CNPD (Portugal) - Deliberação 2021/533: Difference between revisions

From GDPRhub
|Original_Source_Language__Code_1=PT


|Type=Investigation
|Type=Complaint
|Outcome=Violation Found
|Outcome=Upheld
|Date_Decided=27.04.2021
|Date_Published=28.04.2021


|Initial_Contributor=n/a
|Initial_Contributor=n/a
|
|}}
}}


The Portuguese DPA ordered the National Statistical Institute to stop all data transfers to a service provider located in the US. Referencing the CJEU's Schrems II Judgment, the DPA stated that controllers using standard contractual clauses for data transfers are still obliged to implement safeguards to ensure an equivalent level of protection in third countries. 


==English Summary==


===Facts===
The Portuguese National Statistical Institute ("''Instituto Nacional de Estatística''") was undertaking the 2021 census by collecting data through forms on their own website "[https://censos2021.ine.pt/ CENSOS 2021]", and using various website security and content delivery services of Cloudflare, a service provider headquartered in the United States.


The Portuguese DPA (''"Comissão Nacional de Proteção de Dados"'', CNPD) received various complaints, mainly that citizens were obliged to disclose their full name, but also that personal data was being sent to the United States, due to the use of Cloudflare as a service provider.


The DPA's investigation found that the Institute's use of Cloudflare as a content delivery network did not guarantee that personal data would be processed in the European Union or in other countries, some of which may not ensure the adequate level of protection of the personal data required by the GDPR, given Cloudflare's network extended to more than one hundred countries. Cloudflare's service uses anycast to route incoming traffic to the nearest data centre to the user, using IP addresses registered in the United States.


Although the algorithm that routes the traffic is supposed to choose the closest server possible to the origin of the request, it is not guaranteed that the data is not sent to other servers located in countries without such level of protection.


The DPA also noted that the census website used Cloudflare's own certificates to encrypt website traffic, rather than encryption using the Institute's own private and public keys. Accordingly, the security protocol used by Cloudflare deprives the Institute of control regarding the transfer. Such protocol is fully controlled by Cloudflare, which possesses both the private and public key of the encryption.
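The certificate point above can be checked from the outside. The following is an added example, not part of the decision or of this summary: given the address a hostname resolves to and the certificate it presents, it reports whether the endpoint sits in a CDN's network and whether the issuing CA is one the controller itself uses. The IP 172.67.41.182 and the CA name "Cloudflare Inc ECC CA-3" come from point 12 of the decision; the CIDR range, the other sample certificate fields and the controller CA name are assumptions made for illustration.

```python
import ipaddress
import socket
import ssl

# Assumption: one range from Cloudflare's published IPv4 list, hard-coded so the
# example runs offline; a real audit would load the provider's current list.
EDGE_RANGES = {"Cloudflare": ["172.64.0.0/13"]}

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# only the issuer CA name and the IP address are taken from the decision.
SAMPLE_IP = "172.67.41.182"
SAMPLE_CERT = {
    "subject": ((("commonName", "censos2021.ine.pt"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Cloudflare, Inc."),),
        (("commonName", "Cloudflare Inc ECC CA-3"),),
    ),
    "subjectAltName": (("DNS", "censos2021.ine.pt"),),
}


def fetch_endpoint(hostname, port=443, timeout=5.0):
    """Live lookup (not used by the offline sample): peer IP and validated certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeername()[0], tls.getpeercert()


def name_field(name, field):
    """Return the first value of `field` in a getpeercert()-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def edge_operator(ip, ranges=EDGE_RANGES):
    """Return the operator whose listed ranges contain `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for operator, cidrs in ranges.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return operator
    return None


def assess_tls_termination(hostname, ip, cert, controller_cas, ranges=EDGE_RANGES):
    """Report who sits at the TLS endpoint and whose certificate it presents.

    `controller_cas` is the set of issuing-CA common names the controller
    itself obtains certificates from (hypothetical input for this example).
    """
    issuer = cert.get("issuer", ())
    issuer_cn = name_field(issuer, "commonName")
    issuer_org = name_field(issuer, "organizationName")
    operator = edge_operator(ip, ranges)
    # Exact-match check only; wildcard SAN entries are not expanded here.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

    findings = []
    if operator:
        findings.append(
            f"{hostname} resolves to {ip}, inside {operator}'s network: "
            "requests reach the provider before the controller's origin"
        )
    controller_issued = issuer_cn in controller_cas
    if not controller_issued:
        findings.append(
            f"certificate issued by '{issuer_cn}' ({issuer_org}), not a CA the "
            "controller obtains certificates from: the private key is held by "
            "whoever serves this certificate"
        )
    return {
        "edge_operator": operator,
        "issuer_cn": issuer_cn,
        "covers_hostname": hostname in sans,
        "provider_holds_key": bool(operator) and not controller_issued,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess_tls_termination(
        "censos2021.ine.pt", SAMPLE_IP, SAMPLE_CERT,
        controller_cas={"Example Controller CA"},  # hypothetical CA name
    )
    for line in report["findings"]:
        print("-", line)
    print("provider holds TLS key:", report["provider_holds_key"])
```

For a live check, pass the tuple returned by `fetch_endpoint(hostname)` as the `ip` and `cert` arguments instead of the constructed sample.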


At the time of the investigation, more than six million Portuguese citizens had completed the census, which amounts to more than half of Portugal's population. The 2021 national census was mandatory and included the collection and processing of special categories of personal data, including health and religious beliefs.
 
===Holding===
The CNPD found that the National Statistical Institute, being the controller of the data processing, had not carried out the necessary Data Protection Impact Assessment for this particular processing, having only carried out an impact assessment for the general statistical activities. Therefore, the Institute had not been able to assess the risks of this particular processing of data, which might include transfers of personal data to third countries without an adequate level of protection. The controller did not seek the DPA's advice either, consulting only with the Portuguese National Security Cabinet (''"Gabinete Nacional de Segurança"'') about the census' cybersecurity requirements.


The DPA stated that even given the cybersecurity requirements of the census, additional measures could have been put in place to mitigate the risk to individuals' personal data, ensuring greater control over the data by the National Institute, and limiting the processing of personal data to EU Member States; and by implication not processing the personal data in third countries. However, the choices made by the National Institute meant personal data might be processed in the United States and other countries in Cloudflare's network (for instance, South Africa, China, India, Jordan, Mexico, Russia, and Singapore).


<pre>
The National Institute, as a controller, accepted Cloudflare's terms and conditions when using their service. The contract specifies that:


*personal data may transit any of the 200 servers used by Cloudflare;
*Standard Contractual Clauses are relied upon for the transfer of data to third countries, based on the Commission Decision 2010/87/UE of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries;
*Cloudflare is authorized to use sub-processors from outside their group, including companies from third countries;
*Cloudflare may be subject to disclosure requests from US government institutions that may be inconsistent with the GDPR, and those requests may forbid notifying the data controller about them.


The DPA held that the use of standard contractual clauses does not relieve the controller of the obligation to ensure an equivalent level of protection when data is transferred to third countries, by implementing adequate safeguards that maintain that level of protection, according to the CJEU Schrems II Judgment<ref>CJEU Case C‑311/18, Schrems II, § 92-93.</ref>. This is also related to the accountability principle from Article 5(2) GDPR.


The DPA remarks that, according to the Schrems II Judgment, the transfer of data to the United States may result in violations of fundamental rights, given that the US legislation allows for access to the data because of national security and public interest reasons. Such interferences are not reasonable, as limitations to fundamental rights are not clearly defined; there are no clear and precise rules on the application of such measures or minimum requirements to protect against risks of abuse; there is no requirement for a necessity test; and there are no enforceable rights for data subjects or legal remedies.


The Portuguese DPA found that the National Institute had not undertaken a sufficient Data Protection Impact Assessment, had not consulted the supervisory authority prior to processing, and had therefore not adopted adequate additional safeguards before using the services of a data processor who was headquartered in the United States.


The DPA concluded that Portuguese citizens lack any guarantees in regards to their data being collected by the National Statistical Institute, as US legislation does not offer a level of protection similar to that of the GDPR. The controller had neither been able to demonstrate that the data is not effectively transferred to the US, nor had they implemented any supplementary adequate measures to ensure a similar level of protection, which they are obliged to do as a data controller.


Therefore, the CNPD ordered the National Statistical Institute to suspend any processing of personal data for the census in the US or any other third country without adequate levels of protection, within 12 hours of their decision being issued.


The CNPD also remarked that the National Institute should obtain guarantees that compliance with GDPR is assured when contracting with processors or sub-processors.


==Comment==
The issue of ''transit data'' vs. ''international data transfers'' has been considered by the EDPB in its ''Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data''<ref>https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf</ref>, adopted on 10 November 2020.  


In Use Case 3 of the above-mentioned Recommendations, the EDPB considers the possibility that "(...) ''a data exporter wishes to transfer data to a destination recognised as offering adequate protection in accordance with Article 45 GDPR. The data is routed via a third country''."


The EDPB sets 11 requirements for transport encryption, if needed in combination with end-to-end content encryption, to provide an effective supplementary measure:<blockquote>1. A data exporter transfers personal data to a data importer in a jurisdiction ensuring adequate protection, the data is transported over the internet, and the data may be geographically routed through a third country not providing an essentially equivalent level of protection;


2. Transport encryption is used for which it is ensured that the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of the third country;


3. Decryption is only possible outside the third country in question;


4. The parties involved in the communication agree on a trustworthy public-key certification authority or infrastructure;


5. Specific protective and state-of-the-art measures are used against active and passive attacks on transport-encrypted;


6. In case the transport encryption does not provide appropriate security by itself due to experience with vulnerabilities of the infrastructure or the software used, personal data is also encrypted end-to-end on the application layer using state-of-the-art encryption methods;


7. The encryption algorithm and its parameterisation (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities in the transiting country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them;


8. The strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved;


9. The encryption algorithm is flawlessly implemented by properly maintained software the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification;


10. The existence of backdoors (in hardware or software) has been ruled out;


11. The keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of the intended recipient, and revoked), by the exporter or by an entity trusted by the exporter under a jurisdiction offering an essentially equivalent level of protection.</blockquote>


==Further Resources==
https://www.cloudflare.com/resources/assets/slt3lc6tev37/1M1j5uuFDuLTYiZJJDPBag/bda8d591447971b3df2bccf5aa4e0916/Customer_DPA_v.3_1_-_en_1_Oct_2020.pdf


https://edpb.europa.eu/news/national-news/2021/census-2021-portuguese-dpa-cnpd-suspended-data-flows-usa_en


https://iapp.org/news/a/cnpd-orders-statistics-portugal-to-stop-sending-census-data-to-us/


https://www.huntonprivacyblog.com/2021/04/28/portuguese-dpa-orders-suspension-of-u-s-data-transfers-by-agency-that-relied-on-sccs/#more-20425


https://www.natlawreview.com/article/portuguese-dpa-orders-suspension-us-data-transfers-agency-relied-sccs


==English Machine Translation of the Decision==
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.


<pre>
CNPD
National Commission for Data Protection
DELIBERATION 2021/533
I. Introduction
1. The National Commission for Data Protection (CNPD) has received more than a dozen participations regarding the ongoing census operation - Census 2021 - carried out by the National Statistics Institute, I.P. (INE), which in part is done by filling out the form available online at https://censos2021.ine.pt/. The greatest number of participations is related to the fact that the survey requires citizens to provide their identification data, namely their full name. However, some respondents associated the requirement to provide identifying data with the transfer of data to a company based in the United States of America.


2. The same question was also asked on social networks, and media outlets reported that the information displayed there was inaccurate.


3. The CNPD, under the powers conferred by Article 58(1)(b) and (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR), in conjunction with Article 3, Article 4(2) and Article 6(1)(b), all of Law 58/2019, of 8 August (which aims to ensure the implementation, in the internal legal order, of the GDPR), has analyzed the website of Statistics Portugal and the platform made available therein, and concluded that this entity uses services provided by the company Cloudflare. Statistics Portugal was also requested to provide information on this operation regarding personal data.


II. Analysis

i. Facts found


4. The Census 2021 data collection form is accessed through the infrastructure provided by Cloudflare, Inc. (hereinafter Cloudflare), a company based in San Francisco, California, in the United States of America. This company provides various Internet security and Content Delivery Network (CDN) services.


5. The CDN consists of a network of servers that aims to reduce the latency of access to servers, i.e., the period of time between the user's action and the response to that action. In effect, through an algorithm that sends information simultaneously to several servers, it chooses the one with the shortest response time. With this, it is possible to deliver information faster and with greater robustness from the point of view of security.


6. Cloudflare owns 200 (two hundred) datacenters located in over one hundred countries, the vast majority of which do not have an adequate level of data protection, under the terms of Article 45 of the GDPR.


7. INE used the services provided by the company Cloudflare through the online subscription to its Business Plan [1]. This plan provides a set of services, and INE is currently making use of WAF [2], the CDN, and Rate Limit [3].


8. This plan is governed by the 'Self-Serve Subscription Agreement' [4] (main service provision agreement) and the data processing addendum (Data Processing Addendum version 3.0 [5]), dated October 1st, 2020, which is part of the main agreement (see clause 6.1 of the main agreement).


9. INE justified the conclusion of this contract with the objective of "(...) effectively responding to the performance and information security needs associated with the size and complexity of the Census 2021 operation".


10. Notwithstanding the use of this service, it is not, nor has it ever been, in question that the information provided by citizens through the Censos 2021 forms is hosted in INE's servers.


11. When the citizen accesses the Census 2021 form, it is forwarded to one of Cloudflare's servers according to the referred algorithm. Cloudflare's infrastructure communicates with the INE server by TLS.


12. The name censos2021.ine.pt is associated with IP 172.67.41.182, located in the United States of America, and is assigned to Cloudflare. Customers access the site using the HTTPS secure communication protocol, and the associated certificate is issued by Cloudflare, Inc ECC CA-3, a certification body of Cloudflare itself. Thus, this company holds both the private key and the public key,
[1] This plan is presented on Cloudflare's website as being aimed at small businesses and e-commerce websites that require advanced performance and security, and that give priority to email support. See https://www.cloudflare.com/plans/business/
[2] A WAF helps secure web applications by filtering and monitoring HTTP traffic. It protects against attacks such as Cross Site Request Forgery, Cross Site Scripting, SQL Injection, and others.
[3] Rate limiting protects against Denial of Service (DoS) attacks, brute force attacks and other types of malicious behavior.
[4] https://www.cloudflare.com/terms/
[5] https://www.cloudflare.com/resources/assets/slt3lc6tev37/1M1j5uuFDuLTYiZJJDPBag/bda8d591447971b3df2bccf5aa4e0916/Customer_DPA_v.3_1_-_en_1_Oct_2020.pdf


13. Note that the fact that the encryption key used is Cloudflare's means that the encryption is applied by this entity, remaining during the transit of information, and is deciphered by it, and only by it - i.e., before delivering the whole set of information (the data packages) to INE, Cloudflare has to proceed to its deciphering, and INE has no intervention in this process.


14. Moreover, INE admits that it has no control over the transmission of information between citizens and its server. Once inside Cloudflare's CDN network, Statistics Portugal has no way of knowing whether the traffic is being directed to servers located in the territory of European Union countries or residing in any other area of the world.


15. As of the date of this deliberation, personal data of more than six million citizens residing in the national territory has been collected.




ii. Assessment in light of the GDPR
16. Since the information provided by citizens when filling out the Census 2021 forms constitutes personal data, under the terms of Article 4(1) of the GDPR - since it corresponds to information on identified natural persons -, the census operation is subject to the GDPR, and Statistics Portugal is responsible for the processing, in accordance with paragraphs 2) and 7) of the same article.


17. It is also true that some of the information falls into the category of specific personal data provided for in Article 9(1) of the GDPR, and therefore the data processing is subject to a stricter protection regime and to the obligation to carry out a data protection impact assessment (DPIA), in accordance with Article 9(1) and (3)(b) of the GDPR.


18. It should be noted that the DPIA must cover all operations on personal data, including, therefore, the operation corresponding to the transport of information to and from Cloudflare's servers, in the scope of the outsourcing relationship.


19. On this point, INE declared to the CNPD that "(...) it has chosen to carry out a Data Protection Impact Assessment only for the main statistical operation. This was due to the fact that the tests (2016, 2018, 2020) only aimed at testing collection processes and application functionalities, and were, as far as the application solutions were concerned, partial. Therefore, they did not allow for testing and evaluating the risk inherent in all processes. In this sense, only the final operation allowed for a complete and comprehensive assessment in a scenario where the decisions taken, given the pandemic context, were being modified and optimized. However, the respective contents are not yet integrated in such a way as to be made immediately available. Although the systematic and continuous monitoring of the EPD and RSI to the Census 2021 is guaranteed."


20. As an impact assessment was not carried out for this specific operation on personal data, Statistics Portugal did not carry out an assessment of the risks for the rights of data subjects and, consequently, did not adopt any additional measures to mitigate these risks, focusing only on the performance and security of the system, including consulting the National Security Office.


21. Statistics Portugal did not consult the CNPD on this operation, which would have allowed the CNPD to make a statement and thus seek to protect the rights of the data subjects.


22. However, even considering the purpose of this operation, there were other solutions that could have mitigated the risks, ensuring greater control over the data by Statistics Portugal, and, of course, limiting the transit of personal data to the territory of EU Member States, which would not imply sending them to third countries.


23. However, the choice of the NSI implies, as will be shown, the transit of personal data through third countries in relation to the European Union and which do not have the adequate level of protection. It also implies, by virtue of the contract signed, a specific authorization by INE to transfer personal data to the United States of America (USA) and to other countries where the servers used by Cloudflare are located (namely, South Africa, China, India, Jordan, Mexico, Russia, Singapore).


24. As described above, in points 5 and 11, the personal data of citizens residing in Portugal are sent to Cloudflare servers located in different countries that are neither identified nor identifiable by INE or by the data subjects. Moreover, the encryption and decryption key is owned by Cloudflare.




25. The contract concluded between Statistics Portugal and Cloudflare foresees the transit of personal data to any of the 200 servers used by Cloudflare, as well as the transfer of personal data to the USA.


26. Indeed, under the terms of the Data Processing Addendum version 3.0 (hereinafter 'DPA'), which, it is recalled, forms part of the contract, personal data are transferred from the customer (data exporter) to Cloudflare (data importer), in the United States of America, using as international transfer mechanism the standard contractual clauses based on Commission Decision 2010/87/EU of 5 February 2010, applicable to transfers of personal data to processors established in third countries [6], which are an integral part of the Addendum and are to that extent endorsed by the customer (cf. clause 1.1(m) of the DPA) [7].


27. The DPA applies to the extent that Cloudflare processes personal data submitted by the customer to Cloudflare or, as is the case with INE, collected and processed by the customer using the service, where such personal data is subject to applicable data protection legislation.


28. Thus, by (sub)contracting Cloudflare's services, INE, in its capacity of controller and simultaneously of client, accepted the conditions of use of the service, including the amendment to the terms of processing of personal data, which contains a contract between the controller (INE) and the subcontractor (Cloudflare) for the transfer of personal data to the United States of America.


29. Also under the terms of the DPA, INE granted a general authorization to Cloudflare to use other (sub-)subcontractors, whether companies within or outside the Group (clause 4.2), acknowledging and accepting that it may be necessary for the provision of the service to use (sub-)subcontractors established in third countries (clause 6.4).


30. If standard contractual clauses are, in general, a legal instrument for the transfer of personal data to third countries, under the combined provisions of Article 46(2)(e) and (5) of the GDPR, it is necessary to verify, however, whether the law of the third country, which obviously overlaps with an instrument of a contractual nature, does not diminish or negate the guarantees offered by these clauses, which aim precisely at compensating for the lack of an adequate level of protection in the country of destination of the data (cf.


31. According to the Court of Justice of the European Union (CJEU), it is for the data exporter, on a case-by-case basis, in cooperation with the data importer, to ascertain whether the country of destination in question ensures a level of data protection essentially equivalent to that guaranteed by the EU and, if possible, to adopt additional safeguards to overcome the obstacles and ensure that data protection is maintained [9]. This obligation also derives from compliance with the principle of accountability, enshrined in Article 5(2) of the GDPR.
[6] As stated on Cloudflare's website, the privacy policy was revised on October 27, 2020, to "reflect" a change in the legal instrument underpinning the transfer of personal data from the European Union (EU) to the United States of America (US), which is no longer the Privacy Shield adequacy decision invalidated by the Court of Justice of the European Union (CJEU) in July 2020 in the Schrems II case, to become the standard contractual clauses.
[7] https://www.cloudflare.com/cloudflare customer sccs.pdf
[8] See paragraphs 92 and 93 of the Schrems II Judgment, in which the Court stressed that the assessment of the existence of a level of protection essentially equivalent to that guaranteed in the EU in the country of destination of the data must be made regardless of whether a transfer mechanism provided for in Chapter V of the GDPR is used.
[9] See paragraph 134 of the Schrems II judgment.


32. According to the CJEU analysis in the Schrems II case, the law of the US - which is the destination country for Cloudflare's international transfers under the standard contractual clauses - allows for interference with the fundamental rights of individuals based on national security and public interest requirements, which may result in access to personal data transferred from the EU to the US and the use of such data in surveillance programs, based on Section 702 of the FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333 [10].


33. The CJEU concluded that such interference is not proportionate under EU law as there is no definition of the scope of the limitations on individuals' rights, no clear and precise rules on the application of such measures and no minimum requirements to protect against risks of abuse, no assessment of necessity, no enforceable rights for data subjects and no judicial remedies, so that the limitations on data protection under US law do not meet the requirements of the EU Charter of Fundamental Rights [11] (cf. Articles 7, 8, 47 and 52(1)).


34. Therefore, a transfer of personal data to the U.S. would be possible if the legislation at stake here, and expressly referred to by the CJEU, were not directly or indirectly applicable to Cloudflare or its (sub-)subcontractors, and even then only by taking additional measures that could demonstrably show that this legislation would not be applicable or would have no practical effect on transfers of personal data.


35. However, the services provided by Cloudflare, namely those contracted by INE when it subscribed to the Business Plan, put the company directly under US law, which imposes on it the obligation to grant bulk access to the personal data it processes, already as a provider of electronic communications services [12], without prejudice to other types of services also being covered by other provisions of the US surveillance legislation.


36. Cloudflare acknowledges in point 7 of the DPA that, in its role as a subcontractor, it may be subject to requests for access to personal data by third parties in the context of legal proceedings, which may be "inconsistent" with the law applicable to its customer, i.e., the GDPR. In such a case, where a conflict of laws exists, Cloudflare declares that it will immediately inform the Customer, "unless such notification is legally prohibited" (cf. clause 7.1(a)).


[10] See paragraph 165 of the cited judgment, where the PRISM and UPSTREAM programs are cited.
[11] See paragraphs 175-176, 180-185, 191 and 94 of the cited judgment.
[12] Cf. Section 702 of FISA as amended by 50 USC § 1881a.


37.
This is precisely the case with this US legislation that prevents US companies from informing their customers of access by US authorities for the purpose of gathering information on foreigners in the context of national security activity.


  I0. Notwithstanding the use of these services, it is not, nor ever
38.  
                                                                  was concerned that the information provided
Therefore, there is no guarantee that the personal data of citizens residing in Portugal, collected by INE through its website, in the context of Censos 2021, will not be accessed by the US authorities, through Cloudflare, due to the services it provides to INE and which imply, according to the contract signed, the transfer of such personal data to the USA.  
  by citizens through
                        of the 2021 censuses' Imormulários is housed in the lNE's seitores.


  11. the citizen
39.  
      When you access the 2021 Census form, you are forwarded to one of the
In this sense, as the standard contractual clauses under which personal data are transferred by the NSI to Cloudflare in the USA cannot be respected in the third country of destination, insofar as they are not binding on the authorities of that country, thus not offering the appropriate guarantees required by the GDPR, the CNPD is obliged to prohibit these data transfers, as prescribed by the CJEU.13


  Cloudflare according to this algorithm. Even though the criterion underlying this algorithm is the highest
40.
Furthermore, according to the same case law 14, even if the NSI could demonstrate that the personal data was not transferred to the U.S., the transit of the data would always depend on the adoption of adequate and sufficient additional measures, which are not present here.


  proximity of the servers to the location of the origin of the invocation, there is no guarantee that
                                                                                          of such a success,
  since it depends on the load on them at each moment.
                                                                    Cloudflare infrastructure communicates


  with the DOINE server via TLS.
41 . Under Article 5(2) and Article 24 of the GDPR, Statistics Portugal is obliged to comply with the principles and rules on personal data protection and to demonstrate compliance with the processing of personal data under its responsibility.  


  12 name
III. Conclusion
      Censos2021 .ine.pt is associated with lP 172.67.41.182, located in the United States of America,
42.  
In view of the above and as there is no other corrective measure capable of safeguarding the rights of data subjects, the CNPD, under paragraph}) of Article 58(2) of the GDPR, hereby orders Instituto Nacional de Estatística, I.P., to suspend the sending of personal data from Censos 2021 to the USA and to other third countries without an adequate level of protection, whether through Cloudflare, lnc. or another company, within a maximum period of 12 hours.


  being assigned to CloudÍlare.0s clients access the site using the secure communication protocol
43.
The same entity shall also ensure, in the scope of any subcontracting, that subcontractors are not obliged to comply with a legislation that departs from the protection conferred by the RGPD.


  HTTPS, the associated certificate being issued by Cloudflare, tnECC CA-3, an entity
44.
                                                                                                certifying
The hearing is waived, in accordance with Article 124.1 a) of the Administrative Procedure Code, considering the urgency of the corrective measure, taking into account the time period of the online collection of the Census and that, otherwise, the risk to the rights, freedoms and guarantees of citizens, potentially more than four million, who have not yet fulfilled their legal obligation to respond to the census operation, would remain.
  Cloudflare itself.
                              Therefore, this company holds both the private and public keys,




13 See paras. 107 and 121 of the cited judgment. 14 Cf. nos. 63 and 183 of the same accd.
Approved at the meeting of April 27, 2021


<
Filipa Galvão (Chair)


</pre>


 
<references />
 
rSplit is presented on the Cloudflar website as a small business website
performance and security that is comercielelronic, eÍequeÍem
                                  advanced, and give priority to .orr ... ãta, óni.o support. veí
2ttps: //www.cloudÍlare.com/plans/business/
A WAF helps protect waofiltremonitor applications from HTT traffic. Píotedos attack as cross regre Reguest Forgery,
Cross S, te Scí, pSoL /r.iectior, among others.
3 protects
Ráte, r? Itlng against Oeofservice (DoS) attacks - brute force attacks and malignant types.
Ihttps: //wwwcloudlare.com/terms/
5
              f1
        - 'l P 44
DPA v.3 1 in oct 2020odf AVçt2021t401 2
 
 
    rJ
 
 
CNPD
  National Commission
  deProtedeData
 
    getting enabled that
            so the cyber and decryption of all communications between citizens access
 
    to the form and send data to the lNE server.
 
 
13. Note that the fact that the encryption key used is Cloudflare's means that the encryption is applied by this entity, is maintained during the transit of the information, and is by it, and only by it, decrypted. That is, before delivering the information (the data packets) to INE, Cloudflare must decrypt it, with INE having no intervention in this process.

14. Incidentally, INE admits that it has no control over the transmission of information between citizens and its service. Once inside Cloudflare's CDN network, INE has no way of knowing whether the traffic is directed to servers located in countries of the European Union or residing in any other area of the globe.

15. As of the date of this deliberation, personal data have been collected from more than six million citizens residing in national territory.

II. Assessment in the light of the GDPR

16. There is no doubt that the information provided by citizens when filling out the 2021 Census forms consists of personal data within the meaning of Article 4(1) of the GDPR. As it is information relating to identified natural persons, the census operation is subject to the GDPR, with INE being the controller, in accordance with points 2) and 7) of the same article.

17. It is also certain that some of the information falls within the special categories of personal data provided for in Article 9(1) of the GDPR, and the data processing is therefore subject to a more stringent protection regime and, from the outset, to the obligation to carry out a data protection impact assessment (DPIA), in accordance with paragraph 1 and point b) of paragraph 3 of Article 9 of the GDPR.

18. It should be noted that the DPIA must cover all operations on personal data, including, therefore, the operation corresponding to the transport of information to and from Cloudflare's servers, within the scope of the subcontracting relationship.
 
 
19. On this point, INE declared to the CNPD that '(...) it opted to carry out a Data Protection Impact Assessment only for the main statistical operation. This was due to the fact that the tests (2016, 2018, 2020) were aimed at testing only collection processes and application functionalities and were, as regards application solutions, partial, and therefore did not allow the risk relating to all the processes to be tested and assessed. In this sense, only the final operation allowed a complete and comprehensive assessment to be carried out, in a scenario in which most of the decisions, given the pandemic context, were being changed and optimised. However, the respective contents are not yet integrated so as to be made available immediately, although systematic and continuous monitoring by the EPD and RS/Censos 2021 is guaranteed.'

Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, T (+351) 213 928 400, F (+351) 213 976 832, geral@cnpd.pt, www.cnpd.pt
 
 
20. As no impact assessment was carried out on this specific data processing operation, INE did not weigh the risks to the rights of the data subjects and, consequently, did not adopt, with respect to this operation, any supplementary measure to mitigate these risks, having focused only on the performance and security of the system, including by consulting the National Security Office.

21. INE did not consult the CNPD about this operation, which would have allowed the CNPD to comment and so seek to safeguard the data of the data subjects.

22. However, even considering the purpose pursued with this operation, there were other solutions that would have made it possible to mitigate the risks, guaranteeing INE greater control over the data and, from the outset, limiting the transit of personal data to the territory of the Member States of the European Union, without implying that the data be sent to third countries.

23. Now, INE's choice implies, as demonstrated, the transit of personal data through third countries that have no relation to the European Union and do not have an adequate level of protection. It also implies, by virtue of the contract concluded, a specific authorisation from INE for the transfer of personal data to the United States of America (USA) and to other countries where the servers used by Cloudflare are located (namely South Africa, China, India, Jordan, Mexico, Russia, Singapore).

24. As described above, in points 5 and 11, the personal data of citizens residing in Portugal are sent to Cloudflare servers in different countries, which are not identified or identifiable by Statistics Portugal or by the data subjects. In addition, the encryption and decryption key is the property of Cloudflare.

25. Now, at the very least, the contract concluded between INE and Cloudflare provides for the transfer of personal data to any of the 200 servers used, as well as the transfer of personal data to the USA.
 
26. Indeed, under the terms of the Data Processing Addendum version 3.0 (hereinafter, DPA), which, it is recalled, forms part of the contract, personal data from the customer (data exporter) are transferred to Cloudflare (data importer) in the United States of America, using as the international transfer mechanism the standard contractual clauses based on Commission Decision 2010/87/EU of 5 February 2010, applicable to transfers of personal data to subcontractors established in third countries[6], which form part of the addendum and are, to that extent, subscribed by the customer (point m) of clause 1.1 of the DPA)[7].

27. The DPA applies insofar as Cloudflare processes personal data submitted by the customer to Cloudflare or, as is the case of INE, collected and processed by the customer using the service, where these personal data are subject to the applicable data protection legislation.
 
 
28. Thus, by (sub)contracting Cloudflare's services, INE, in its capacity as controller and at the same time as customer, accepted the conditions of use of the service, including the addendum on the terms of personal data processing, which contains a contract between the controller (INE) and the subcontractor (Cloudflare) for the transfer of personal data to the United States of America.

29. Still according to the terms of the DPA, INE granted Cloudflare a general authorisation to use other (sub-)subcontractors, whether companies inside or outside the Group (clause 4.2), recognising and accepting that it might be necessary for the provision of the service to use (sub-)subcontractors established in third countries (clause 6.4).

30. Although standard contractual clauses are, in general, a legal instrument for transferring personal data to third countries, under Article 46(2)(c) and (5) of the GDPR, it is nevertheless necessary to verify whether the legislation of the third State, which obviously prevails over an instrument of a contractual nature, does not diminish or empty the guarantees offered by these clauses, which precisely aim to compensate for the lack of an adequate level of protection in the country of destination of the data (cf. Articles 44 and 46 of the GDPR)[8].

31. According to the Court of Justice of the European Union (CJEU), it is for the data exporter to verify, on a case-by-case basis and with the assistance of the data importer, whether the specific country of destination ensures a level of data protection essentially equivalent to that guaranteed by the EU, and it should, if possible, adopt additional safeguards to overcome obstacles and ensure that the protection of the data is maintained. This obligation also stems from compliance with the principle of accountability, enshrined in Article 5(2) of the GDPR.
 
 
 
 
[6] As stated on the Cloudflare website, the privacy policy was revised on 27 October 2020 to reflect a change in the legal instrument that governs the transfer of personal data from the European Union (EU) to the United States of America (USA), which ceased to be the Privacy Shield adequacy decision, invalidated by the Court of Justice of the European Union (CJEU) in July 2020 in the Schrems II case, and became the standard contractual clauses.
[7] https://www.cloudflare.com/cloudflare_customer_SCCs.pdf
[8] See paragraphs 92 and 93 of the Schrems II judgment, in which the Court emphasised that the assessment of the existence, in the country of destination of the data, of a level of protection essentially equivalent to that guaranteed in the EU must be (...) transfer (...) chapter of the GDPR.
[9] See paragraph 134 of the Schrems II judgment.
 
 
 
 
 
 
 
32. According to the CJEU's analysis in the Schrems II case, US legislation (the USA being the country of destination of Cloudflare's international transfers under standard contractual clauses) allows interference with people's fundamental rights, based on requirements relating to national security and the public interest, which may result in access to personal data transferred from the EU to the USA and in the use of such data under surveillance programs based on Section 702 of FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333[10].

33. The CJEU concluded that such interferences are not proportionate in the light of Union law, insofar as the scope of the limitations on people's rights is not defined, there are no clear and precise rules on the application of these measures or minimum requirements for protection against risks of abuse, there is no assessment of necessity, and no enforceable rights or judicial remedies are conferred on data subjects, so that the limitations on data protection resulting from US law do not satisfy the requirements of the EU Charter of Fundamental Rights[11] (cf. Articles 7, 8, 47 and 52(1)).

34. Therefore, it would only be possible to carry out a transfer of personal data to the USA if the legislation concerned here, and expressly referred to by the CJEU, were not directly or indirectly applicable to Cloudflare or its (sub-)subcontractors, and even then only through the adoption of supplementary measures that could demonstrably prove that this legislation would not be applicable or would have no practical effect on transfers of personal data.

35. However, the services provided by Cloudflare, namely those contracted by INE when it subscribed to the Business Plan, place the company directly within the scope of US legislation that imposes on it the obligation to grant mass access to the personal data it processes, first of all as a provider of electronic communications services[12], without prejudice to other types of services also being covered by other provisions of US surveillance legislation.

36. Cloudflare recognises in point 7 of the DPA that, in its role as a subcontractor, it may be the object of requests for access to personal data by third parties within the scope of legal procedures, which may be "inconsistent" with the law applicable to its customer, that is, the GDPR. In this case, if there is a conflict, Cloudflare declares that it will promptly inform the customer, «unless such notification is strictly prohibited» (cf. point a) of clause 7.1).
 
 
 
 
 
 
 
[10] See paragraph 165 of the cited judgment, in which the PRISM and UPSTREAM programs are cited.
[11] See paragraphs 175-176, 180-185, 191 and 194 of the judgment.
[12] Cf. Section 702 of FISA, as amended by 50 USC § 1881a.
 
 
37. This is precisely the case with this US legislation, which prevents US companies from informing their customers of the access carried out by the US authorities for the purpose of collecting information about foreigners, in the context of national security activity.

38. It follows that there is no guarantee that the personal data of citizens residing in Portugal, collected by INE through its website within the scope of the 2021 Census, are not accessed by the US authorities, through Cloudflare, due to the services it provides to INE, which imply, according to the contract signed, the transfer of such personal data to the USA.

39. In this sense, as the standard contractual clauses under which personal data are transferred by INE to Cloudflare, in the USA, cannot be respected in the third country of destination, insofar as they do not bind the authorities of that country, thus not offering the adequate guarantees required by the GDPR, the CNPD is obliged to prohibit these data transfers, as prescribed by the CJEU.[13]

40. In addition, according to the same case law, even if INE could demonstrate that the personal data were not transferred to the USA, the transit of the data would always depend on the adoption of adequate and sufficient measures, which are not found here.

41. Under Article 5(2) and Article 24 of the GDPR, it is the responsibility of INE to comply with the principles and rules of personal data protection, as well as to demonstrate that compliance in the processing of personal data under its responsibility.
 
 
 
 
 
 
III. Conclusion

42. In view of the foregoing, and because there is no other corrective measure capable of safeguarding the rights of data subjects, the CNPD decides, under point j) of Article 58(2) of the GDPR, to order the National Institute of Statistics, I.P. to suspend the sending of personal data from the 2021 Census to the USA and to other countries without an adequate level of protection, whether through Cloudflare, Inc. or another company, within a maximum period of 12 hours.

43. The same entity must also ensure, in the context of any subcontracting, that the subcontractors are not obliged to comply with legislation that removes the protection conferred by the GDPR.
 
 
 
 
 
[13] See paragraphs 107 and 121 of the cited judgment.
[14] Cf. paragraphs 63 and 183 of the same judgment.
 
 
 
 
 
 
 
 
 
44. The hearing is waived, under point a) of paragraph 1 of Article 124 of the Code of Administrative Procedure, considering the urgency of the corrective measure, taking into account the time period of the online collection of the Census and that, otherwise, the risk would remain for the rights, freedoms and guarantees of citizens, potentially more than four million, who have not yet fulfilled their legal obligation to respond to the census operation.

Approved at the meeting of April 27, 2021

Filipa Calvão (President)
</pre>

Latest revision as of 16:56, 6 December 2023

CNPD - Deliberação/2021/533
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 9 GDPR
Article 44 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.04.2021
Published: 28.04.2021
Fine: None
Parties: Instituto Nacional de Estatística, I.P.
Cloudflare, Inc.
National Case Number/Name: Deliberação/2021/533
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD Deliberação (in PT)
Initial Contributor: n/a

The Portuguese DPA ordered the National Statistical Institute to stop all data transfers to a service provider located in the US. Referencing the CJEU's Schrems II Judgment, the DPA stated that controllers using standard contractual clauses for data transfers are still obliged to implement safeguards to ensure an equivalent level of protection in third countries.

English Summary

Facts

The Portuguese National Statistical Institute ("Instituto Nacional de Estatística") was undertaking the 2021 census by collecting data through forms on their own website "CENSOS 2021", and using various website security and content delivery services of Cloudflare, a service provider headquartered in the United States.

The Portuguese DPA ("Comissão Nacional de Proteção de Dados", CNPD) received various complaints from people, mainly that citizens were obliged to disclose their full name, but also that personal data was being sent to the United States, due to the use of Cloudflare as a service provider.

The DPA's investigation found that the Institute's use of Cloudflare as a content delivery network did not guarantee that personal data would be processed in the European Union or in other countries, some of which may not ensure the adequate level of protection of the personal data required by the GDPR, given Cloudflare's network extended to more than one hundred countries. Cloudflare's service uses anycast to route incoming traffic to the nearest data centre to the user, using IP addresses registered in the United States.

Although the algorithm that routes the traffic is supposed to choose the closest server possible to the origin of the request, it is not guaranteed that the data is not sent to other servers located in countries without such level of protection.

The DPA also noted that the census website used Cloudflare's own certificates to encrypt website traffic, rather than encryption using the Institute's own private and public keys. Accordingly, the security protocol used by Cloudflare deprives the Institute of control regarding the transfer. That protocol is fully controlled by Cloudflare, which possesses both the private and public key of the encryption.

At the time of the investigation, more than six million Portuguese citizens had completed the census, which amounts to more than half of the Portuguese population. The 2021 national census was mandatory and included the collection and processing of special categories of personal data, including health and religious beliefs.

Holding

The CNPD found that the National Statistical Institute, being the controller of the data processing, had not carried out the necessary Data Protection Impact Assessment for this particular processing, having only carried out an impact assessment for the general statistical activities. Therefore, the Institute had not been able to assess the risks of this particular processing of data, which might include transfers of personal data to third countries without an adequate level of protection. The controller did not seek the DPA's advice either, consulting only with the Portuguese National Security Cabinet ("Gabinete Nacional de Segurança") about the census' cybersecurity requirements.

The DPA stated that even given the cybersecurity requirements of the census, additional measures could have been put in place to mitigate the risk to individuals' personal data, ensuring greater control over the data by the National Institute, and limiting the processing of personal data to EU Member States, and by implication not processing the personal data in third countries. However, the choices made by the National Institute meant personal data might be processed in the United States and other countries in Cloudflare's network (for instance, South Africa, China, India, Jordan, Mexico, Russia, and Singapore).

The National Institute, as a controller, accepted Cloudflare's terms and conditions when using their service. The contract specifies that:

  • personal data may transit any of the 200 servers used by Cloudflare;
  • Standard Contractual Clauses are relied upon for the transfer of data to third countries, based on the Commission Decision 2010/87/EU of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries;
  • Cloudflare is authorized to use sub-processors from outside their group, including companies from third countries;
  • Cloudflare may be subject to requests for disclosure by US government institutions that may be inconsistent with the GDPR, and those requests may forbid notifying the data controller about them.

The DPA held that the use of standard contractual clauses does not relieve the controller of the obligation to ensure an equivalent level of protection when data is transferred to third countries, by implementing adequate safeguards that maintain that level of protection, according to the CJEU Schrems II Judgment[1]. This is also related to the accountability principle in Article 5(2) GDPR.

The DPA remarks that, according to the Schrems II Judgment, the transfer of data to the United States may result in violations of fundamental rights, given that the US legislation allows for access to the data because of national security and public interest reasons. Such interferences are not reasonable, as limitations to fundamental rights are not clearly defined; there are no clear and precise rules on the application of such measures or minimum requirements to protect against risks of abuse; there is no requirement for a necessity test; and there are no enforceable rights for data subjects or legal remedies.

The Portuguese DPA found that the National Institute had not undertaken a sufficient Data Protection Impact Assessment, had not consulted the supervisory authority prior to processing, and had therefore not adopted adequate additional safeguards before using the services of a data processor who was headquartered in the United States.

The DPA concluded that Portuguese citizens lack any guarantees in regard to their data being collected by the National Statistical Institute, as US legislation does not offer a level of protection similar to that of the GDPR. The controller had neither been able to demonstrate that the data is not effectively transferred to the US, nor had they implemented any adequate supplementary measures to ensure a similar level of protection, which they are obliged to do as a data controller.

Therefore, the CNPD ordered the National Statistical Institute to suspend any processing of personal data for the census in the US or any other third country without adequate levels of protection, within 12 hours of their decision being issued.

The CNPD also remarked that the National Institute should obtain guarantees that compliance with GDPR is assured when contracting with processors or sub-processors.

Comment

The issue of transit data vs. international data transfers has been considered by the EDPB in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data[2], adopted on 10 November 2020.

In Use Case 3 of the above-mentioned Recommendations, the EDPB considers the possibility that "(...) a data exporter wishes to transfer data to a destination recognised as offering adequate protection in accordance with Article 45 GDPR. The data is routed via a third country."

The EDPB sets 11 requirements for transport encryption, if needed in combination with end-to-end content encryption, to provide an effective supplementary measure:

1. A data exporter transfers personal data to a data importer in a jurisdiction ensuring adequate protection, the data is transported over the internet, and the data may be geographically routed through a third country not providing an essentially equivalent level of protection;

2. Transport encryption is used for which it is ensured that the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of the third country;

3. Decryption is only possible outside the third country in question;

4. The parties involved in the communication agree on a trustworthy public-key certification authority or infrastructure;

5. Specific protective and state-of-the-art measures are used against active and passive attacks on transport-encrypted;

6. In case the transport encryption does not provide appropriate security by itself due to experience with vulnerabilities of the infrastructure or the software used, personal data is also encrypted end-to-end on the application layer using state-of-the-art encryption methods;

7. The encryption algorithm and its parameterisation (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities in the transiting country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them;

8. The strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved;

9. The encryption algorithm is flawlessly implemented by properly maintained software the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification;

10. The existence of backdoors (in hardware or software) has been ruled out;

11. The keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of the intended recipient, and revoked), by the exporter or by an entity trusted by the exporter under a jurisdiction offering an essentially equivalent level of protection.

Further Resources

https://www.cloudflare.com/resources/assets/slt3lc6tev37/1M1j5uuFDuLTYiZJJDPBag/bda8d591447971b3df2bccf5aa4e0916/Customer_DPA_v.3_1_-_en_1_Oct_2020.pdf

https://edpb.europa.eu/news/national-news/2021/census-2021-portuguese-dpa-cnpd-suspended-data-flows-usa_en

https://iapp.org/news/a/cnpd-orders-statistics-portugal-to-stop-sending-census-data-to-us/

https://www.huntonprivacyblog.com/2021/04/28/portuguese-dpa-orders-suspension-of-u-s-data-transfers-by-agency-that-relied-on-sccs/#more-20425

https://www.natlawreview.com/article/portuguese-dpa-orders-suspension-us-data-transfers-agency-relied-sccs

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

CNPD
National Commission for Data Protection
DELIBERATION/2021/533

I. Introduction

1. The National Commission for Data Protection (CNPD) has received more than a dozen complaints regarding the ongoing census operation - Census 2021 - carried out by the National Statistics Institute, I.P. (INE), which in part is done by filling out the form available online at https://censos2021.ine.pt/. The greatest number of complaints is related to the fact that the survey requires citizens to provide their identification data, namely their full name. However, some respondents associated the requirement to provide identifying data with the transfer of data to a company based in the United States of America.

2. The same question was also asked on social networks, and media outlets reported that the information displayed there was inaccurate.

3. The CNPD, under the powers conferred by Article 58(1)(b) and (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR), in conjunction with Article 3, Article 4(2) and Article 6(1)(b), all of Law 58/2019, of 8 August (which aims to ensure the implementation, in the internal legal order, of the GDPR), has analyzed the website of Statistics Portugal and the platform made available therein, and concluded that this entity uses services provided by the company Cloudflare. Statistics Portugal was also requested to provide information on this operation regarding personal data.

II. Analysis

i. Facts found

4. The Census 2021 data collection form is accessed through the infrastructure provided by Cloudflare, Inc. (hereinafter Cloudflare), a company based in San Francisco, California, in the United States of America. This company provides various Internet security and Content Delivery Network (CDN) services.

5. The CDN consists of a network of servers that aims to reduce the latency of access to servers - i.e., the period of time between the user's action and the response to that action. In effect, through an algorithm that sends information simultaneously to several servers, it chooses the one with the shortest response time. With this, it is possible to deliver information faster and with greater robustness from the point of view of security.

6. Cloudflare owns 200 (two hundred) datacenters located in over one hundred countries, the vast majority of which do not have an adequate level of data protection, under the terms of Article 45 of the RGPD.

7. INE used the services provided by the company Cloudflare through the online subscription to its Business Plan[1]. This plan provides a set of services, and INE is currently making use of WAF[2], the CDN, and Rate Limit[3].

8. This plan is governed by the 'Self-Serve Subscription Agreement'[4] (main service provision agreement) and the data processing addendum (Data Processing Addendum version 3.0[5]), dated October 1st, 2020, which is part of the main agreement (see clause 6.1 of the main agreement).

9. INE justified the conclusion of this contract with the objective of "(...) effectively responding to the performance and information security needs associated with the size and complexity of the Census 2021 operation". 

10. Notwithstanding the use of this service, it is not, nor has it ever been, in question that the information provided by citizens through the Censos 2021 forms is hosted in INE's servers. 

11. When the citizen accesses the Census 2021 form, it is forwarded to one of Cloudflare's servers according to the referred algorithm. Cloudflare's infrastructure communicates with the INE server by TLS.

12. The name censos2021.ine.pt is associated with IP 172.67.41.182, located in the United States of America, and is assigned to Cloudflare. Customers access the site using the HTTPS secure communication protocol, and the associated certificate is issued by Cloudflare, Inc ECC CA-3, a certification body of Cloudflare itself. Thus, this company holds both the private key and the public key,

1 This plan is presented on Cloudflare's website as being aimed at small businesses and e-commerce websites that require advanced performance and security, and that give priority to email support. See https://www.cloudflare.com/plans/business/
2 A WAF helps secure web applications by filtering and monitoring HTTP traffic. It protects against attacks such as Cross Site Request Forgery, Cross Site Scripting, SQL Injection, and others.
3 Rate limiting protects against Denial of Service (DoS) attacks, brute force attacks and other types of malicious behavior.
4 https://www.cloudflare.com/terms/
5 https://www.cloudflare.com/resources/assets/slt3lc6tev37/1M1j5uuFDuLTYiZJJDPBag/bda8d591447971b3df2bccf5aa4e0916/Customer_DPA_v.3_1_-_en_1_Oct_2020.pdf

13. Note that the fact that the encryption key used is Cloudflare's means that the encryption is applied by this entity, remaining during the transit of information, and is deciphered by it, and only by it - i.e., before delivering the whole set of information (the data packages) to INE, Cloudflare has to proceed to its deciphering, and INE has no intervention in this process.

14. Moreover, INE admits that it has no control over the transmission of information between citizens and its server. Once inside Cloudflare's CDN network, Statistics Portugal has no way of knowing whether the traffic is being directed to servers located in the territory of European Union countries or residing in any other area of the world.

15. As of the date of this deliberation, personal data of more than six million citizens residing in the national territory has been collected.


ii. Assessment in light of the RGPD

16. Since the information provided by citizens when filling out the Census 2021 forms constitutes personal data, under the terms of Article 4(1) of the RGPD - since it corresponds to information on identified natural persons -, the census operation is subject to the RGPD, and Statistics Portugal is responsible for the processing, in accordance with paragraphs 2) and 7) of the same article.

17. It is also true that some of the information falls into the category of specific personal data provided for in Article 9(1) of the RGPD, and therefore the data processing is subject to a stricter protection regime and to the obligation to carry out a data protection impact assessment (DPIA), in accordance with Article 9(1) and (3)(b) of the RGPD.

18. It should be noted that the DPIA must cover all operations on personal data, including, therefore, the operation corresponding to the transport of information to and from Cloudflare's servers, in the scope of the outsourcing relationship.

19. On this point, INE declared to the CNPD that "(...) it has chosen to carry out a Data Protection Impact Assessment only for the main statistical operation. This was due to the fact that the tests (2016, 2018, 2020) only aimed at testing collection processes and application functionalities, and were, as far as the application solutions were concerned, partial. Therefore, they did not allow for testing and evaluating the risk inherent in all processes. In this sense, only the final operation allowed for a complete and comprehensive assessment in a scenario where the decisions taken, given the pandemic context, were being modified and optimized. However, the respective contents are not yet integrated in such a way as to be made immediately available. Although the systematic and continuous monitoring of the EPD and RSI to the Census 2021 is guaranteed."

20. As an impact assessment was not carried out for this specific operation on personal data, Statistics Portugal did not carry out an assessment of the risks for the rights of data subjects and, consequently, did not adopt any additional measures to mitigate these risks, focusing only on the performance and security of the system, including consulting the National Security Office.

21. Statistics Portugal did not consult the CNPD on this operation, which would have allowed the CNPD to make a statement and thus seek to protect the rights of the data subjects.

22. However, even considering the purpose of this operation, there were other solutions that could have mitigated the risks, ensuring greater control over the data by Statistics Portugal, and, of course, limiting the transit of personal data to the territory of EU Member States, which would not imply sending them to third countries.

23. However, the choice of the NSI implies, as will be shown, the transit of personal data through third countries in relation to the European Union and which do not have the adequate level of protection. It also implies, by virtue of the contract signed, a specific authorization by INE to transfer personal data to the United States of America (USA) and to other countries where the servers used by Cloudflare are located (namely, South Africa, China, India, Jordan, Mexico, Russia, Singapore).

24. As described above, in points 5 and 11, the personal data of citizens residing in Portugal are sent to Cloudflare servers located in different countries that are neither identified nor identifiable by INE or by the data subjects. Moreover, the encryption and decryption key is owned by Cloudflare.


25. The contract concluded between Statistics Portugal and Cloudflare foresees the transit of personal data to any of the 200 servers used by Cloudflare, as well as the transfer of personal data to the USA.

26. Indeed, under the terms of the Data Processing Addendum version 3.0 (hereinafter 'DPA'), which, it is recalled, forms part of the contract, personal data are transferred from the customer (data exporter) to Cloudflare (data importer), in the United States of America, using as international transfer mechanism the standard contractual clauses based on Commission Decision 2010/87/EU of 5 February 2010, applicable to transfers of personal data to processors established in third countries[6], which are an integral part of the Addendum and are to that extent endorsed by the customer (cf. clause 1.1(m) of the DPA)[7].

27. The DPA applies to the extent that Cloudflare processes personal data submitted by the customer to Cloudflare or, as is the case with INE, collected and processed by the customer using the service, where such personal data is subject to applicable data protection legislation.

28. Thus, by (sub)contracting Cloudflare's services, INE, in its capacity of controller and simultaneously of client, accepted the conditions of use of the service, including the amendment to the terms of processing of personal data, which contains a contract between the controller (INE) and the subcontractor (Cloudflare) for the transfer of personal data to the United States of America.

29. Also under the terms of the DPA, INE granted a general authorization to Cloudflare to use other (sub-)subcontractors, whether companies within or outside the Group (clause 4.2), acknowledging and accepting that it may be necessary for the provision of the service to use (sub-)subcontractors established in third countries (clause 6.4).

30. If standard contractual clauses are, in general, a legal instrument for the transfer of personal data to third countries, under the combined provisions of Article 46(2)(e) and (5) of the GDPR, it is necessary to verify, however, whether the law of the third country, which obviously overlaps with an instrument of a contractual nature, does not diminish or negate the guarantees offered by these clauses, which aim precisely at compensating for the lack of an adequate level of protection in the country of destination of the data (cf. 

31. According to the Court of Justice of the European Union (CJEU), it is for the data exporter, on a case-by-case basis, in cooperation with the data importer, to ascertain whether the country of destination in question ensures a level of data protection essentially equivalent to that guaranteed by the EU and, if possible, to adopt additional safeguards to overcome the obstacles and ensure that data protection is maintained[9]. This obligation also derives from compliance with the principle of accountability, enshrined in Article 5(2) of the GDPR.

6 As stated on Cloudflare's website, the privacy policy was revised on October 27, 2020, to "reflect a change in the legal instrument underpinning the transfer of personal data from the European Union (EU) to the United States of America (US), which is no longer the Privacy Shield adequacy decision invalidated by the Court of Justice of the European Union (CJEU) in July 2020, in the Schrems II case, to become the standard contractual clauses
7 https://www.cloudflare.com/cloudflare_customer_sccs.pdf
8 See paragraphs 92 and 93 of the Schrems II Judgment, in which the Court stressed that the assessment of the existence of a level of protection essentially equivalent to that guaranteed in the EU in the country of destination of the data must be made regardless of whether a transfer mechanism provided for in Chapter V of the GDPR is used.
9 See paragraph 134 of the Schrems II judgment.

32. According to the CJEU analysis in the Schrems II case, the law of the US - which is the destination country for Cloudflare's international transfers under the standard contractual clauses - allows for interference with the fundamental rights of individuals based on national security and public interest requirements, which may result in access to personal data transferred from the EU to the US and the use of such data in surveillance programs, based on Section 702 of the FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333[10].

33. The CJEU concluded that such interference is not proportionate under EU law as there is no definition of the scope of the limitations on individuals' rights, no clear and precise rules on the application of such measures and no minimum requirements to protect against risks of abuse, no assessment of necessity, no enforceable rights for data subjects and no judicial remedies, so that the limitations on data protection under US law do not meet the requirements of the EU Charter of Fundamental Rights[11] (cf. Articles 7, 8, 47 and 52(1)).

34. Therefore, a transfer of personal data to the U.S. would be possible if the legislation at stake here, and expressly referred to by the CJEU, were not directly or indirectly applicable to Cloudflare or its (sub-)subcontractors, and even then only by taking additional measures that could demonstrably show that this legislation would not be applicable or would have no practical effect on transfers of personal data.

35. However, the services provided by Cloudflare, namely those contracted by INE when it subscribed to the Business Plan, put the company directly under US law, which imposes on it the obligation to grant bulk access to the personal data it processes, already as a provider of electronic communications services[12], without prejudice to other types of services also being covered by other provisions of the US surveillance legislation.

36. Cloudflare acknowledges in point 7 of the DPA that, in its role as a subcontractor, it may be subject to requests for access to personal data by third parties in the context of legal proceedings, which may be "inconsistent" with the law applicable to its customer, i.e., the GDPR. In such a case, where a conflict of laws exists, Cloudflare declares that it will immediately inform the Customer, "unless such notification is legally prohibited" (cf. a) clause 7.1).


10 See paragraph 165 of the cited judgment, where the PRISM and UPSTREAM programs are cited.
11 See paragraphs 175-176, 180-185, 191 and 94 of the cited judgment.
12 Cf. Section 702 of FISA as amended by 50 USC § 1881a.

37. This is precisely the case with this US legislation that prevents US companies from informing their customers of access by US authorities for the purpose of gathering information on foreigners in the context of national security activity.

38. Therefore, there is no guarantee that the personal data of citizens residing in Portugal, collected by INE through its website, in the context of Censos 2021, will not be accessed by the US authorities, through Cloudflare, due to the services it provides to INE and which imply, according to the contract signed, the transfer of such personal data to the USA.

39. In this sense, as the standard contractual clauses under which personal data are transferred by the NSI to Cloudflare in the USA cannot be respected in the third country of destination, insofar as they are not binding on the authorities of that country, thus not offering the appropriate guarantees required by the GDPR, the CNPD is obliged to prohibit these data transfers, as prescribed by the CJEU.[13]

40. Furthermore, according to the same case law[14], even if the NSI could demonstrate that the personal data was not transferred to the U.S., the transit of the data would always depend on the adoption of adequate and sufficient additional measures, which are not present here.

41. Under Article 5(2) and Article 24 of the GDPR, Statistics Portugal is obliged to comply with the principles and rules on personal data protection and to demonstrate compliance with the processing of personal data under its responsibility.

III. Conclusion

42. In view of the above and as there is no other corrective measure capable of safeguarding the rights of data subjects, the CNPD, under point (j) of Article 58(2) of the GDPR, hereby orders Instituto Nacional de Estatística, I.P., to suspend the sending of personal data from Censos 2021 to the USA and to other third countries without an adequate level of protection, whether through Cloudflare, Inc. or another company, within a maximum period of 12 hours.

43. The same entity shall also ensure, in the scope of any subcontracting, that subcontractors are not obliged to comply with a legislation that departs from the protection conferred by the RGPD.

44. The hearing is waived, in accordance with Article 124(1)(a) of the Administrative Procedure Code, considering the urgency of the corrective measure, taking into account the time period of the online collection of the Census and that, otherwise, the risk to the rights, freedoms and guarantees of citizens, potentially more than four million, who have not yet fulfilled their legal obligation to respond to the census operation, would remain.


13 See paras. 107 and 121 of the cited judgment.
14 Cf. paras. 63 and 183 of the same judgment.

Approved at the meeting of April 27, 2021

Filipa Galvão (Chair)