On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfer of personal data to the United States or to other third country that has not been recognized as providing an adequate level of data protection.

INE collects data from Portuguese residents from the 2021 census surveys and transfers it to Cloudfare, Inc. (“Cloudfare”), a service provider in the United States that assists in the operation of the surveys. EU Standard Contractual Clauses (“SCC”) are in place with the US service provider to legitimize data transfers.

After receiving a number of complaints, the CNPD opened an investigation into INE’s data transfers outside the EU. The CNPD concluded that Cloudfare is directly subject to US surveillance laws for national security purposes. According to the CNPD, these surveillance laws impose a legal obligation on companies like Cloudfare to give unlimited access to personal data to US public authorities without informing the persons concerned.

In its decision, the CNPD referred to the Schrems II stop of the Court of Justice of the European Union (“CJEU”) which concluded that the limitations of the protection of personal data arising from American domestic law concerning the access and use of data transferred by American public authorities were not circumscribed in such a way as to satisfy requirements which are essentially equivalent to those required by Union law under the principle of proportionality, insofar as surveillance programs based on these provisions are not limited to what is strictly necessary.

As a result, the CNPD decided that personal data transferred to the United States by INE did not benefit from a level of data protection essentially equivalent to that guaranteed by EU law. The CNPD also underlined that, in accordance with the Schrems II decision, data protection authorities are obliged to suspend or prohibit data transfers, even when such transfers are based on the CSCs of the European Commission, if there is no guarantee that these can be respected in the recipient country. In ordering the suspension of data transfers to the United States, the CNPD took into account that the data transferred included sensitive data (including data relating to the religion or state of health of individuals) of a large number of individuals.

Read it decision and Press release (in Portuguese).