The decision of the Portuguese Data Protection Authority

On 27 April 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) issued a Deliberation (only available in Portuguese) addressed to the National Statistics Institute (Instituto Nacional de Estatística – INE) ordering this entity to suspend, within 12 hours, all data transfers to the United States of America (USA) or to other third countries that do not ensure an adequate level of protection.

CNPD’s intervention follows the use by INE of the internet security services and content delivery network of the service provider Cloudflare Inc., in the context of the Census 2021 support website. CNPD considered that the use of such services could involve mass transit of personal data through third countries, including the USA, and that the control of INE and of the data subjects over these transfers would be severely limited.

CNPD based its decision on the Schrems II Judgment of the Court of Justice of the European Union (CJEU), that determines the invalidity of the Privacy Shield data transfer mechanism as well as the need to investigate whether countries outside the European Economic Area (EEA) offer a level of protection essentially equivalent to the one offered in the EU or if it is necessary to apply supplementary measures before initiating such transfers.

During the investigation, which included the analysis of the data protection agreement between INE and Cloudfare, CNPD has considered that there were insufficient guarantees in terms of privacy by design and risk minimisation for data subjects, pointing out other shortcomings, such as the failure to carry out a data protection impact assessment of the specific processing operation underlying the 2021 Census.

The supervisory authority is still investigating the possibility of imposing further corrective measures to INE (which may include the imposition of fines). We recall that breaches of the rules on data transfers to third countries may result in fines up to EUR 20 million or, in the case of an enterprise, up to 4% of its annual worldwide turnover in the preceding business year, whichever is higher. In addition, there is the reputational impact that a sanction of this nature can have for an organisation.

Measures to be taken by organisations transferring data outside the European Economic Area

Even though the Deliberation in question is addressed to INE, it reveals the focus and the position of CNPD on the matter, thus, it should be carefully considered by organisations transferring data to third countries. The Deliberation shall be read together with the Schrems II Judgment and with Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and Recommendations 02/2020 on European Essential Guarantees for surveillance measures, both of the European Data Protection Board (EDPB).

In light of this scenario, organisations shall – to avoid both a sudden disruption of their services resulting from an order of termination of transfers by CNPD and/or the application of high value sanctions – reassess the instruments used for transfers of data to third countries and, in accordance with the principle of accountability, identify the additional supplementary measures appropriate to the specific case. Such measures may be contractual, technical, organisational or a combination of several. To this end, the EDPB presents a 6 Step Plan for organisations to properly carry a Data Transfer Assessment: a) map data transfers; b) identify the data transfer tool under the GDPR; c) assess the effectiveness of the data transfer tool; d) adopt supplementary measures if necessary; e) take formal procedures to put in place the supplementary measures; and f) re-evaluate the level of protection on an ongoing basis.

For further details on the above steps, please see our Flash on “News on International Data Transfers“. The VdA Team is also prepared to support our clients in the process of reviewing and reassessing their data transfers as well as in the identification of appropriate supplementary measures, so that they can ensure a high level of compliance with minimal risk of disruption to their activities.

More from VdA