Portugese gegevensbeschermingsautoriteit schort gegevensstromen naar VS voor Portugese census op

30-04-2021

De Portugese gegevensbeschermingsautoriteit (CNPD) heeft het Nationaal Instituut voor de Statistiek (INE) gelast de doorgifte van persoonsgegevens van de volkstelling 2021 naar de Verenigde Staten op te schorten. Naar aanleiding van een aantal klachten over de voorwaarden voor de online gegevensverzameling heeft de CNPD snel onderzoek verricht en geconcludeerd dat de INE de uitvoering van de vragenlijst voor de volkstelling heeft uitbesteed aan Cloudflare, Inc. via een gegevensverwerkingsovereenkomst die voorziet in de doorgifte van persoonsgegevens aan de Verenigde Staten. Sinds de Schrems II zaak is de doorgifte van persoonsgegevens tussen de EU en VS door het Hof van Justitie onderbroken omdat er geen vergelijkbaar beschermingsniveau voor persoonsgegevens bestaat in de VS. De persoonsgegevens van 6,5 miljoen personen zijn al doorgegeven.

The Portuguese Data Protection Authority (CNPD) ordered INE (National Institute for Statistics) to suspend the sending of personal data from the Census 2021 to the United States.

CNPD has issued a decision addressed to INE for the suspension within 12 hours of any international transfer of personal data to the United States or other third countries without an adequate level of protection in the context of Census 2021 questionnaire.

Following a number of complaints concerning the conditions for the online data collection, CNPD carried out a quick investigation and concluded that the INE outsourced to Cloudflare, Inc. the operation of the census questionnaire, through a data processing agreement that provides for the transfer of personal data to the United States.

Cloudflare is an undertaking established in California. By the type of services which it provides, it is directly subject to the US surveillance legislation for the purposes of national security, which imposes on it the legal obligation to give the United States authorities unrestricted access to personal data held or kept by Cloudflare, without being able to inform its customers of that fact.

The Court of Justice of the European Union recently held, in Schrems II case, that such legislation entails a disproportionate interference with the fundamental rights of the persons concerned in the light of EU law and, therefore, does not ensure a level of data protection essentially equivalent to that guaranteed in the European Union.
The Court has also held that the data protection authorities are required to suspend or prohibit transfers of data, even where they are based on model clauses approved by the European Commission, as is the case with the contract subscribed by INE, in the absence of guarantees that such contractual clauses may be complied with in the third country.

Given that the data in question are personal data from an almost total universe of citizens residing on national territory, including sensitive data such as health and religion data, the CNPD took the view that the transfer of data to the United States or to any other third country without adequate protection should be suspended with almost immediate effect.

According to the information provided by INE, the responses to the census obtained to the date, already covered more than 6,5 million persons, data subjects. The collection of personal data has begun for 8 days and it is planned to be completed on 3 May.


bron: European Data Protection Board

Van onze partners

Internationale doorgifte van persoonsgegevens: hoe regel je dat in de praktijk?

→ Lees meer

Nieuwsbrief

Blijf op de hoogte van het laatste nieuws over privacy, cybersecurity en data. Abonneer op onze gratis nieuwsbrief.

Abonneer