CNPD (Portugal) - Deliberação 2021/533

From GDPRhub
Revision as of 08:25, 28 April 2021 by Cvl
CNPD - Deliberação/2021/533
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 9 GDPR
Article 44 GDPR
Article 46 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.04.2021
Published: 28.04.2021
Fine: None
Parties: Instituto Nacional de Estatística, I.P.
Cloudflare, Inc.
National Case Number/Name: Deliberação/2021/533
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD Deliberação (in PT)
Initial Contributor: n/a

The Portuguese DPA ordered the National Statistical Institute to stop all data transfers to a service provider located in the US.

English Summary

Facts

The Portuguese National Statistical Institute (INE) collects data for the census through a form on its website, using the services of Cloudflare, a service provider based in the US.

Dispute

Holding

in progress

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

CNPD
National Data Protection Commission

AVG/2021/401

DELIBERAÇÃO/2021/533



I. Introduction

1. The National Data Protection Commission (CNPD) received more than a dozen complaints related to the ongoing census operation (Censos 2021) carried out by the National Statistics Institute, I.P. (INE), which partly takes place by filling in the online form available at https://censos2021.ine.pt/. The largest share of these complaints concerns the survey's obligation to provide identification data of all citizens, including the full name. Some complaints, however, associated the obligation to provide data with the transfer of that data to a company based in the United States of America.

2. The same issue was also raised on social networks, with media outlets reporting that the information circulating there was not accurate.

3. The CNPD, under the powers conferred by subparagraphs (b) and [illegible] of Article 58(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, GDPR), in conjunction with Article 3, Article 4(2) and Article 6(1)(b), all of Law no. 58/2019 of 8 August (which ensures the implementation of the GDPR in national law), analysed the INE website and the platform made available there, and concluded that this entity uses services provided by the company Cloudflare, having also requested information from INE regarding this operation on personal data.



II. Analysis

i. Established facts

4. The form for collecting data for the 2021 Census is accessed through the infrastructure made available by Cloudflare, Inc. (hereinafter, Cloudflare), a company based in San Francisco, California, United States of America. This company provides several Internet security services and a Content Delivery Network (CDN).

5. The CDN consists of a network of servers that aims to reduce the latency of access to servers, i.e., the period of time between the user's action and the response to that action. In effect, through an algorithm that sends information simultaneously to several servers, it chooses the one which requires the shortest response time. With this, faster delivery of information is achieved, with greater robustness from a security point of view.




Av. D. Carlos I, 134, 1º, 1200-651 Lisboa | T (+351) 213 928 400 | F (+351) 213 976 832 | geral@cnpd.pt | www.cnpd.pt










6. Cloudflare has 200 (two hundred) data centres located in more than 100 countries, the vast majority of which do not have an adequate level of data protection, as provided for in Article 45 of the GDPR.

7. INE uses services provided by Cloudflare through the online subscription of its Business Plan [1]. This plan provides a set of services, of which INE currently makes use of the WAF [2], the CDN and Rate Limiting [3].

8. This plan is governed by the 'Self-Serve Subscription Agreement' [4] (the main contract for the provision of services) and by the Data Processing Addendum (version 3.0) [5], dated 1 October 2020, which forms part of the main contract (cf. clause 6.1 of the main contract).

9. INE justified the execution of this contract with the objective of '(...) responding effectively to the performance and information security needs associated with the dimension and complexity of the 2021 Census operation'.

10. Notwithstanding the use of these services, it is not, nor was it ever, in question that the information provided by citizens through the 2021 Census forms is hosted on INE's servers.

11. When the citizen accesses the 2021 Census form, they are forwarded to one of the Cloudflare servers according to this algorithm. Even though the criterion underlying this algorithm is the greatest proximity of the servers to the location from which the request originates, there is no guarantee of such an outcome, since it depends on the load on those servers at each moment. The Cloudflare infrastructure communicates with the INE server via TLS.

12. The name censos2021.ine.pt is associated with the IP address 172.67.41.182, located in the United States of America and assigned to Cloudflare. Clients access the site using the secure communication protocol HTTPS, the associated certificate being issued by Cloudflare Inc ECC CA-3, a certification authority of Cloudflare itself. Therefore, this company holds both the private and the public key, being thus enabled to encrypt and decrypt all communications between the citizens' access to the form and the sending of the data to the INE server.

[1] The Business Plan is presented on the Cloudflare website as aimed at small business and e-commerce websites that require advanced performance and security and priority support. See https://www.cloudflare.com/plans/business/
[2] A WAF (Web Application Firewall) helps protect web applications by filtering and monitoring HTTP traffic. It protects against attacks such as Cross-Site Request Forgery, Cross-Site Scripting and SQL injection, among others.
[3] Rate Limiting protects against Denial of Service (DoS) attacks, brute force attacks and other malicious types of attack.
[4] https://www.cloudflare.com/terms/
[5] Data Processing Addendum v.3, 1 October 2020 (PDF) [link illegible in the source]


13. Note that the fact that the encryption key used belongs to Cloudflare means that the encryption is applied by this entity, is maintained during the transit of the information, and is by it, and only by it, decrypted. That is, before delivering all the information (the data packets) to INE, Cloudflare must first decrypt it, INE having no intervention in this process.

14. Incidentally, INE admits that it has no control over the transmission of information between citizens and its service. Once inside Cloudflare's CDN network, INE has no way of knowing whether the traffic is directed to servers located in European Union countries or to servers resident in any other area of the globe.
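The situation described in paragraphs 12 to 14 (the edge network holds the private key of the certificate the browser validates, so it decrypts every request before forwarding it to the origin over a second TLS session) can be verified from outside by any site operator preparing a DPIA. The Python script below is an added example and is not part of the CNPD decision nor any INE or Cloudflare code: it classifies, from a server certificate and the resolved addresses, whether TLS terminates at the operator or at an intermediary. The issuer organisation string "Cloudflare, Inc.", the EDGE_ISSUER_ORGS list, the origin_org parameter and the sample inputs are assumptions; the issuer common name and the IP address are the ones cited in paragraph 12.

```python
"""Classify where a site's TLS session terminates, using only what a client
can observe: the resolved addresses and the server certificate's issuer.

Added illustration, not part of the CNPD deliberation. The sample inputs
below are constructed; the issuer common name "Cloudflare Inc ECC CA-3" and
the address 172.67.41.182 are those cited in the decision.
"""
import socket
import ssl
from typing import Dict, List, Tuple

# Issuer organisations that run TLS-terminating edge networks. Assumption:
# a defender maintains this list for the CDNs their organisation uses; the
# organizationName value for Cloudflare's CA is assumed here.
EDGE_ISSUER_ORGS = {"Cloudflare, Inc."}


def cert_field(cert: dict, field: str, key: str) -> str:
    """Pull one RDN value (e.g. organizationName) out of the nested tuple
    structure that ssl.SSLSocket.getpeercert() returns for subject/issuer."""
    for rdn in cert.get(field, ()):
        for name, value in rdn:
            if name == key:
                return value
    return ""


def classify_termination(cert: dict, resolved_ips: List[str],
                         origin_org: str) -> Dict[str, object]:
    """Decide whether the TLS session ends at the site operator or at an
    intermediary. Rule: if the issuer is an edge network's own CA and the
    subject organisation is not the operator, the intermediary holds the
    private key and sees the plaintext before it reaches the origin."""
    issuer_org = cert_field(cert, "issuer", "organizationName")
    subject_cn = cert_field(cert, "subject", "commonName")
    subject_org = cert_field(cert, "subject", "organizationName")
    intermediary = issuer_org in EDGE_ISSUER_ORGS and subject_org != origin_org
    return {
        "subject_cn": subject_cn,
        "issuer_org": issuer_org,
        "resolved_ips": resolved_ips,
        "terminated_by_intermediary": intermediary,
        "plaintext_visible_to": issuer_org if intermediary else origin_org,
    }


def fetch_live(hostname: str, port: int = 443) -> Tuple[dict, List[str]]:
    """Network variant: resolve the name and fetch the certificate exactly
    as a browser would, for feeding into classify_termination()."""
    ips = sorted({info[4][0] for info in
                  socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)})
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), ips


# Constructed sample in the shape getpeercert() returns, modelled on the
# facts in paragraph 12 of the decision (subject has no organizationName,
# as is usual for a CDN-issued domain-validated certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "censos2021.ine.pt"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Cloudflare, Inc."),),
               (("commonName", "Cloudflare Inc ECC CA-3"),)),
}
SAMPLE_IPS = ["172.67.41.182"]

if __name__ == "__main__":
    import json
    print(json.dumps(classify_termination(SAMPLE_CERT, SAMPLE_IPS,
                                          origin_org="INE"), indent=2))
```

Run as-is, the script prints the classification for the constructed sample; fetch_live() produces the same inputs from a real hostname. The field that matters for a risk assessment is plaintext_visible_to: whichever organisation holds the key for the certificate the browser validates reads the form contents, regardless of where the origin server is hosted.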


15. As of the date of this deliberation, personal data has been collected from more than six million citizens residing in national territory.






ii. Assessment in the light of the GDPR

16. There is no doubt that the information provided by citizens when filling out the 2021 Census forms consists of personal data within the meaning of Article 4(1) of the GDPR. Being information relating to identified natural persons, the census operation is subject to the GDPR, INE being the controller in accordance with paragraphs (2) and (7) of the same article.

17. It is also certain that some of the information falls within the special categories of personal data in Article 9(1) of the GDPR, and the data processing is therefore subject to more stringent protection; hence the obligation to carry out a data protection impact assessment (DPIA), in accordance with Article 35(1) and (3)(b) of the GDPR.

18. It should be noted that the DPIA must cover all operations on personal data, including, therefore, the operation corresponding to the transport of information to and from the Cloudflare servers, within the scope of the subcontracting relationship.

19. As for this point, INE declared to the CNPD that it '(...) opted to carry out a Data Protection Impact Assessment only for the main statistical operation. This was due to the fact that the tests (2016, 2018, 2020) aimed at testing application functionalities, collection processes and solutions only in part, and therefore did not allow testing and assessment of the risk related to all the processes. In this sense, only the final operation allowed a complete and comprehensive assessment to be carried out, in a scenario in which the decisions, given the context, were being changed and optimised. However, the respective contents have not yet been integrated so as to be made available immediately, although systematic and continuous monitoring by the EPD and RS/Censos 2021 is guaranteed.'


20. No impact assessment was carried out on this specific operation on data. INE did not weigh the risks to the rights of the data subjects and, consequently, has not adopted, with respect to this operation, any supplementary measure mitigating those risks, having focused only on the performance and security of the system, including promoting a consultation with the National Security Office.

21. INE did not consult the CNPD about this operation, which would have allowed the CNPD to comment and thus seek to safeguard the data subjects' data.

22. However, even considering the purpose envisaged with this operation, there were other solutions that would have allowed the risks to be mitigated, guaranteeing INE greater control over the data and, from the outset, limiting the transit of personal data to the territory of the Member States of the European Union, without implying its sending to third countries.

23. Now, the INE option implies, as demonstrated, the transit of personal data through third countries that have no relation to the European Union and do not have an adequate level of protection. It also implies, by virtue of the contract concluded, a specific authorisation from INE to transfer personal data to the United States of America (USA) and to other countries where the servers used by Cloudflare are located (namely, South Africa, China, India, Jordan, Mexico, Russia and Singapore).

24. As described above, in points 5 and 11, the personal data of citizens resident in Portugal are sent to Cloudflare servers in different countries, not identified or identifiable by INE or by the data subjects. In addition, the encryption and decryption key is the property of Cloudflare.

25. Or, at the very least, the contract concluded between INE and Cloudflare provides for the transfer of personal data to any of the 200 servers used, as well as the transfer of personal data to the USA.

26. Under the terms of the Data Processing Addendum version 3.0 (hereinafter, DPA), which, it is recalled, forms part of the contract, the customer's (data exporter's) personal data are transferred to Cloudflare (data importer) in the United States of America, using as the international transfer mechanism the standard contractual clauses based on Commission Decision 2010/87/EU of 5 February 2010, applicable to transfers of personal data to processors established in third countries [6], which form part of the addendum and are, to that extent, subscribed to by the customer (heading (m) of clause 1.1 of the DPA) [7].


27. The DPA applies insofar as personal data submitted by the client to Cloudflare or, as in the case of INE, collected and processed by the customer using the service, are subject to the applicable data protection legislation.

28. Thus, by (sub)contracting Cloudflare's services, INE, in its capacity as controller and at the same time as customer, accepted the conditions of use of the service, including the addendum on the processing of personal data, which contains a contract between the controller (INE) and the processor (Cloudflare) for the transfer of personal data to the United States of America.

29. Still according to the terms of the DPA, INE granted Cloudflare a general authorisation to resort to other (sub-)processors, whether companies inside or outside the Group (clause 4.2), recognising and accepting that it might be necessary for the provision of the service to use (sub-)processors established in third countries (clause 6.4).

30. While standard contractual clauses are, in general, a legal instrument for transferring personal data to third countries, under Article 46(2)(c) and (5) of the GDPR, it is nevertheless necessary to verify whether the legislation of the third State, which obviously prevails over an instrument of a contractual nature, does not diminish or undermine the guarantees offered by these clauses, which precisely aim to compensate for the lack of an adequate level of protection in the country of destination of the data (cf. Articles 44 and 46 of the GDPR) [8].

31. According to the Court of Justice of the European Union (CJEU), it is for the data exporter, on a case-by-case basis and with the assistance of the data importer, to verify that the specific country of destination ensures a level of data protection essentially equivalent to that guaranteed in the EU, and it should, where possible, adopt additional safeguards to overcome obstacles and ensure that data protection is maintained [9]. This obligation also stems from the principle of accountability, enshrined in Article 5(2) of the GDPR.




[6] As per Cloudflare, the DPA was updated on 27 October 2020 to reflect a change in the legal instrument governing the transfer of personal data from the European Union (EU) to the United States of America (USA), which ceased to be the adequacy decision for the Privacy Shield, invalidated by the Court of Justice of the European Union (CJEU) in July 2020 in the Schrems II case, to become the standard contractual clauses.
[7] https://www.cloudflare.com/... (customer SCCs PDF; URL illegible in the source)
[8] See paragraphs 92 and 93 of the Schrems II judgment, in which the Court emphasised that the assessment of the existence of a level of protection essentially equivalent to that guaranteed in the EU in the country of destination of the data must be made under the chapter of the GDPR on transfers.
[9] See paragraph 134 of the Schrems II judgment.









32. According to the CJEU analysis in the Schrems II case, US legislation (the USA being the country of destination of Cloudflare's international transfers under the standard contractual clauses) allows interference with people's fundamental rights, based on requirements related to national security and public interest, which may result in access to personal data transferred from the EU to the USA and the use of such data under surveillance programmes based on Section 702 of FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333 [10].

33. The CJEU concluded that such interferences are not proportionate in the light of Union law, insofar as the scope of the limitations on people's rights is not defined, there are no clear and precise rules regarding the application of these measures or minimum requirements for protection against the risk of abuse, there is no assessment of necessity, and data subjects are not granted enforceable rights or judicial remedies, so that the limitations on data protection resulting from US law do not satisfy the requirements of the EU Charter of Fundamental Rights (cf. Articles 7, 8, 47 and 52(1)) [11].

34. Therefore, it would only be possible to carry out a transfer of personal data to the USA if the legislation in question, expressly referred to by the CJEU, were not directly or indirectly applicable to Cloudflare or its (sub-)processors or, even so, only through the adoption of supplementary measures that could demonstrably ensure that this legislation would not be applicable or would have no practical effect on the personal data transfers.

35. However, the services provided by Cloudflare, namely those contracted by INE when subscribing to the Business Plan, place the company directly within the scope of US legislation that imposes the obligation to grant mass access to personal data by the authorities, from the outset as a provider of electronic communications services [12], without prejudice to other types of services also being covered by other provisions of US surveillance legislation.

36. Cloudflare recognises in point 7 of the DPA that, in its role as processor, it may be the object of requests for access to personal data by third parties within the scope of legal procedures, which may be 'inconsistent' with the law applicable to its client, that is, the GDPR. In this case, if there is a conflict, Cloudflare declares that it will promptly inform the customer, 'unless such notification is strictly prohibited' (cf. paragraph (a) of clause 7.1).







[10] See paragraph 165 of the cited judgment, in which the surveillance programmes, such as UPSTREAM, are cited.
[11] See paragraphs 175-176, 180 [illegible] and 194 of the judgment.
[12] Cf. Section 702 of FISA, as amended, 50 U.S.C. § 1881a.


37. It is precisely the case with this US legislation, which prevents US companies from informing their clients of the access made by the North American authorities for the purposes of collecting information about foreigners, in the context of national security activity.

38. It appears, therefore, that there is no guarantee that the personal data of citizens residing in Portugal, collected by INE through its website within the scope of Censos 2021, are not accessed by the US authorities, through the intermediation of Cloudflare, due to the services it provides to INE and which imply, under the contract signed, the transfer of such personal data to the USA.

39. In this sense, since the standard contractual clauses under which personal data are transferred by INE to Cloudflare in the USA cannot be respected in the third country of destination, insofar as they do not bind the authorities of that country, and thus do not offer the adequate guarantees required by the GDPR, the CNPD is obliged to prohibit these data transfers, as prescribed by the CJEU [13].

40. In addition, according to the same judgment, even if INE could demonstrate that the personal data were not transferred to the USA, the transit of the data would always depend on the adoption of adequate and sufficient measures, which are not verified here [14].

41. Under Article 5(2) and Article 24 of the GDPR, it is the responsibility of INE to comply with the principles of personal data protection, as well as to demonstrate that compliance in the processing of personal data under its responsibility.






III. Conclusion

42. In view of the foregoing and because there is no other corrective measure capable of safeguarding the rights of data subjects, the CNPD decides, under Article 58(2)(j) of the GDPR, to order the Instituto Nacional de Estatística, I.P. to suspend the sending of personal data from the 2021 Census to the USA and to other countries without an adequate level of protection, whether through Cloudflare, Inc. or another company, within a maximum period of 12 hours.

43. The same entity must also ensure, in the context of any subcontracting, that the processors are not obliged to comply with legislation that removes the protection conferred by the GDPR.





[13] See nos. 107 and 121 of the cited judgment.
[14] Cf. nos. 63 and 183 of the same judgment.









44. The hearing is waived, under paragraph (a) of Article 124(1) of the Code of Administrative Procedure, considering the urgency of the corrective measure, taking into account the period during which the Census form is online and the risk that would otherwise remain to the rights, freedoms and guarantees of potentially more than four million citizens who have not yet fulfilled their legal obligation to respond to the census operation.





Approved at the meeting of April 27, 2021




Filipa Calvão (President)