On October 23rd, 2015, the Portuguese Data Protection Authority (CNPD) issued a statement on transfers of personal data to the US, following the judgment of the EU Court of Justice (ECJ) on Case C-362/14 (Judgment of October 6, 2015, in the case of Maximilian Schrems vs. the Irish National Data Protection Authority) which invalidated the European Commission decision 2000/520 / EC (Safe Harbor Decision), deciding that from now on it will only issue provisional authorizations for the transfer of personal data to the US conducted via alternative mechanisms to the Safe Harbor Principles, having also prohibited data flows under Safe Harbor.

According to this statement, in Portugal, the Safe Harbor was the instrument most commonly used for transferring data to the US. However, following the ECJ judgment, Safe Harbor has ceased to be legitimate grounds for transfers of data to the US, so the CNPD decided to prohibit data transfers under the Safe Harbor.

The DPA, together with their European counterparts, the Article 29 Data Protection Working Party, is now studying the impact of the ECJ's judgment in other instruments used for international transfers, such as the standard contractual clauses, contracts between companies of the same group or other ad hoc agreements. 

However, according to the CNPD, “to the extent that the analysis of the ECJ is based on the existence of the US national legislation, prevailing over any agreements or contracts previously established, and requiring companies obliged to provide data to law enforcement authorities and information from massive and indiscriminate way beyond what is strictly necessary in a democratic society” and that the “the inability of citizens to appeal to the courts to see guaranteed their rights to protection data” was deemed contrary to the European Charter of Fundamental Rights, there is a risk that, due to current US legislation, other instruments that can legitimize the transfer of personal data (such as EU standard contractual clauses) are also not sufficient to ensure an adequate data protection level and, therefore, any data flows based upon them would be considered infringing of the fundamental rights of European citizens.

In light of the above, the CNPD will only issue provisional authorizations for the transfer of data to the US, subject to possible revision in the near future. Also, the authorizations of data transfers to the US, issued by CNPD since 2000, under the Safe Harbor Decision, will be formally reviewed following the judgment of the CJEU, and data controllers based in Portugal should suspend forthwith the personal data flows to the US.

CNPD’s decision may be accessed at:https://www.cnpd.pt/bin/relacoes/comunicados/Comunicado_CNPD_SafeHarbor.pdf.