This week has seen the Portuguese Data Protection Authority, the Comissão Nacional de Proteção de Dados (CNPD), order the National Institute of Statistics (INE) to suspend within 12 hours international transfers of personal data to the US and third countries that do not have an adequacy decision in their favour. This case involves census data that is being collected online across the whole of Portugal in the 2021 census survey, and by its very nature includes sensitive data, e.g. health data or data related to religion.
The CNPD received a number of complaints and began an investigation which showed the INE was using Cloudflare, a Californian based service provider, and had a provision in the contract whereby personal data could be transferred to the US. The basis for the transfers was the EU’s model clauses, also known as the standard contractual clauses (SCCs). The CNPD stated that Cloudflare “are directly subject to US national security surveillance legislation, which imposes a legal obligation on you [Cloudflare] to give US authorities unrestricted access to personal data you hold in your possession or custody or custody of them, without being able to give your clients any knowledge.” The CNPD concluded that in light of the Schrems II judgment the personal data that was being transferred by the INE to the US was not given the equivalent level of protection guaranteed under EU law.
The CNPD went on to say that in line with Schrems II it was “obliged to suspend or prohibit data transfers, even when based on contracts based on the model approved by the European Commission, as is the case with the clauses signed by the INE, if there are no guarantees that they can be respected in the third country.” Given the large amount of data involved and the nature of the data being transferred the CNPD took the decision to suspend the transfers “with almost immediate effect”, i.e. within 12 hours.
This is the latest decision to involve the Schrems II judgment (see our earlier article Schrems II – a differing view in Europe of reinforcing the need for supplementary measures?).
It is another clear indication that relying solely on the SCCs without undertaking the required 6 step roadmap as set out in the first EDPB recommendation and then considering the essential guarantees in the second EDPB recommendation increases your risk profile and could lead to a suspension of international data transfers and all the headaches that come with that! The EDPB recommendations are only draft and it will be interesting to see if they change at all when finalised.
Further, we are still awaiting the finalised version of the new SCCs that were issued in draft form in November 2020 (see Tamsin Hoque’s article Finally - long awaited draft SCCs have arrived!), will they go some way to addressing these concerns? We will only be able to answer that once we see what, if any, amendments have been made to the proposed SCCs.
Finally, this again highlights the benefits of an adequacy decision in favour of a third country. If the EU grants the UK such a decision within the required timeframe then issues such as those raised above would be resolved at the out-set, at least for the initial 4 years.
Given that personal data from an almost total universe of nationals residing in national territory, including sensitive data such as those relating to religion or health status, the CNPD considered that it should suspend with almost immediate effect the transfer of data to the USA or any other third country without adequate protection.