The Portuguese Data Protection Authority (known as the CNPD) has ordered the National Institute of Statistics (NIS) in Portugal to stop sending census data to the U.S. or other third countries that do not provide an adequate level of data protection.
NIS used Cloudflare Inc. (a U.S.-based company) to assist it with the collection of personal data from Portuguese citizens in the 2021 Census surveys. Following receipt of complaints about the collection of census data via the internet, the CNPD carried out an investigation into NIS. The CNPD found that NIS had a contract in place with Cloudflare Inc., which provided for the transfer of the census data to the U.S., using the Standard Contractual Clauses (SCCs). It noted that Cloudflare Inc., as a U.S. company, is directly subject to U.S. surveillance legislation for national security purposes, which provides U.S. public authorities with unrestricted access to personal data in its possession, without informing data subjects.
In its decision, the CNPD referred to the Court of Justice of the European Union (CJEU) decision in Schrems II, which found that the U.S. does not provide an essentially equivalent level of data protection to that guaranteed by EU law, in light of its mass surveillance laws. The CNPD noted that following Schrems II, data protection authorities are obliged to suspend or prohibit data transfers, even when based on the SCCs, if there are no guarantees that these can be respected in the third country.
Bearing in mind the volume and nature of the personal data, which concerned more than 6.5 million Portuguese citizens, and included sensitive data such as religious and health data, the CNPD ruled that the transfer of the data to the U.S. or other third countries without adequate protections in place was unlawful. The CNPD ordered NIS to suspend transfers of the census data within 12 hours.