The Portuguese Data Protection Commission (Comissão Nacional de Proteção de Dados – CNPD) has ordered the Portuguese office of national statistics (Instituto Nacional de Estatística – INE) to suspend within 12 hours the transfer of personal data from the Census 2021 survey to the USA or other so-called third countries without an adequate level of protection.

The CNPD Investigates

The INE conducted a Census survey in the course of which it gathered a vast amount of data on the Portuguese population, including sensitive data such as religious affiliation or health data.

Following complaints by data subjects concerning the collection of Census data via the internet, the CNPD conducted a rapid investigation, in which it found that the Institute had used a US-based company, Cloudflare Inc., to conduct the internet-based survey and that, as a result, personal data of Portuguese nationals was being transferred to the USA. In the course of its investigation, the INE concluded that the data entry via the internet form and its transmission to the INE’s servers was encrypted, but that Cloudflare held the key to decrypt the data.

Schrems II

The INE has signed a contract with Cloudflare that includes the EU Model Clauses approved by the European Commission. However, the CNPD determined that, according to the “Schrems II” decision of the European Court of Justice (ECJ), the Model Clauses alone are not sufficient to safeguard the personal data and that additional measures needed to be taken to protect the data against possible access based on US national security surveillance legislation. Such additional measures were not taken.

Obligation to Suspend

With its order to suspend the data transfer, the Portuguese Authority said it follows the ECJ’s considerations, whereby data protection authorities are obliged to suspend or prohibit data transfers, even when based on the EU SCC, if there are no guarantees that these will be respected in the third country.

By the time the CNPD issued its order to suspend, the personal data of more than 6.5 million people had already been collected.