July 29, 2021

Volume XI, Number 210

Portuguese DPA Orders Suspension of U.S. Data Transfers by Agency That Relied on SCCs

On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.

The INE gathers data from Portuguese residents through 2021 Census surveys and transfers it to Cloudflare, Inc. (“Cloudflare”), a service provider in the U.S. that assists the surveys’ operation. EU Standard Contractual Clauses (“SCCs”) are in place with the U.S. service provider to legitimize the data transfers.

Upon receiving a number of complaints, the CNPD started an investigation into the INE’s data transfers outside of the EU. The CNPD concluded that Cloudflare is directly subject to U.S. surveillance laws for national security purposes. According to the CNPD, those surveillance laws impose a legal obligation on companies like Cloudflare to give unrestricted access to personal data to U.S. public authorities without informing data subjects.

In its decision, the CNPD referred to the Schrems II ruling of the Court of Justice of the European Union (“CJEU”), which concluded that the limitations on the protection of personal data arising from U.S. domestic law on the access and use of the transferred data by U.S. public authorities were not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law by the principle of proportionality, in so far as the surveillance programs based on those provisions are not limited to what is strictly necessary.

Accordingly, the CNPD decided that personal data transferred to the U.S. by the INE was not afforded a level of data protection essentially equivalent to that guaranteed under EU law. The CNPD also highlighted that, pursuant to the Schrems II ruling, data protection authorities are obliged to suspend or prohibit data transfers, even when those transfers are based on the European Commission’s SCCs, if there are no guarantees that these can be complied with in the recipient country. In ordering the suspension of the data transfers to the U.S., the CNPD took into account the fact that the data transferred included sensitive data (including data related to individuals’ religion or health condition) of a large number of individuals.

Read the decision and press release (in Portuguese).

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.

National Law Review, Volume XI, Number 118

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
