Lambda Scientifica

Main Menu

  • Home
  • Amazon AWS
  • amazon EC2
  • Cloudfare
  • Cloud hosting
  • Money management

Lambda Scientifica

Header Banner

Lambda Scientifica

  • Home
  • Amazon AWS
  • amazon EC2
  • Cloudfare
  • Cloud hosting
  • Money management
Cloudfare
Home›Cloudfare›Portuguese DPA orders suspension of data transfers to the United States

Portuguese DPA orders suspension of data transfers to the United States

By Margaret Lawrence
April 28, 2021
0
0


Wednesday April 28, 2021

On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfer of personal data to the United States or to other third country that has not been recognized as providing an adequate level of data protection.

INE collects data from Portuguese residents from the 2021 census surveys and transfers it to Cloudfare, Inc. (“Cloudfare”), a service provider in the United States that assists in the operation of the surveys. EU Standard Contractual Clauses (“SCC”) are in place with the US service provider to legitimize data transfers.

After receiving a number of complaints, the CNPD opened an investigation into INE’s data transfers outside the EU. The CNPD concluded that Cloudfare is directly subject to US surveillance laws for national security purposes. According to the CNPD, these surveillance laws impose a legal obligation on companies like Cloudfare to give unlimited access to personal data to US public authorities without informing the persons concerned.

In its decision, the CNPD referred to the Schrems II stop of the Court of Justice of the European Union (“CJEU”) which concluded that the limitations of the protection of personal data arising from American domestic law concerning the access and use of data transferred by American public authorities were not circumscribed in such a way as to satisfy requirements which are essentially equivalent to those required by Union law under the principle of proportionality, insofar as surveillance programs based on these provisions are not limited to what is strictly necessary.

As a result, the CNPD decided that personal data transferred to the United States by INE did not benefit from a level of data protection essentially equivalent to that guaranteed by EU law. The CNPD also underlined that, in accordance with the Schrems II decision, data protection authorities are obliged to suspend or prohibit data transfers, even when such transfers are based on the CSCs of the European Commission, if there is no guarantee that these can be respected in the recipient country. In ordering the suspension of data transfers to the United States, the CNPD took into account that the data transferred included sensitive data (including data relating to the religion or state of health of individuals) of a large number of individuals.

Read it decision and Press release (in Portuguese).

Copyright © 2021, Hunton Andrews Kurth LLP. All rights reserved.Review of national legislation, volume XI, number 118

Related posts:

  1. EasyJet offers more flights to Green List destinations
  2. Portugal extends its “state of calamity” until May 30
  3. One for twitchers
  4. Madame Tussauds wax figures of Meghan Markle and Prince Harry removed those of Meghan Markle Prince Harry
Tagsunited states

Archives

  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • December 2020
  • November 2020
  • September 2020
  • August 2020
  • July 2020
  • Privacy Policy
  • Terms and Conditions