date, the company was informed that the case had been placed on the agenda of the restricted formation of 24 November 2022.

20. The rapporteur and the company presented oral observations at the meeting of the restricted formation.

II. Reasons for the decision

A. On the processing operation at issue and the status of Lusha with regard to this processing operation

1. On the personal data processing at issue: the Lusha extension

21. According to Article 4(2) of the GDPR, processing of personal data is "any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".

22. In the present case, the restricted formation notes that once installed on a Chrome or Chromium browser and after creating a "Lusha" account, the extension marketed by the company allows a user browsing the LinkedIn social network or the Salesforce.com platform to obtain information on a person whose profile is visited by the user (hereinafter "the target person"), namely the professional contact details of this person (telephone number(s) and/or e-mail address(es)), which will be displayed in a floating window on the visited page.

23. When the user visits the target person's LinkedIn profile or Salesforce page, the extension will compare the target person's name with any identical names stored in the company's database. In the event that at least one result is returned, the extension will verify that the company listed as the target person's employer on the visited LinkedIn or Salesforce profile matches the one in its database. If the above criteria return a result and the phone number and/or email address associated with the target person appear in the digital address books of at least two distinct people registered in the company's database, the associated number and/or email address will be displayed in the floating window of the user visiting the target person's page.

24. The company representatives clarified at the hearing on 18 July 2019 that the extension works in a free version, with a credit of five contacts, and in a paid version, with a number of contacts depending on the amount of credits subscribed.

25. Between 2016 and August 2022, the data constituting the company's contact database was collected through the three mobile contact management applications "Simpler", "Mailbook" and "Cleaner Pro", developed by subsidiaries of the company, which sucked up the digital address books of their users and transferred them to Lusha.

26. More specifically, when the applications were first opened, a pop-up window appeared informing users that by creating their account they were about to share their contacts with the "community of applications to assist in identity verification". The company then filtered the transmitted data to keep only "professional" contact data (phone number(s) and/or email address(es)), excluding contact data for personal use. To carry out this filtering, the company used publicly available information to understand the structure of a company's e-mail address and/or telephone number (e.g.: prenom.nom@societe.com and for a French company based in Paris: + 33 1) and, on the other hand, a white list of professional contact names drawn up by the CRUNCHBASE company comprising, at the time of the checks, the contacts of 5 to 7 million companies. Only the contacts on this white list were included in the Lusha database.

27. Since the above-mentioned applications were withdrawn from the French market in August 2022, the operation of the extension previously involved three distinct categories of people:

- First, the users of the mobile applications, i.e. the people whose address books containing the contact data of the persons concerned were sucked in by the mobile applications and then transmitted into the Lusha database;

- secondly, the data subjects, also known as target persons, i.e. the persons whose contact data are present in the Lusha database and who are subject to the processing at stake;

- finally, the users of the Lusha extension, i.e. the company's customers, using the extension in a free or paid version, who visit the LinkedIn or Salesforce profiles of the target persons in order, in particular, to obtain their professional contact details in order to approach them.

28. Thus, the data subjects (in the sense in which this term will be used below), whose data are consulted by Lusha's customers, are neither users of the Lusha extension, nor users of the applications developed by the company's subsidiaries, their presence in the Lusha database being explained solely by the fact that their contact details appeared in the address book of one or more of their contacts (friend, family, colleague, etc.) who had downloaded the "Simpler", "Mailbook" or "Cleaner Pro" applications.

29. The restricted formation notes that the fact that the database in question used for the operation of the Lusha extension is, in principle, only made up of the "professional" contact details of individuals remains without bearing on the "personal" nature of those data, according to the well-established case law of the Court of Justice of the European Union (see, in particular, CJEU, 9 November 2010, Volker and Others, Case C-92/09 and C-93/09, pt. 59).

30. It notes, moreover, that it is clear from the foregoing that the operations of collecting the address books of the users of the mobile applications and then filtering that data necessarily lead the company also to process the so-called 'personal' details of the contacts appearing in the collected address books (personal details and other data such as contact notes), even though those data are not subsequently entered in the database used for the operation of the Lusha extension.

31. The company states that the purpose of the extension is to combat online fraud by allowing its users to ensure that the target person whose profile they are visiting "is the person they claim to be or works for the company they claim to belong to" (hearing 18 July 2019).

32. The Panel also notes that it was noted on the company's website during the online inspection on 6 March 2019 that the company presents its service as allowing its users to "meet the challenge of enabling real contact with your customers, by knowing [their] correct phone numbers, email address and company details. Access the data you need to contact your prospects via social networks, the web, Saleforces or the API" and quotes one of its users as saying that it is "the best app for finding phone numbers and information about individuals, fast and easy to use".

33. It follows from the above that all the different processing operations mentioned above, all of which are essential for the functioning of the Lusha extension, and which consist, in particular, in collecting, storing, structuring, combining and disseminating personal data, in particular the "raw" contact data of users of the "Simpler", "Mailbook" and "Cleaner Pro" applications and data from the CRUNCHBASE white list, are part of one and the same processing of personal data for the purposes of combating online fraud and providing contact details of prospective customers (hereinafter "the processing in question").

2. On the status of the company Lusha

34. Under Article 4(7) of the GDPR, a controller is "the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing".

35. 35. In this case, the company declared to the CNIL that it was "responsible for the processing operations resulting from the use of [the Lusha extension]" and that SIMPLER APPS INC, LOBSTER APPS INC and TOP FLOOR INC were responsible for the processing of the mobile applications that they develop (i.e. the "Simpler", "Mailbook" and "Cleaner Pro" applications)

36. Regardless of this division, the Panel considers that the company should be considered responsible for all processing operations necessary for the functioning of its extension.

37. 37. Thus, the company's liability also extends to the collection of contact data of persons appearing in the address books of users of mobile applications and the transmission of these data to the Lusha database, since these two operations were, at the time of the checks, essential to the supply of the contact database without which the Lusha extension could not function.

38. If, in fact, these two processing operations were carried out within the mobile applications developed by the company's subsidiaries, the restricted formation emphasises that the company was necessarily at the origin of them via the decision-making power it exercises over these three companies, which it wholly owns and which have no employees. Consequently, and without the need to determine whether the subsidiaries are solely responsible for processing the data collection operation, while Lusha is solely responsible for the data transmission operation to its database, or whether they are jointly responsible for processing with Lusha for both operations, or whether they are subcontractors of Lusha for both operations, the restricted formation considers that the parent company determines, at least in part, the purposes and means of these processing operations and is therefore responsible for processing.

39. It follows from the above that the company is responsible for the processing at issue.

B. On the applicability of the GDPR

40. 40. The rapporteur maintains that the CNIL was competent under the Data Protection Act, and then under the GDPR, to initiate a control procedure and then a sanction procedure against the company. More specifically, he considers that the RGPD is applicable to the processing at issue under Article 3(2)(b), since the processing concerns personal data relating to data subjects in the territory of the European Union and is linked to the monitoring of the behaviour of those data subjects.

41. The company considers that the CNIL has no jurisdiction since the initiation of the monitoring procedure. In particular, it considers that the GDPR is not applicable to it insofar as it does not process personal data linked to the "behaviour" of the data subjects and does not implement "monitoring" or "profiling" activities, and attaches to this support the conclusions of an expert report commissioned on its initiative. It added that the inapplicability of the GDPR to its activities had been confirmed by the National Commission for Data Protection, the Luxembourg data protection authority (hereinafter "the CNPD"), which had issued a statement on the subject in an e-mail dated 9 June 2022.

42. Article 3 of the GDPR, relating to the territorial scope, provides that the GDPR applies to: "1. [...] the processing of personal data carried out in the course of the activities of an establishment of a controller or processor on the territory of the Union, whether or not the processing takes place within the Union. (2) [...] the processing of personal data relating to data subjects within the Union by a controller or processor who is not established in the Union, where the processing activities relate to: (a) the supply of goods or services to those data subjects within the Union, whether or not payment is required from them; or (b) the monitoring of the conduct of those data subjects, insofar as that conduct takes place within the Union.

43. According to Article 4(4) of the GDPR, profiling is defined as "any form of automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict factors concerning that natural person's work performance, economic situation, health, personal preferences, interests, reliability, conduct, location or movements".

44. Recital 24 of the GDPR states in this respect that "The processing of personal data of data subjects within the Union by a controller or processor not established in the Union should also be subject to this Regulation where such processing relates to the monitoring of the behaviour of those individuals insofar as it concerns their behaviour within the Union. In order to determine whether a processing activity can be considered as monitoring the behaviour of data subjects, it should be established whether individuals are being monitored on the Internet, including the possible further use of personal data processing techniques consisting of profiling of an individual, in particular for the purpose of making decisions about him or her or analysing or predicting his or her preferences, behaviour and state of mind.

45. By way of illustration, in its Guidelines 3/2018 on the territorial scope of the GDPR in their version of 12 November 2019, the European Data Protection Committee (hereinafter "EDPS") notes that, "contrary to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 expressly introduces a necessary degree of 'intent to target' on the part of the controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word 'monitoring' implies that the controller has a specific purpose for the collection and subsequent re-use of relevant data relating to the behaviour of an individual within the Union. The Committee does not consider that the online collection or analysis of personal data of individuals in the Union would automatically be considered as 'monitoring'. It will be necessary to take into account the purpose for which the data is processed by the controller and, in particular, any subsequent behavioural analysis or profiling techniques involving such data. The Committee takes into account the wording of Recital 24, which states that in determining whether the processing involves the monitoring of a data subject's behaviour, the monitoring of individuals on the Internet, including the potential further use of profiling techniques, is an important factor.

46. In the present case, since the company has no establishment in the European Union and the Lusha extension is not linked to an offer of goods or services to "data subjects" as defined in § 28 of this decision, the restricted formation notes that neither the criterion of establishment provided for in paragraph 1 of Article 3 of the RGPD, nor the criterion relating to the offer of services to data subjects in the Union provided for in paragraph 2, a) of the same article are applicable.

47. As regards the criterion relating to the monitoring of the behaviour of data subjects, provided for in paragraph 2(b) of the same Article 3, the applicability of which is invoked by the rapporteur, the restricted formation notes that although the company does indeed process the personal data of persons located in the European Union and, in particular, in France, it is not established that these persons are subject to monitoring of their behaviour by the company. Indeed, the restricted panel noted that the company's creation of the database was based solely on the reconciliation of professional contact data (telephone, e-mail address) with the identity of persons whose profiles were visited on LinkedIn in order to verify their veracity. It is therefore not, in this case, processing that consists of analysing or predicting a person's behaviour, personal preferences or movements, interests, economic situation or state of health. The panel considered that the company did not use personal data processing techniques that consisted in profiling a natural person.

48. It follows from the above that the GDPR is not applicable to the processing at issue. Consequently, it is not within the powers of the restricted panel to impose a penalty.

49. It seems appropriate that all users of the applications in question should be informed that the processing operations implemented by the company Lusha are not subject to the GDPR. It is therefore appropriate to order the publication of this decision.

FOR THESE REASONS

The CNIL's restricted formation, after having deliberated, decides :

- that there are no grounds for imposing a penalty;

- to make its decision public on the CNIL website and on the Légifrance website, which will no longer allow the company to be identified by name after a period of two years from its publication.

The Chairman

Alexandre LINDEN

This decision may be appealed to the Council of State within four months of its notification.