What does this cover?
In light of the recent decision by the CJEU regarding the US Safe Harbor regime the Portuguese Data Protection Authority (the CNPD) has issued a deliberation which clarifies the practical implications on data transfers from Portugal to the US (Deliberation).
In the Deliberation, the CNPD decided that: (i) it will review all authorisations for transfers under the US Safe Harbour regime issued by the CNPD since 2000; and (ii) companies should promptly suspend all international data flows in this context.
The CNPD also opined that US law forces companies to supply data to police and other authorities in a massive, indiscriminate manner beyond what is strictly necessary in a democratic society and that, as a result, the remaining instruments associated with personal data transfers to the US (for example, EU Model Clauses) are also not entirely adequate. Going forward, the CNPD shall start to issue only temporary authorisations for the transfer of personal data to the US under these alternative instruments.
This decision has a huge impact on the day-to-day operation of companies that transfer data to the US on a daily basis. Such companies should promptly review the underlying procedures being used for such transfers. In any case, developments are likely to follow after 31 January 2016 (the CJEU’s informal deadline for the EU and the US to reach an agreement on the Safe Harbor issue).
The CNPD's Deliberation is available here (Portuguese).
What action could be taken to manage risks that may arise from this development?
Financial services companies should continue to monitor Safe Harbor developments at a national and EU level and should review the measures in place to govern the transfer of data from Portugal to the US.
Submitted by Inês Antas de Barros and Isabel Ornelas of Vieira de Almeida & Associados – Lisbon, Portuga in partnership with DAC Beachcroft.