Portuguese Data Protection Authority and cross border transfers of personal data
November 27, 2015
The Portuguese Data Protection Authority (“Authority”) has been one of the first EU data protection authorities to issue statements on cross-border transfers of personal data in the aftermath of the Safe Harbor judgment of the Court of Justice of the European Union (CJEU).
The first statement, issued on 23 October 2015, was specifically targeted at personal data transfers to the US under the Safe Harbor EU Commission Decision, which the CJEU invalidated.
This first statement, whilst recognising that Safe Harbor was the most widely used mechanism in Portugal for legitimising data transfers to the US, nevertheless stated in unambiguous terms that:
- Transfers of personal data from Portugal to the US based on Safe Harbor certification are forbidden;
- Any authorisation issued by the Authority regarding transfers of personal data to the US will be given on a temporary basis only. This is because the existing alternatives to Safe Harbor are still being analysed by the Article 29 Working Party and may be found to carry the same risks to individuals’ privacy as Safe Harbor did, namely the massive and indiscriminate disclosure of personal data to US law enforcement and intelligence authorities, combined with the lack of supervision of those authorities and the lack of judicial remedies through which citizens could assert their data protection rights;
- Previous authorisations to transfer personal data based on the Safe Harbor mechanism will be formally reviewed by the Portuguese Data Protection Authority; and
- Portuguese data controllers must suspend transfers of personal data which are based on the Safe Harbor mechanism.
This means that Portuguese data controllers should now be considering not only which alternative mechanisms they can actually implement to legitimise their US data transfers, but also carrying out an operational adequacy check of those transfers, since there is no guarantee that the Authority will in fact authorise the alternative mechanism chosen.
After this first statement, the Authority issued a second statement on 10 November 2015, aimed at simplifying the authorisation of data transfers within a single multinational group of companies where those transfers are based on the standard contractual clauses approved by the EU Commission as affording adequate protection to the transferred personal data (the “model clauses”).
In this statement, the Authority addresses several points that are very useful to any multinational organisation struggling with intra-group data transfers:
- By clarifying that, because of their multinational nature, intra-group data transfer agreements are always subject to specific, case-by-case authorisation by the Authority;
- By acknowledging that the Authority takes significant time to issue such authorisations, even when the agreements are based on the model clauses;
- By setting out that an intra-group agreement based on the model clauses will be authorised by the Authority more quickly;
- By identifying when intra-group agreements are considered to be based on the model clauses:
  - When the intra-group agreement is a contract, and not a unilateral statement of compliance with a set of rules;
  - When the intra-group agreement does not contradict the model clauses or harm the freedoms and fundamental rights of EU citizens. Perhaps acknowledging the uncertainty of this last criterion, the Authority clarified what acceptable intra-group agreements would look like:
    - Contracts in which the only departure from the model clauses is their multilateral nature, and which identify all parties and their roles (importer or exporter);
    - Contracts in which the only changes are superficial amendments, such as punctuation or language, without any change to the meaning of the terms used;
    - Contracts with additional commercial clauses that do not conflict with the model clauses;
    - Contracts with additional clauses on the jurisdiction for contractual disputes, indemnities between the parties and rights of redress, as long as these do not in any way hinder the data subjects’ rights as third-party beneficiaries; and
    - In contracts governing controller-to-processor intra-group transfers, clauses that grant a general authorisation to subcontract, subject to a prior information obligation and a prior authorisation power.
Although this statement does not cover situations in which companies belonging to multinational groups execute intra-group agreements covering both controller-to-controller and controller-to-processor transfers, we have informally confirmed with the Authority that these would nonetheless be subject to the streamlined authorisation process.
What has still not been expressly covered is the situation in which an intra-EU controller-to-processor engagement involves a subcontracting entity located outside the EU. Given the exceptional nature of this statement, for now it seems that engagements of this kind would still require specific, case-by-case and lengthier authorisations by the Authority.