In yet another application of the principles contained in the Schrems II case, on the 27th of April 2021, the Portuguese Data Protection Authority (“CNPD”) issued a decision ordering the suspension, within 12 hours, of any transfer of personal data resulting from the Census 2021 to the U.S., or to other third countries outside the EU not ensuring an adequate level of protection for the data.

Background

The National Institute of Statistics (“INE”) collects personal data from the Portuguese Census 2021 surveys. The Census 2021 data include personal data of potentially more than 10 million data subjects (the entire population of Portugal), including health and religious data. Completing the Census 2021 is mandatory for Portuguese residents. INE engages Cloudflare, Inc. (“Cloudflare”), a U.S. service provider, for the operation of the Census 2021 surveys. Under Cloudflare’s terms and conditions of service, as well as being transferred to the U.S., the personal data may transit to any of the 200 servers used by Cloudflare in different countries, which are neither identified nor identifiable by INE or by the data subjects. Cloudflare is also authorized to use sub-processors from outside its group, including companies from third countries. European Commission-approved Standard Contractual Clauses (“SCCs”) are relied upon for the transfer of data from INE to Cloudflare.

CNPD Decision

Following several complaints, the CNPD launched an investigation into the transfer of personal data from INE to Cloudflare. The CNPD concluded that, even though the transfer of personal data outside of the EEA is based on the SCCs, INE had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards when using the SCCs.

Schrems II

The CNPD concluded that as Cloudflare is a U.S. company, it is directly subject to U.S. surveillance laws for national security purposes. Those U.S. surveillance laws impose a legal obligation on Cloudflare to give unrestricted access to personal data to U.S. public authorities without informing data subjects, and therefore the SCCs cannot guarantee an adequate level of protection for the personal data transferred.

In its decision, the CNPD referred to the ruling by the European Court of Justice in Schrems II, which held that U.S. surveillance legislation implies a disproportionate interference in the fundamental rights of data subjects and therefore does not ensure a level of data protection essentially equivalent to that guaranteed in the EU. The CNPD also concluded that, pursuant to the Schrems II ruling, data protection authorities are required to suspend or prohibit data transfers, even when those transfers are based on the SCCs, if there are no guarantees that these SCCs can be complied with in the third country.

Suspension of transfer

The CNPD ordered the INE to suspend the transfer of Census 2021 data to the U.S. or other third countries without adequate safeguards. In ordering the suspension of the data transfers to the U.S., the CNPD took into account the fact that the data transferred included special category personal data of a large number of individuals.

Following similar decisions by other European data protection authorities, this decision is another indication that, pursuant to Schrems II, supervisory authorities are willing to suspend transfers of personal data, especially where these involve more sensitive data such as health data.

The global data protection, privacy & security team at DLA Piper has developed a standardised data transfer methodology to assist its clients in navigating the impact of the Schrems II judgment and carrying out the required assessment when relying on SCCs or other transfer mechanisms. The methodology includes a five-step assessment process, comprising a proprietary scoring matrix and weighted assessment criteria to help manage effective decision-making.