Portugal’s National Institute of Statistics Fined €4.3 Million for 2021 Census GDPR Violations
The Instituto Nacional de Estatística (INE), Portugal’s National Institute of Statistics, has been determined to have violated multiple provisions of the EU’s General Data Protection Regulation (GDPR) when conducting its 2021 census.
The National Data Protection Commission (CNPD), Portugal’s Data Protection Authority, determined that the GDPR violations had a significant degree of gravity due to the number of data subjects concerned and were sufficiently severe to warrant a financial penalty. A single financial penalty of €4.3 million ($4.56 million) was imposed to resolve the alleged violations. This is the highest penalty ever imposed by the CNPD to resolve GDPR violations, exceeding the previous maximum fine of €1.25 million ($1.4 million) that was imposed on the Municipality of Lisbon in December 2021.
According to the CNPD, the INE committed five violations of the GDPR while conducting its 2021 census. The INE is alleged to have unlawfully processed special category data, specifically data related to health and religion, and to have failed in its duty to inform respondents about the 2021 census questionnaire. In the census, the INE did not make it clear that providing information about health and religion was optional; instead, providing that data appeared to be mandatory. This violated the legal obligation in paragraph 4 of Article 4 of the Law of National Statistical Secrecy, and because data subjects were not allowed to exercise their own choice, the INE did not meet its obligations under the GDPR for processing special category data.
The INE is also alleged to have failed to conduct appropriate due diligence on the subcontractor it used to conduct the 2021 census, with respect to the collection of personal data and the transmission of that data to third countries – in violation of paragraph 3 of Article 28 of the GDPR. The subcontractor had an office in Lisbon, but the contract was made with the company’s office in the United States, and the INE contractually agreed that any disputes with the company must be settled through the California Court.
The terms of the contract also permitted the subcontractor – Cloudflare – to transmit the personal data of EU citizens through any of its 200 servers, many of which were located outside the European Union. Both parties anticipated that EU citizens’ data would be transmitted to other countries. The contract relied on a standard clause approved by the European Commission for the transfer of data to the United States, without providing for any additional measures to prevent access to the data by government entities of the third country, as required by the Court of Justice of the European Union’s decision in Schrems II. The INE was therefore determined to have violated Articles 44 and 46 of the GDPR with respect to international data transfers. The CNPD notes that after receiving several complaints while it was conducting the census, the INE issued an order suspending the sending of personal data collected through its 2021 census to the United States and other third countries that lack an adequate level of protection for that data.
The CNPD determined that two of the five violations were unintentional and the result of negligence, while the other three were committed intentionally; the CNPD said the INE displayed a disregard for the principles and obligations of the GDPR. The CNPD determined that the financial penalty for all five violations should be €6.5 million, but the penalty was later reduced to €4.3 million.
The INE did not agree with the determinations made by the CNPD and intends to appeal the decision.