The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries are the United States.
Prompting the resolution was the INE’s use of the US company Cloudflare, Inc. The parties had standard contractual clauses in place, and relying on those, the INE transferred Portuguese resident data from the 2021 census surveys to Cloudflare. Citing the Schrems II decision, the Portuguese data protection authority (CNPD) concluded that the SCCs were not sufficient, since Cloudflare is subject to US surveillance laws, which could require the company to share personal information with US authorities.
Noting that as a data protection authority, it was required to stop data transfers if there were insufficient guarantees that the transferred information was protected, the CNPD made the decision to order the data transfers to be stopped. The parties had only 12 hours to comply.
Putting it Into Practice: This resolution, which comes just a month after a similar decision from Bavarian authorities, signals that EU data protection authorities are watching data transfers to the US closely. While we await updated SCCs, recommendations from the EDPB about data transfers can be helpful.