The Portuguese Data Protection Agency ordered the suspension of US data transfers by an agency that relied on SCCs
On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, “CNPD”) ordered the National Institute of Statistics (“INE”) to suspend, within 12 hours, international transfers of personal data to the US or other third countries that have not been recognized as offering an adequate level of data protection.
The INE collects data from Portuguese residents through the 2021 census surveys and transmits it to Cloudflare, Inc. (“Cloudflare”), a service provider in the United States that supports the operation of the surveys. EU standard contractual clauses (“SCCs”) are in place with the US service provider to legitimize the transfer of data.
After receiving a number of complaints, the CNPD opened an investigation into the INE’s data transfers outside the EU. The CNPD concluded that Cloudflare is directly subject to US surveillance laws for national security reasons. According to the CNPD, these surveillance laws legally require companies like Cloudflare to give US authorities unrestricted access to personal data without informing the data subjects.
In its decision, the CNPD referred to the Schrems II judgment of the Court of Justice of the European Union (“ECJ”), which found that the restrictions on the protection of personal data resulting from domestic US law on the access to and use of transferred data by US authorities are not circumscribed in a way that meets requirements essentially equivalent to those of EU law under the principle of proportionality, insofar as the surveillance programs based on these provisions are not limited to what is absolutely necessary.
Accordingly, the CNPD decided that personal data transmitted by the INE to the USA do not receive a level of data protection that essentially corresponds to that guaranteed under EU law. The CNPD also stressed that under the Schrems II decision, data protection authorities are required to suspend or prohibit data transfers, even if these transfers are based on the European Commission’s SCCs, if there are no guarantees that the SCCs can be complied with in the recipient country. In ordering the suspension of data transfers to the United States, the CNPD took into account the fact that the data transferred contained sensitive information (including information about the religion or state of health of individuals) relating to a large number of people.
Read the decision and the press release (in Portuguese).