The data privacy scenario in Portugal has gone through a number of changes in 2015, in light of the European Court of Justice’s (ECJ’s) October 2015 ruling on the invalidity of the European Commission Decision 2000/520/CE (Safe Harbour Decision) as a basis for data transfers to the USA.
While a replacement mechanism (Safe Harbour 2.0) is currently being negotiated between EU and US authorities, the interim period has required adjustments, not just from the market (with data controllers having to employ alternative means of ensuring compliance with the legal rules applicable to data transfers outside EU territory), but also from regulators, which must arrange for an adequate replacement scenario for Safe Harbour.
The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados/CNPD) is no exception to this, having issued two decisions, both of which may be traced back to the repercussions of the ECJ’s Safe Harbour ruling.
The first of these two CNPD decisions was issued in late October and was aimed at clarifying the practical implications for data transfers from Portugal to the US.
In this decision, CNPD decided that, not only would it review all authorisations for transfers under the US Safe Harbour principles issued by this authority since the year 2000, but that companies should also suspend all international data flows in this context. Indeed, since the issuance of this decision, CNPD has been notifying data controllers, asking them to replace the mechanism for transferring data to the US and noting that transfers under Safe Harbour are not allowed.
This CNPD decision also tackles the matter of the European Commission Standard Contractual Clauses – this is consistent with the Article 29 Working Party’s indication that the validity of the Standard Contractual Clauses should be analysed and revisited.
In this respect, CNPD’s decision states that, under US law, companies must supply data to police and other authorities in a massive, indiscriminate manner that exceeds strict necessity in a democratic society; as a result, the remaining instruments associated with personal data transfers to the US (for example, the European Commission Standard Contractual Clauses) are also not entirely adequate. Therefore, CNPD shall start to issue only temporary authorisations for the transfer of personal data to the US under these alternative instruments.
The second CNPD decision of note (and one which also seeks to clarify and facilitate international data transfers in the current scenario) was issued in November, on the subject of intragroup transfer agreements. This decision establishes new rules on intragroup transfer agreements (deliberation). CNPD considered that they may prove a valid mechanism for legitimising international data transfers to third countries which do not provide for an adequate level of protection of the personal data, provided they comply with the European Commission Standard Contractual Clauses.
It should be noted, however, that while CNPD has officially decided on the validity of these intragroup agreements, it has not changed its stance on Binding Corporate Rules (BCR). While several companies throughout the EU have relied on BCR as a mechanism for handling data transfers, CNPD has consistently taken the view that BCRs are incompatible with the Portuguese legal system and, as such, are not a legitimate mechanism for international data transfers.
While this is the current scenario for data privacy in Portugal, it will necessarily need to be adjusted as soon as a final, formal decision is reached on the matter of the negotiations towards Safe Harbour 2.0.
In fact, the ECJ’s deadline for the EU and US to conclude the negotiations (31 January, 2016) has just expired. The European Commission’s Commissioner for Justice, Vera Jourová, was set to present the results of the negotiations to a meeting of a European Parliament committee on civil liberties, justice and home affairs on 1 February, 2016. While there was no major news to report, Commissioner Jourová noted that negotiations were still ongoing and additional work is still required.
In any event, when concluded, the outcome of this process will surely give rise to new changes in the Portuguese data privacy framework.
Magda Cocco is a partner at Vieira de Almeida. She can be contacted at firstname.lastname@example.org