Schrems II – Portuguese DPA suspends data transfer to the US by public entity that relied on standard contractual clauses

The resolution followed an urgent investigation procedure conducted by the CNPD on basis of numerous complaints. The INE was conducting 2021 Census surveys of Portuguese residents with the operational support of the US-based company Cloudflare Inc. (Cloudflare). The contract between the parties specified that data would be transferred to the US and included European Commission’s standard contractual clauses (SCCs).

The CNPD investigation concluded that Cloudflare is directly subject to U.S. national security surveillance legislation, which includes a legal obligation on the company to provide US authorities with unrestricted access to personal data in its possession without notifying its clients. The CNPD quoted the Schrems II decision, noting that US surveillance laws entail disproportionate interference with the fundamental rights of data subjects in the light of EU law and therefore the data transferred by INE to the US were not afforded a level of protection essentially equivalent to that guaranteed in the EU. The CNPD pointed out that, according to Schrems II, data protection authorities are obliged to suspend or prohibit data transfers, even when based on SCCs, as in the present case, if no supplementary measures to ensure such protection have been put in place.

In imposing an almost immediate ban on data transfer to the US or any other third country without adequacy status, the CNPD considered that since the start of the surveys, the INE had collected personal data from almost all residents of Portugal (having concluded the surveys for 6,5 million individuals), and that it included special categories of data, such as data relating to religion or health status of individuals.

The press release of the CNPD is available here and the decision here (both only in Portuguese). The English summary is available here.