ARTICLE
12 May 2021

Portugal Puts Halt On Data Transfers Between INE And Cloudflare

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU.
Portugal Privacy

The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide "adequate" levels of data protection. Among those countries are the United States.

Prompting the resolution was the INE's use of the US company Cloudflare, Inc. The parties had standard contractual clauses in place, and relying on those, the INE transferred Portuguese resident data from the 2021 census surveys to Cloudflare. Citing the Schrems II decision, the Portuguese data protection authority (CNPD) concluded that the SCCs were not sufficient, since Cloudflare is subject to US surveillance laws, which could require the company to share personal information with US authorities.

Noting that as a data protection authority, it was required to stop data transfers if there were insufficient guarantees that the transferred information was protected, the CNPD made the decision to order the data transfers to be stopped. The parties had only 12 hours to comply.

Putting it Into Practice: This resolution, which comes just a month after a similar decision from Bavarian authorities, signals that EU data protection authorities are watching data transfers to the US closely. While we await updated SCCs, recommendations from the EDPB about data transfers can be helpful.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More