In brief: data protection, privacy and cybersecurity in Portugal



Portugal, as a Member State of the European Union, is subject to EU data protection rules, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

The GDPR is supplemented by Law No. 58/2019 of August 8, 2019, which implements the Regulation in the national legal order (the implementing law) and repeals the former Portuguese Data Protection Law, Law No. 67/98 of October 26, 1998. The implementing law also amended and republished the law on the organization and functioning of the Portuguese data protection supervisory authority, the National Data Protection Commission (CNPD).

Cybersecurity, on the other hand, is governed by Law No. 46/2018 of August 13, which approved the legal regime for cyberspace security (the Cybersecurity Law) and transposed into national law Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive).

The Cybersecurity Law was recently implemented by Decree-Law No. 65/2021 of July 30, which, among other things, sets out the obligations for cybersecurity certification in line with Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019 (the Cybersecurity Act).

Although the Portuguese reality, particularly as regards implementation of the GDPR, is still characterized by significant data exposures by companies, a lack of adequate security measures to mitigate known risks and a disregard for the principle of privacy by design, the attention paid to privacy and cybersecurity issues continued to grow in 2021 and 2022. Those two years were prolific and intense in political debate and judicial decisions, revealing a much greater sensitivity to these subjects at all levels of society.

Last year was also marked by a remarkable increase in cyberattacks in Portugal, causing some public alarm and forcing companies to implement new technical and organizational measures to prevent them, as well as by record numbers of investigations opened, data breaches notified and fines imposed by the CNPD.

The largest increase was in fines, which reached 60 last year for a total of €1.49 million, including fines imposed under the GDPR and under the privacy rules for electronic communications (which cover spam and call recording). Of particular note is the fine of €1.25 million imposed on the municipality of Lisbon for sharing demonstrators' data with the Russian embassy.

The year in review

One of the main legislative developments worth mentioning is the approval of Law No. 93/2021 of December 20, 2021, which transposes into Portuguese law Directive (EU) 2019/1937 of October 23, 2019 on the protection of persons who report breaches of Union law, enters into force on June 18, 2022, and approves the new general regime for the protection of whistleblowers. That regime imposes on entities employing 50 or more people, or falling within the scope of the EU rules on the prevention of money laundering and terrorist financing, new obligations including the setting up of internal and external reporting channels and the provision of public information, among others.

Last year was also characterized by intense activity and intervention by the CNPD. In 2021 the CNPD recorded record numbers of investigations, fines imposed and data breach notifications, while the number of decisions it issued in the same period exceeded the number of files it opened.

Between May 2019 and January 2022, the CNPD received approximately 4,000 complaints concerning unsolicited electronic communications, with a clear upward trend.

Unsurprisingly, on January 25, 2022, the CNPD published new guidelines for controllers and processors on electronic direct marketing communications. These guidelines set out what counts as an electronic communication for marketing purposes, the legal bases under which data may be processed for direct marketing (including the requirements that must be met where processing relies on legitimate interests or on consent), the conditions for data collection, and the procedures controllers must follow when engaging processors (in particular where data is collected by third parties such as data brokers).

Although these guidelines are not innovative, being above all an updated compilation of earlier CNPD opinions and guidance, they now spell out the controller's accountability principle and make it possible to anticipate how the CNPD will treat infringements.

During this period, the CNPD also imposed on a Portuguese public entity the third-largest GDPR fine ever applied to a public body in Europe: a fine of €1.25 million on the municipality of Lisbon concerning the processing of personal data of event organizers, following a complaint filed with the CNPD on March 19, 2021, on the grounds of an alleged unlawful transfer to the Russian Embassy in Portugal and the Russian Ministry of Foreign Affairs of personal data of the promoters of events held near embassies.

At stake was the violation of the principles of fairness, transparency, lawfulness, purpose limitation, storage limitation and data minimisation, as well as breaches of the duty to inform data subjects and of the obligation to carry out a Data Protection Impact Assessment (DPIA). The CNPD also found that the Municipality of Lisbon had processed personal data without an adequate legal basis and in breach of the GDPR rules on transfers of data to third countries.

Also worth noting is the recent decision of the Portuguese Constitutional Court (decision No. 268/2022 of April 19, 2022), which declared unconstitutional Articles 4 and 6, read together, and Article 9 of Law No. 32/2008 of July 17, 2008 (the Metadata Law).

The Court found that the Metadata Law was an unbalanced legislative solution, since it was liable to affect citizens against whom there was no suspicion of criminal activity. By allowing telecommunications providers to retain all location and traffic data of all subscribers for two years, the electronic communications records of a significant part of the population end up being retained for a long period, regardless of the limited purposes for which they may be stored and used. For this reason, the Constitutional Court concluded that the provisions in question, read together, violate the constitutional principle of proportionality in the restriction of the rights to privacy and informational self-determination, as well as the right to effective judicial protection.

The issue gave rise to intense political debate, which is still ongoing, and led the CNPD to order telecommunications providers to delete the data retained under the Metadata Law.

About Sandra A. Powell
