The Portuguese Data Protection Agency ordered the suspension of US data transfers by an agency that relied on SCCs
On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, CNPD) ordered the National Statistics Institute (INE) to suspend, within 12 hours, the international transfer of personal data to the United States or other third countries that are not recognized as offering an adequate level of data protection.
The INE collects data from Portuguese residents through the 2021 census surveys and transmits it to Cloudflare, Inc. (“Cloudflare”), a service provider in the United States that helps run the surveys. EU standard contractual clauses (“SCCs”) are in place with the US service provider to legitimize the data transfer.
After receiving a number of complaints, the CNPD opened an investigation into the INE’s data transfers outside the EU. The CNPD concluded that Cloudflare is directly subject to US surveillance laws for national security reasons. According to the CNPD, these surveillance laws require companies like Cloudflare to give US authorities unrestricted access to personal data without informing the data subjects.
In its decision, the CNPD referred to the Schrems II judgment of the Court of Justice of the European Union (“ECJ”), which found that the restrictions on the protection of personal data that result from domestic US law on access to and use of the transferred data by US authorities are not circumscribed in a way that meets requirements essentially equivalent to those of EU law under the principle of proportionality, unless the surveillance programs based on these provisions are limited to what is absolutely necessary.
Accordingly, the CNPD decided that personal data transmitted by the INE to the USA do not receive a level of data protection that essentially corresponds to that guaranteed under EU law. The CNPD also stressed that, according to the Schrems II decision, data protection authorities are obliged to suspend or prohibit data transfers, even if these transfers are based on the European Commission’s SCCs, if there are no guarantees that these can be complied with in the recipient country. In ordering the suspension of data transfers to the United States, the CNPD took into account the fact that the data transferred contained sensitive information (including information about religion or the state of health of people) of a large number of people.
Read the decision and the press release (in Portuguese).