On April 27, 2021, the CNPD, the Portuguese Data Protection Authority, ordered a suspension of any transfer of personal data from the Census 2021 questionnaire to the U.S., or any other third countries, without an adequate level of protection.
Interestingly, the CNPD ordered an almost immediate suspension (within 12 hours), basing their decision on the principles contained in the Schrems II case.
The National Institute of Statistics (INE) collects and processes personal data from the Portuguese Census surveys.
However, because of the type of service it provides, Cloudflare is directly subject to U.S. surveillance legislation for national security purposes, which imposes a legal obligation to give U.S. authorities unrestricted access to personal data, without any obligation to inform its clients about it.
CNPD investigation & conclusion
Following several complaints regarding the way personal data was collected online, CNPD carried out a quick investigation, concluding that such legislation implies a disproportionate interference in the fundamental rights of data subjects, not ensuring a level of data protection equivalent to that guaranteed in the EU.
The CNPD heavily relied on the Schrems II case and concluded that, even though the transfer of personal data outside of the EEA is based on the SCCs, the INE had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards when using the SCCs.
- CNPD (Comissão Nacional de Proteção de Dados) official statement in Portuguese: CENSOS 2021: CNPD SUSPENDE FLUXOS PARA OS EUA
- EDPB statement: Census 2021: Portuguese DPA (CNPD) suspended data flows to the USA