CNPD ordered Statistics Portugal to suspend all data transfers to a US based processor within 12 hours earlier this week.
The Portuguese DPA, Comissão Nacional de Proteção de Dados or CNPD ordered Statistics Portugal (INE) to suspend all data transfers specific to their census within 12 hours, due to an inadequate level of protection for international data transfers, IAPP reported. After receiving complaints about the conditions for the collection of data via the internet, the Authority carried out a quick investigation. This probe revealed that INE used Cloudfare Inc, a California based web infrastructure and website security company to handle census survey operations. Due to the nature of the services provided by Cloudfare, the company is directly subject to US surveillance legislation for the purposes of national security.
Even in cases where the data transfers are based on Standard Contractual Clauses, data protection authorities are obliged to suspend or prohibit data transfers where there are no guaranteesthat these can or will be complied with in the recipient country. US surveillance legislation imposes on certain companies a legal obligation to give unrestricted access to US authorities to the personal data in their possession, without being able to inform their clients of it. With Cloudfare Inc being subject to this legislation and being in possession of large amounts of personal data from Portuguese citizens, this posed some serious risk.
The data collection process for the census exercise being executed by INE began on April 19th and was due to be completed by May 3th, however due to the complaints received by CNPD, about a week into the process, they were ordered to cease data transfers within 12 hours. The main reason for the immediate order to cease data transfers was, in addition to the sheer amount of data being collected and processed, the sensitive nature of the data itself. The data included information like religious and health data from the individuals in this large data pool.
In recent times we have seen similar action being taken by other EU DPAs, for example in Spain and Germany, concerning data transfers on the basis of Standard Contractual Clauses. However, with these transfers being made to the U.S. or any other third country that may have not been recognized as providing an adequate level of data protection and without applying any additional measures, these present an issue. This risk is particularly difficult when dealing with particularly sensitive data, as it was the case in this instance. It is extremely important, when making international data transfers on the basis of Standard Contractual Clauses that the data is subject to a level of protection equivalent to the level provided under EU law.
Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.