Portuguese Data Protection Authority suspends transfers of Census 2021 data to the U.S.

Portuguese Data Protection Authority suspends transfers of Census 2021 data to the U.S.

On April 27, 2021, CNPD- the Portuguese Data Protection Authority, ordered a suspension of any transfer of personal data from the Census 2021 questionnaire to the U.S., or any other third countries, without an adequate level of protection.

Interestingly, the CNPD ordered an almost immediate suspension (within 12 hours), basing their decision on the principles contained in the Schrems II case.

[RELATED TOPIC: Schrems II - The EU Court of Justice invalidates EU-US Privacy Shield]

Backstory

The National Institute of Statics (INE) collects and process personal data from the Portuguese Census surveys.

The Census data includes personal data of the entire Portuguese population (more than 10 million data subjects), including sensitive personal data like data about religious beliefs and health data.

The INE outsourced the operation of the census questionnaire to Cloudflare– U.S. based company, which by itself would not be problematic since there were SCCs put in place.

However, by the type of service it provides, Cloudflare is directly subjected to U.S. surveillance legislation for national security purposes, which imposes a legal obligation to unrestricted access to personal data to the US authorities, without any obligation to inform their clients about it.

CNPD investigation & conlusion

Following several complaints regarding the way personal data was collected online, CNPD carried out a quick investigation, concluding that such legislation implies a disproportionate interference in the fundamental rights of data subjects, not ensuring a level of data protection equivalent to that guaranteed in the EU.

The CNPD heavily relied on the Schrems II case and concluded that, even though the transfer of personal data outside of the EEA is based on the SCCs, the INE had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards when using the SCCs.

[RELATED TOPIC: EDPB recommendations for transferring personal data to non-EU countries] 

Resources

Get your free Data Privacy Manager trial

Try Data Privacy Manager and experience how you can simplify managing records of processing activities, third-parties, or data subject requests!

Scroll to Top