June 13, 2021

Volume XI, Number 164

Advertisement

June 11, 2021

Subscribe to Latest Legal News and Analysis

June 10, 2021

Subscribe to Latest Legal News and Analysis

Portugal Puts Halt on Data Transfers Between INE and Cloudflare

The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries are the United States.

Prompting the resolution was the INE’s use of the US company Cloudflare, Inc. The parties had standard contractual clauses in place, and relying on those, the INE transferred Portuguese resident data from the 2021 census surveys to Cloudflare. Citing the Schrems II decision, the Portuguese data protection authority (CNPD) concluded that the SCCs were not sufficient, since Cloudflare is subject to US surveillance laws, which could require the company to share personal information with US authorities.

Noting that as a data protection authority, it was required to stop data transfers if there were insufficient guarantees that the transferred information was protected, the CNPD made the decision to order the data transfers to be stopped. The parties had only 12 hours to comply.

Putting it Into Practice: This resolution, which comes just a month after a similar decision from Bavarian authorities, signals that EU data protection authorities are watching data transfers to the US closely. While we await updated SCCs, recommendations from the EDPB about data transfers can be helpful.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 130
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Advertisement
Advertisement