Liisa Thomas & Snehal Desai of Sheppard Mullin write:
The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries is the United States.
Prompting the resolution was the INE’s use of the US company Cloudflare, Inc. The parties had standard contractual clauses in place, and relying on those, the INE transferred Portuguese resident data from the 2021 census surveys to Cloudflare. Citing the Schrems II decision, the Portuguese data protection authority (CNPD) concluded that the SCCs were not sufficient, since Cloudflare is subject to US surveillance laws, which could require the company to share personal information with US authorities.
Read more on Eye on Privacy.