The Portuguese Data Protection Authority (known as the CNPD) has ordered the National Institute of Statistics (NIS) in Portugal to stop sending census data to the U.S. or other third countries, that do not provide an adequate level of data protection.
NIS used Cloudfare Inc. (a U.S. based company) to assist it with the collection of personal data from Portuguese citizens in 2021 Census Surveys. Following receipt of complaints about the collection of census data via the internet, the CNPD carried out an investigation into NIS. The CNPD found that NIS had a contract in place with Cloudfare Inc ., which provided for the transfer of the census data to the U.S., using the Standard Contractual Clauses (SCCs). It noted that Cloudfare Inc., as a U.S. company, is directly subject to U.S. surveillance legislation for national security purposes, which provides U.S. public authorities with unrestricted access to personal data in its possession, without informing data subjects.