The Portuguese Data Protection Authority (CNPD) published today its decision regarding the Court of Justice of the European Union’s (CJEU) decision to invalidate Safe Harbor.
Summing up, the CNPD:
- prohibits data transfers to the US under Safe Harbor, executing CJEU’s decision;
- will only issue provisional authorizations for data transfers to the US using mecanisms other than Safe Harbor, subject to future review;
- reminded that, in Portugal, Safe Harbor was the most widely used mechanism to transfer personal data to the US;
- stated that, together with Article 29 WP, it is analysing the impact of the CJEU’s decision on the other mechanisms, since there is a risk of concluding that, due to the current US national laws, the other mechanisms may not be sufficient to ensure an adequate level of protection of personal data;
- declared that all authorizations issued under the Safe Harbor mechanism will be formally reviewed, and that data controllers have to immediately suspend data transfers using Safe Harbor.
In light of this, data controllers have to make it a priority to review their personal data flows to the US, in particular if previously legitimised by Safe Harbor, and outline a strategy to address the risks and necessary changes in transfer mechanisms to the US. And also even consider the possibility of avoiding transfers to the US altogether in regards to the abovementioned risk, highlighted by the CNPD, of these other instruments being deemed as not sufficient to ensure adequate protection of personal data, as a consequence of the CJEU’s decision.
To that add the fact that Portugal remains the only EU Member State in which BCRs are still not an admissible data transfer mechanism. So there aren’t many options at all for Portuguese data controllers for a course of action.
Source (in Portuguese):https://www.cnpd.pt…
Article originally published at https://www.linkedin.com…