Portuguese DPA orders suspension of data transfers to US by agency that relied on SCCs
On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfer of personal data to the United States or other third countries which have not been recognized as providing an adequate level of data protection.
INE collects data of Portuguese residents from the 2021 census surveys and transfers it to Cloudflare, Inc. (“Cloudflare”), a service provider in the United States that assists in the operation of the surveys. EU Standard Contractual Clauses (“SCCs”) are in place with the US service provider to legitimize data transfers.
After receiving a number of complaints, the CNPD opened an investigation into INE’s data transfers outside the EU. The CNPD concluded that Cloudflare is directly subject to US surveillance laws for national security purposes. According to the CNPD, these surveillance laws impose a legal obligation on companies like Cloudflare to give US public authorities unlimited access to personal data without notifying the persons concerned.
In its decision, the CNPD referred to the Schrems II judgment of the Court of Justice of the European Union (“CJEU”), which concluded that the limitations on the protection of personal data arising from US domestic law on the access and use by US public authorities of transferred data are not circumscribed in a way that satisfies requirements essentially equivalent to those required under EU law by the principle of proportionality, insofar as the monitoring programs based on these provisions are not limited to what is strictly necessary.
As a result, the CNPD decided that personal data transferred to the United States by INE did not benefit from a level of data protection essentially equivalent to that guaranteed by EU law. The CNPD also underlined that, in accordance with the Schrems II decision, data protection authorities are obliged to suspend or prohibit data transfers, even when such transfers are based on the European Commission’s SCCs, if there is no guarantee that these can be respected in the recipient country. In ordering the suspension of data transfers to the United States, the CNPD took into account that the data transferred included sensitive data (including data related to religion or the state of health of individuals) of a large number of individuals.