On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.
The INE gathers data from Portuguese residents from 2021 Census surveys and transfers it to Cloudfare, Inc. (“Cloudfare”), a service provider in the U.S. that assists the surveys’ operation. EU Standard Contractual Clauses (“SCCs”) are in place with the U.S. service provider to legitimize the data transfers.
Upon receiving a number of complaints, the CNPD started an investigation into the INE’s data transfers outside of the EU. The CNPD concluded that Cloudfare is directly subject to U.S. surveillance laws for national security purposes. According to the CNPD, those surveillance laws impose a legal obligation on companies like Cloudfare to give unrestricted access to personal data to U.S. public authorities without informing data subjects.
In its decision, the CNPD referred to the Schrems II ruling of the Court of Justice of the European Union (“CJEU”) which concluded that the limitations on the protection of personal data arising from U.S. domestic law on the access and use of the transferred data by U.S. public authorities were not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law by the principle of proportionality, in so far as the surveillance programs based on those provisions are not limited to what is strictly necessary.
Accordingly, the CNPD decided that personal data transferred to the U.S. by the INE was not afforded a level of data protection essentially equivalent to that guaranteed under EU law. The CNPD also highlighted that, pursuant to the Schrems II ruling, data protection authorities are obliged to suspend or prohibit data transfers, even when those transfers are based on the European Commission’s SCCs, if there are no guarantees that these can be complied with in the recipient country. In ordering the suspension of the data transfers to the U.S., the CNPD took into account the fact that the data transferred included sensitive data (including data related to individuals’ religion or health condition) of a large number of individuals.