On 27 April, the Comissão Nacional de Proteção de Dados (CNPD), Portugal’s national data protection authority, ordered the National Institute of Statistics (INE) to suspend, within 12 hours, all personal data transfers to the United States or to any other third country that does not guarantee security measures equivalent to those required under EU law.
A three-step decision
In 2021, the INE carried out an online census of the Portuguese population. After the collection of personal data (including sensitive data on health conditions and religion) of over 6.5 million people, a complaint was filed with the CNPD. The harm arose from the transfer of this data to the servers of Cloudflare, an American company. In reaching its decision, the CNPD relied on three points.
The contract between the INE and Cloudflare contained standard contractual clauses, pursuant to Article 46(2)(c) of the GDPR. The CNPD held that the inclusion of such clauses alone was not enough to constitute sufficient guarantees. The INE had no way of knowing where the data actually transited. Even if the data passed through the server closest to Portugal, depending on the requests it received, it could be redirected to one of the company’s 200 other servers. In addition, Cloudflare holds the public and private encryption keys for the records.
The CNPD noted that the impact assessment carried out did not cover the collection process, but only the system’s performance and security. The CNPD states that other means could have been put in place that would have given the INE greater control over the collection of the data.
The decision refers to the Court of Justice of the European Union’s Schrems II judgment of 16 July 2020. The contract required Cloudflare to inform the INE of requests for access to the data. That clause was apparently invalid under the US Foreign Intelligence Surveillance Act. The contract did not include additional measures providing sufficient guarantees for the personal data of Portuguese citizens.
For these reasons, the CNPD ordered the suspension of the data transfers within 12 hours. It added that it would verify, in the context of outsourcing contracts, whether subcontractors comply with the GDPR.
The consequences of the decision
This decision offers a new reading of the foreseeable consequences of the Schrems II judgment. That judgment, followed by the EDPB recommendations on supplementary measures for transfer tools, left the transfer of personal data to American companies on uncertain ground. Entering into standard contractual clauses alone does not make a transfer compliant with the GDPR: such clauses bind, and confer rights on, only the parties to the contract, not state authorities.
The CNPD recalls that standard contractual clauses must be supplemented by additional measures to effectively ensure the level of protection required by the GDPR. If no such measures can be put in place, and no other solution is available, the transfer must be suspended. The Portuguese decision requires all European companies to rethink their personal data transfer strategy and to carry out systematic assessments accompanied by appropriate measures.