Portuguese Decision Another Foreboding Sign for Global Data Transfers
It only took a “quick investigation” and a questionable analysis of the now infamous “Schrems II” ruling for the Portuguese privacy watchdog (CNPD) to impose a quasi-data localization requirement in Europe. Should other European watchdogs follow suit, it would threaten Europe’s recent connectivity investment plans and alienate European businesses and researchers from the rest of the world.
The aftershocks from last year’s Schrems II decision are continuing to reverberate, posing new threats to a key foundation for global economic activity – cross-border data transfers. While the Court of Justice of the European Union’s judgment struck down the EU-U.S. Privacy Shield data transfer mechanism, it left in place additional tools for sending European data overseas, such as Standard Contractual Clauses (“SCCs”). Unfortunately, an emerging line of enforcement actions from European Data Protection Authorities (“DPAs”) is expanding upon the Schrems II judgment to cast serious doubt on the viability of these additional data transfer instruments.
Last month, DisCo described how a German State DPA took action to bar a domestic company from using a U.S. service provider to send marketing messages to customers, because the company had not conducted a particularized inquiry as to whether additional measures would be necessary to ensure adequate protection of their customers’ email addresses. This post covers the national Portuguese Data Protection Authority’s (“CNPD”) decision issued last week and its sweeping ramifications for Europe’s digital aspirations and its economic recovery if it ever becomes Europe’s enforcement standard for data transfers.
Portuguese DPA Order Against National Statistical Institute
On April 27, the CNPD upheld a complaint against Portugal’s National Statistical Institute (“INE”) for using a service provider headquartered in the U.S. as a content delivery provider for conducting Portugal’s 2021 national census. The CNPD found that while INE had assessed the security of the census and further consulted with the Portuguese National Security Cabinet, it had not conducted a specific data protection impact assessment and hence not adopted any “additional measures” to mitigate risks.
In its holding, the CNPD gave INE 12 hours to “suspend the sending of personal data” involving the census to the United States or to any other third countries without an EU adequacy decision, through any company. In issuing this broad holding, the CNPD foreclosed the possibility of an assessment finding that INE’s use of the service provider met data protection standards, and essentially prejudged a wide array of potentially fully legal, non-risk-posing transfers of information without any further legal process. Ironically, the 12-hour deadline resulted in INE having to turn off its web application firewall, a cybersecurity service designed to block cyber threats seeking to exfiltrate sensitive data.
Beyond the broad judgment, the CNPD’s reasoning for the decision is also alarming as it stretches to breaking point the Schrems II decision and European Data Protection Board’s draft guidance. In particular, it advances several legal arguments and conclusions that cast doubts about most EU data transfers outside Europe and appears to require foreign companies to adopt “additional requirements” even if data stays in Europe:
- The CNPD suggests that SCCs cannot be used to transfer data to the United States simply because they do not bind U.S. authorities, without regard for whether they can ensure protected data transfers (Paragraph 39). This conflicts with the CJEU’s finding in Schrems II where SCCs could be used to transfer data to the United States provided that supplementary measures are in place if the terms of the SCCs cannot be complied with. But it also singles out adequacy decisions as the only mechanism to transfer data outside Europe, and threatens all other transfer tools under the General Data Protection Regulation (“GDPR”) which, by definition, do not bind third-country authorities, be they Binding Corporate Rules, clauses approved by a data protection authority, Codes of Conduct, consent, contract, or legitimate interest.
- The CNPD suggested that “additional measures” are required for any organization using a service provider headquartered in the U.S., even if the data is never transferred to the U.S. (Paragraph 40). This implies that a U.S. service provider must do more than simply comply with the GDPR. The CNPD does not justify why that is the case, nor does it explain what such additional measures may be.
- Finally, the CNPD ruled that the data exporter must ensure that any subcontractors are not obliged to comply with legislation that would conflict with the European General Data Protection Regulation (GDPR) (Paragraph 43). In doing so, the CNPD contradicts the CJEU findings and rules out any supplementary measures that a subcontractor may implement to ensure adequate protection of personal data. In addition, European regulators have hitherto given no significant guidance on which foreign laws may pose such conflicts.
- The CNPD took issue with the use of encryption controlled by the service provider (Paragraph 13), even though encryption is recognized as a supplementary measure enabling protected transfers in preliminary EDPB guidance.
Taken together, this reasoning appears to erect serious market barriers against U.S. and global companies operating in EU markets without any clear connection to mitigating actual risks to the privacy of European citizens.
Blow to National and European Interests
The decision is also a massive blow to the Portuguese government’s digital connectivity ambitions and Europe’s aspiration to become a global data hub.
Just last month, the Portuguese government rallied 26 other European governments in committing to strengthen Europe’s international and domestic connectivity infrastructures, with one goal in mind: turn Europe into a “world-class data hub” in the global digital economy.
Unfortunately, the CNPD decision could severely undermine those plans and risks clogging the very pipes that Portugal and other European countries want to build in the coming years. As DisCo previously outlined, increasing connectivity infrastructures will only be useful if data is able to flow freely in and out of the continent.
To be clear, if this decision becomes a precedent for the rest of the continent, personal data would only be able to flow to 12 countries outside Europe, 5 of which have less than 100,000 inhabitants. Data flows to 153 countries around the world, including some of Europe’s prominent trade partners, would be prohibited. This would mean severing Europe’s digital ties with four-fifths of the world economy.
It’s hard to imagine how Europe could realistically aspire to become a “world-class data hub” if it can’t even connect with its main trading partners in the first place.
The decision also raises an obvious question beyond any economic considerations: is Europe really prepared to favor an absolutist and inward-looking view of privacy over health research advancements? The answer should be obvious, particularly as Europe grapples with a global pandemic.
Yet, by prohibiting transfers of sensitive data such as health data to 153 ‘non-adequate’ countries, the CNPD decision would further exacerbate the difficulties that European researchers are already facing to collaborate with major partners in critical health research.
In a report published last month, three major European research organizations made it abundantly clear that the EU’s data transfer rules are inadequate to conduct health research collaboration. As a result, 40 health research projects, looking at diseases from cancer to Alzheimer’s, have been suspended since the GDPR entered into force. Furthermore, 5,000 ongoing projects between European and American researchers could be at risk.
Should the CNPD decision become Europe’s enforcement standard for data transfers, those 5,000 projects would also have to be suspended since the only option left for European researchers would be to send data to one of the 12 adequate jurisdictions.
While Europe seeks to build its own European Health Data Space, diseases know no borders and require global answers through research collaboration inside and outside Europe. Europe’s first priority should be to fix the most obvious shortcomings that European health researchers are already facing.
At this point, anyone supporting Europe’s global digital aspiration and a thriving economic and public health recovery can only hope that the CNPD decision does not become Europe’s enforcement standard for data transfers.