Flash SRS: Personal Data Transfers to the United States

The National for Data Protection Authority ("CNPD") prohibited the transfer of personal data to the United States of America (USA) under the Safe Harbour scheme, referred to in the European Commission Decision 2000/520/EC ("Safe Harbour Decision"). The prohibition has immediate effect.

According to the CNPD, this is "the instrument most commonly used for transferring data to the USA" in Portugal, and therefore the impact of this decision is very significant, especially within the framework of multinationals and organizations that maintain a deal flow with the USA.

The CNPD also announced that it will start to issue provisional authorizations, that is, "subject to possible revision in the near future" in relation to exports of data to the USA based on other grounds, namely "standard contractual clauses, contracts between companies of the same group or other ad-hoc contracts."

The measures announced by the CNPD implement the recent decision of the Court of Justice of the European Union of 6 October 2015 in case Maximillian Schrems/Data Protection Commissioner (C-362/14), and are taken in the context of the evaluation undertaken by the Article 29 Working Party (which brings together the Data Protection Authorities of the Member States and the European Commission) of the consequences of the Court's decision on the grounds used to legitimize data transfers to the USA.

We recommend that you contact your lawyer if your organization stands to be affected by this decision.

We advise you to read the press releases from CNPD (in Portuguese) and the Article 29 Working Party (in English):