The French data protection authority ('CNIL') announced, on 23 December 2022, that it had decided, on 20 December 2022, to dismiss the case against Lusha Systems Ltd., outlining that it was outside the scope of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Background to the case In particular, CNIL noted that a number of complaints had been received between 2018 and 2021 regarding the use of the web browser extension to access information, such as professional contact details. Findings of CNIL Upon inspection, CNIL found that no sanction should be issued against Lusha due to the following: the company has no establishment in the EU, so that the criterion of est