Introduction
We’ve written before about the Schrems III case and the difficulties of cross-border data transfer after last year’s ECJ ruling. You can find out more about that here www.bit.ly/pshielddead. Last week Portugal’s data protection authority (the Comissão Nacional de Proteção de Dados or CNPD) ordered the country’s statistical office (INE) to stop using US-based cloud services provider Cloudflare. The prohibition followed the Schrems III ruling and was based on concerns about US government surveillance of data transferred from the EU. The case could potentially have much wider ramifications, particularly for US cloud services providers hosting EU data.
This note uses some GDPR-specific technical terms which you can see definitions for here www.bit.ly/gdprwords
What was the case about?
INE was conducting a census and was using Cloudflare. According to the CNPD, INE put in place Standard Contractual Clauses (SCCs) with Cloudflare to legitimise its transfers of data to Cloudflare.
What did the CNPD do?
In the run-up to GDPR coming in, much of the focus was on fines. We’ve said before though that DPAs have wide-ranging powers including (in GDPR Art. 58) the power to order the suspension of data flows outside the EEA. We’ve seen GDPR suspension powers used against HMRC in the UK (see here https://www.corderycompliance.com/episode-247-voice-data-collected-unlawfully-must-be-destroyed/), although in that case there were no international transfers but the ICO also ordered the destruction of the data which had been collected. We’ve also seen Facebook voluntarily suspend its online dating service after the DPC in Ireland visited its premises (see www.bit.ly/faceraid).
In this case the CNPD ordered INE to suspend transfers within 12 hours. The CNPD said that INE had already collected data from 6.5 million people that included sensitive data related to religion or health. It said the collection started 8 days before the CNPD’s ruling and that, unchecked, the INE planned to keep collecting data until 3 May 2021.
What has Cloudflare said?
Cloudflare has said that it did not transfer the data to the US and that the CNPD’s investigation was inaccurate. It also said that it had measures in place to alert customers if US authorities do request access to data.
Why is the case significant?
Aside from the point we’ve made previously that orders like this can be more damaging than a fine, the case is interesting for the speed with which the CNPD reached its conclusions. It shows that, in some circumstances, DPAs can move quickly.
Portugal has historically been one of the least active DPAs according to figures compiled by LexisNexis with just 4 enforcement actions made public since GDPR came into force and a highest fine to date of just €400,000.
Of more concern however will be the fact that the suspension seems to be building on the concerns the ECJ expressed in Schrems III. DPAs across the EU have been fairly slow to act on the judgment and whilst there have been civil actions (like the German case against Amazon here https://www.corderycompliance.com/munich-privacy-shield-action/) and considerable activity from controllers in sending out questionnaires and demanding information and new contractual agreements from processors, enforcement activity has not followed at the same pace. This may now change.
It is also important to look at this case in an EU-UK context post-Brexit. The UK currently awaits an EU data adequacy decision (see here https://bit.ly/edpbadq) and has had the benefit of a temporary data deal (see here https://bit.ly/brextemp) whilst adequacy decision negotiations progress. Technically the temporary data deal between the EU and the UK has now expired, although the original deal did allow for a 2-month extension.
Practical tips
In our view every business should work on a data transfer response plan. Even if this is a work in progress it might be something that they can show a potential claimant, a DPA or a court if they are asked questions. It’s a strategy which we used after the fall of Safe Harbor and it worked well for many then. The plan might also be something that will reassure customers, employees and other stakeholders. That plan might include:
- Thinking about how you transfer data. If you rely on SCCs be prepared to do a double due diligence check on both the organisation you are dealing with and the locations your data is going to. This case tells us that absolute clarity will be needed, especially if a processor you are using is US-owned;
- In a post-GDPR world employees and customers are asking more questions about the way in which you make data transfers lawful. Be ready for their questions. Some prepared FAQs may help your HR team and contact centres respond to these questions. Works councils are asking questions too;
- Look at your transparency obligations. Many organisations still refer to Privacy Shield in their privacy policies. Privacy policies will therefore need a review. You might need to alter other documents too including internal notices to employees and GDPR Article 30 records;
- Stay alert – new versions of the SCCs are on the way (see here https://www.corderycompliance.com/draft-eu-standard-model-clauses/) and they are more challenging to complete. This is unlikely to get any easier;
- Consider a specialist review – for example a Cordery Data Transfers Clinic may help. There are more details here https://www.corderycompliance.com/solutions/data-transfers-clinic/.
More information
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
The CNPD’s announcement is here https://www.cnpd.pt/comunicacao-publica/noticias/censos-2021-cnpd-suspende-fluxos-para-os-eua/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com