On 23 October 2015, the Portuguese Data Protection Authority (the "CNPD") issued a statement (available in Portuguese only) outlining its position on transfers of personal data to the U.S. following the Schrems judgement. Businesses that are subject to Portuguese data protection law and engage in transatlantic data transfers would be prudent to assess and adapt those data transfers in light of the statement.
What Does The CNPD Say?
The CNPD makes the following key statements:
- Data flows under the Safe Harbour Framework are prohibited.
- CNPD will formally review data transfers previously authorised under Safe Harbour and is asking data controllers based in Portugal to suspend those data flows.
- From now on, CNPD will only issue provisional authorisations for data transfers to the U.S. which might be subject to review in the near future.
- CNPD warns businesses that in light of the Schrems judgement, other mechanisms for legitimising data transfers (in particular Standard Contractual Clauses) may also not provide an adequate level of data protection. Together with its counterparts across the EU, CNPD will study the impact of the Schrems ruling on alternative transfer mechanisms.
Where Does That Leave Businesses Subject To Portuguese Data Protection Law?
The suspension of transatlantic data transfers is clearly not a feasible option for most businesses. Relying on Safe Harbour alone in Portugal would appear to carry significant risks, given that CNPD has announced a formal review of transfers previously authorised under Safe Harbour (of which it would have a registry). Thus, businesses subject to Portuguese data protection law that transfer data to the U.S. would be prudent to:
- assess those data flows;
- consider and implement alternative transfer mechanisms to the extent those transfers are based on Safe Harbour; and
- update any required notifications to CNPD in a timely manner to reflect the alternative transfer mechanisms implemented (as this is an obligation under Portuguese law).
When considering alternative mechanisms, it should be remembered that those might only be interim solutions depending on further developments such as the implementation of Safe Harbour 2.0 or findings of (in)adequacy in relation to alternative transfer mechanisms.
What Alternative Transfer Mechanisms Are Currently Available?
The transfer mechanisms currently available under Portuguese law are Standard Contractual Clauses and ad hoc contractual arrangements on the one hand, and derogations (typically consent or performance of a contract) on the other hand. Binding Corporate Rules are not an option under Portuguese law, as Portugal, alone among EEA countries, does not recognise BCRs as a data transfer tool.
Importantly, in Portugal, notification and authorisation requirements apply to international data transfers. Data transfers to the U.S. (like transfers to any countries outside the EEA that are not whitelisted) must not only be notified to the CNPD, they also require the CNPD’s authorisation unless they are based on one of the derogations available. It follows from the above that data transfers to the U.S. on the basis of Standard Contractual Clauses or ad hoc contracts will, for the time being, only receive provisional authorisations and therefore risk being revoked at a later stage.
In light of this, relying on the available derogations for data transfers to the U.S. might be a more practical option in the interim but would need to be carefully considered on a case-by-case basis. While not requiring official authorisation, such transfers would still need to be notified to CNPD.