The Privacy, Data Protection and Cybersecurity Law Review: Portugal
The right to privacy is enshrined in the list of rights, freedoms and guarantees provided for in Article 26(1) of the Constitution of the Portuguese Republic, as well as in numerous European and international treaties. This personal right is directly linked to the guiding principle of the Portuguese legal system: the dignity of the person based on the assumption that citizens benefit from privacy under two different rights:
- the right to prevent third parties from having access to information on private and family life; and
- the right for no one to disclose the information they have on the private life of others.
This translates into a real prohibition of interference in private lives by third parties, either by access or by disclosure of information, as enshrined in Article 80(1) of the Portuguese Civil Code:
Everyone should keep a reserve as to the intimacy of the private life of others.
The Portuguese Republic's Constitution was drafted during political turmoil that highlighted the need to readdress and reinforce fundamental rights, as Portugal had just exited a four-decade-long dictatorship.
For 40 years, Portugal had a political police force that prosecuted intellectual dissidents, maintaining databases with all types of personal and private information about anyone suspected of conducting activities deemed harmful to national unity.
When the revolution happened and a new constitutional order was imposed, there was a need to implement several fundamental rights that had been stripped from the citizens for a long time. Article 35 ('Use of computerised data') established a fundamental right regarding usage of information technology, which was considered innovative for its time compared with other jurisdictions.
The Portuguese Constitution was subsequently amended to meet new conceptions of personal data protection, and also revised to address the provisions of Directive 95/46/EC.
The Portuguese jurisdiction also encompasses a very broad spectrum of legislation concerning privacy, data protection and cybersecurity, as there is no omnibus law that covers all of these subjects simultaneously.
However, Portugal has always been on par with other Member States in terms of legislative coverage of subjects such as personal data protection and cybercrime.
More recently, there has been greater motivation by civil society, and by the government, to promote awareness on the issues of protection of citizens' privacy, as well as the protection of networks and technological infrastructures.
The current covid-19 pandemic crisis offers a vivid illustration of this globalisation of the privacy debate both during the crisis and as the world seeks to emerge from it. Like every other Member State, Portugal took emergency measures in an effort to protect public health.
GDPR is clear in that any restriction must respect the essence of fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society to safeguard public interests such as public health.
As these measures are being deployed, Portuguese incumbents must address the expectation of citizens to be presented with legal obligations that are trustworthy and respectful of their rights to privacy and personal data protection.
Also, the entry into force of GDPR and of Law No. 58/2019 of 8 August, ensuring the execution of the General Data Protection Regulation in Portugal, has had a huge impact on the perception and awareness of digital privacy issues that were somewhat dormant in past decades.
There is still a lot of work to be done, but Portugal is presenting itself as a country that intends to be on the technological front line.
The year in review
On 9 August 2019, the New Data Protection Law (Law No. 58/2019 of 8 August) came into force, ensuring the execution of the General Data Protection Regulation in Portugal. The major points of this Law were:
- confirmation and designation of the National Data Protection Commission (CNPD) as the Portuguese Supervisory Authority;
- definition of the scope of right to data portability – to only cover data that was provided by the data subject;
- establishment of the minimum age of consent to 13 years, within the direct provision of information society services;
- establishment that consent is not required if the processing results in a legal or economic advantage for the employee, as previously stated in the Article 29 Working Party opinions; and
- reinforcement of a data protection officer's (DPO's) functions and the establishment that the DPO does not require any professional certification to perform his or her duties.
However, the local supervisory authority (CNPD) issued Decision No. 494/2019 deciding not to apply certain provisions of such law as they were considered in contradiction with GDPR, the Portuguese Constitution and with the jurisprudence of the EU Court of Justice.
The new EU e-Privacy Regulation is also set to be enforced in Portugal. This transposition is still undergoing the legislative process, with no definite time frame for implementation.
The Portuguese Supervisory Authority imposed three fines, the biggest one being €107,000, for violations concerning direct marketing without appropriate consent and lack of information regarding CCTV processing. These sanctions are addressed in more detail below.
There was also considerable media coverage of data breaches, with particular focus on one that occurred at the leading company in the energy sector, bringing more awareness of cybersecurity. It is also worth mentioning the effect of covid-19 on the way that companies are interacting with their employees.
i Privacy and data protection legislation and standards
Currently, the processing of personal data in Portugal is governed by GDPR and Law No. 58/2019 of 8 August, ensuring the execution of GDPR in Portugal.
Several derogations, as permitted by the GDPR, were included in this Law regarding different subjects such as protection of personal information of deceased persons, video surveillance, labour relations, processing of health and genetic data, and data portability and interoperability.
Relevant data protection provisions in the context of electronic communications may also be found in Law No. 41/2004, which regulates the processing of personal data and the protection of privacy in electronic communications, and other specific regulations such as CCTV, the national identification card, healthcare, labour relations and cybercrime.
As a Member State of the European Union, Portugal is committed to the same European legislation as every other Member State. This means a very similar approach, with little-to-no differences regarding the rules provided by directives transposition and direct applicability of regulations such as GDPR.
For legal concepts concerning 'data subjects', 'controller' and 'personal information', Portugal adopts GDPR definitions. The Portuguese Supervisory Authority has been more reactive than proactive in terms of sanctioning, owing to some operational constraints that will be addressed below.
Nevertheless, CNPD has published models of 'Records of Processing Activities' for data controllers and data processors, as well as a regulation on mandatory data protection impact assessment processing activities.
The Portuguese Supervisory Authority has also published four guidelines addressing subjects such as availability of personal data of students, teachers and other workers on the websites of higher education institutions; processing of personal data in the context of election campaigns and political marketing; and processing of personal data in the context of intelligent electricity distribution networks.
Specific laws such as the one regulating the telecoms sector foresee duties for the controller to notify CNPD when a personal data breach occurs. In this particular case, when a provider of publicly available electronic communication services becomes aware of a data breach, it has to report it to the CNPD, and, if the personal data breach is likely to have a negative impact on one of its clients, the provider must notify them.
Requirements contained in GDPR must always be met in the event of a personal data breach, in any of the aforementioned cases.
ii General obligations for data handlers
Every organisation, whether they are a public or a private entity, must comply with the data protection principles established in GDPR Article 5(1), as well as every other rule in that regulation. This includes the obligation to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. Implementing adequate data protection policies and adhering to approved data protection codes of conduct or approved certification mechanisms are ways to demonstrate compliance with this obligation.
In accordance with the Portuguese Data Protection Law, the appointment of a DPO must follow GDPR requirements. No professional certification is required and the DPO is bound by professional secrecy. In addition to the functions described in GDPR, DPOs should ensure audits are conducted properly, inform users of the importance of data breach detection and ensure data subjects are aware of matters covered by GDPR and national data protection laws.
For the purpose of mandatory notification of the DPO to the supervisory authority, in the context of Article 37(7) of the GDPR, the supervisory authority has established the applicable procedure for notification. A specific form made available by the supervisory authority on its website should be completed and submitted online.
Cookies require prior informed consent for storage and access; however, consent is not required if the cookie is used to carry out a transmission of communication and is strictly necessary to provide a service to the user.
iii Data subject rights
Portuguese law adopts the same data subject rights as GDPR, adding no significant changes to the general regime provided in the Regulation; however, Law No. 58/2019 establishes that the right of information cannot be exercised when law imposes on the controller or processor a duty of secrecy that is enforceable against the data subject. It also establishes that, where a retention period is imposed by law, the right to erasure can only be exercised when that retention period expires.
The Portuguese Data Protection Law further details that 'data portability' only refers to personal data provided by the data subject and the portability of the personal data should be, where possible, carried out in an open format.
The Portuguese Data Protection Law does not establish additional requirements regarding the right to restriction of processing nor specific rules on automated individual decision-making, including profiling.
iv Specific regulatory areas
There is a very broad and disparate set of rules regarding data protection. For example, Portugal has Law No. 12/2005 of 26 January, regulating the use of personal genetic and health information. This law defines the concept of health information and genetic information, the circulation of information and intervention on the human genome in the health system, as well as rules for the collection and conservation of biological products for the purposes of genetic testing or research.
Law No. 41/2004 of 18 August is about data protection and privacy in telecommunications. This Law transposes into national law Directive 2002/58/EC, and applies to the processing of personal data in the context of the provision of publicly available electronic communications services in public communications networks, in particular in public communications networks supporting data collection and identification arrangements.
Law No. 34/2013 of 27 August regulates private security activities and the security measures to be adopted by public or private entities in the scope of crime prevention. The Portuguese Data Protection Law also has a provision in its Article 19 regarding the use of CCTV: data collected from CCTV surveillance, such as images and videos, can only be used for the security of people and goods and not for other purposes.
Law No. 83/2017 of 18 August establishes measures to combat money laundering and terrorism financing, and has specific provisions regarding data protection that are already in accordance with GDPR provisions.
v Technological innovation
Location tracking in a working environment
On 28 October 2014, the Portuguese Data Protection Authority approved Guideline No. 7680/2014, establishing the general principles in respect of the processing of personal data as a result of the use of geolocation devices in a working environment.
This Guideline imposes several obligations on companies and public entities, in order to guarantee a balance between business management and organisation and the employee's constitutional right to privacy. CNPD considers that the use of such geolocation devices represents processing of sensitive data as stipulated in Paragraph 2 of Article 20 of the Portuguese Labour Code. According to GDPR and the Portuguese Data Protection Law, consent is not a valid legal basis owing to the imbalance between employer and employee.
According to Law No. 41/2004 of 18 August, storage of and access to cookies requires consent, depending on the type of cookie. However, some cookies are allowed for the legitimate purposes of the data controller. Clear and precise information should be provided about the purposes of cookies, to ensure that users are aware of the information placed on their devices. Data controllers must give users the opportunity to refuse the storage of cookies. The cookies regime must be interpreted in line with Recitals 30 and 32, as well as Article 7 of GDPR.
Storage and access to information relating to cookies constitutes processing of personal data. Therefore, a data subject's consent should be as easy to withdraw as to give and the right to information must be ensured. Where the processing serves multiple purposes, consent should be given to each individual purpose.
GDPR prohibits the processing of biometric data as a rule, since biometric data is considered a special category of data. Nevertheless, the Regulation opens the possibility to do so on the basis of, for example, the consent of the data subject or a law approved by the Member States. Consent in a work context is, as a rule, not valid. Thus, the Portuguese Data Protection Law contains a specific provision that allows the collection of biometric data, following the practices already in force in Portugal prior to the GDPR. This law establishes the legitimacy of the processing of biometric data of employees if it is limited to attendance control and access control to the employer's premises. It must be ensured that only representations of biometric data are used, and that the collection process does not allow such data to be reversed into the original biometric sample.
Recently, CNPD referred to the EDPB Guidelines 04/2020 on the use of location data and contact-tracing tools in the context of the covid-19 outbreak.
Portuguese law does not address this particular subject, but it is understandable that, depending on the application's technical specifications, the information provided to data subjects and the data retention policy, use of tracing apps is possible as long as it is voluntary and not a requirement set by employers.
Several tools have been developed in Portugal to manage contact tracing, and CNPD has published its findings regarding privacy and data protection concerns.
As we are facing a new paradigm, several actions must be taken by data controllers in order to address their accountability regarding data protection. This includes updating the record of processing activities with the new health-related processing activities, indicating the specific data retention periods associated with each processing.
There is also an increasing need for detailed information on employees regarding temperature readings and any other covid-19 containment measures that may have impact on a data subject's rights.
International data transfer and data localisation
Portuguese rules about international data transfers to third countries or international organisations follow the GDPR approach and provisions.
Article 37 of Law No. 59/2019 of 8 August, which approves the rules regarding the processing of personal data for the purposes of prevention, detection, investigation or prosecution of criminal offences or enforcement of criminal sanctions, provides that the data transfer may only take place in specific circumstances such as the ones that are already provided for in GDPR.
Within the aforementioned scope, Portuguese law allows for data transfer without prior consent if consent cannot be obtained in good time and the transfer is necessary to prevent an immediate and serious public security threat to a Member State or a third country, or to the essential interests of a Member State.
In addition, Article 22 of Law No. 58/2019 of 8 August provides that data transfers to third countries, carried out by public entities in compliance with legal obligations and in the exercise of public authority, are considered to be in the public interest for the purposes of Article 49(4) of the GDPR. In other words, a transfer of personal data to a third country or an international organisation may take place in the absence of an adequacy decision, or of appropriate safeguards (including binding corporate rules), if it is considered necessary for important reasons of public interest.
It is worth mentioning Case C-311/18 (Schrems II), where the court decided that protections afforded by the Privacy Shield were not adequate, especially in the face of US-led surveillance programmes, which are not limited to what is strictly necessary. The decision further states that data subjects have no effective remedy before the courts against US authorities in relation to such surveillance programmes.
With respect to standard contractual clauses, the court decided that they remain valid as a method for international data transfers. However, competent supervisory authorities must order the suspension or prohibition of international data transfer based on standard contractual clauses (SCCs) in cases where they believe that the respective clauses are not, or cannot be, complied with by the country of destination of the transfer, when data protection cannot be guaranteed by other means.
Service providers based in the United States that are currently reliant on the Privacy Shield to make international transfers will have to switch to SCCs. This will increase the negotiation attrition between US and EU companies, as the former will have to prove that they comply with all the requirements stated in the SCCs.
Schrems II will also create more appetite for EU-based data centres, as they will be a practical way to mitigate legal and operational constraints. The European Commission will also have to update the SCCs, as they are still drafted under the rules of Directive 95/46/EC and need adaptations such as those concerning the controller–processor relationship under Article 28 GDPR (in particular the processor obligations), the transparency obligations of the data importer (in terms of the necessary information to be provided to the data subject), etc. SCCs still represent the most widely used data transfer mechanism.
Company policies and practices
GDPR brought requirements on organisations that process and collect personal data with an emphasis on accountability and proving compliance, while strengthening the individual's rights. GDPR puts special focus on personal data security and prevention of data breaches through the provision of security measures and required communications in the case of a data breach.
Portuguese companies have been focused on rearranging their internal procedures with recourse to digitalisation and digital transformation. This involves embedding the necessary technical and organisational measures that GDPR suggests, such as pseudonymisation and anonymisation, as well as establishing procedures that allow data subjects to exercise their rights in a more automated way.
Companies usually take similar approaches to GDPR implementation, regardless of size or profits. As a rule of thumb, GDPR projects have encompassed the collection of the information necessary to build a record of processing activities, data flow mapping, inclusion of 'privacy by design' in already established internal workflows, reorganisation of marketing activities and the establishment of internal privacy committees to involve C-suites in high-impact GDPR decisions.
Discovery and disclosure
Law No. 59/2019 contains provisions related to personal data processing for the purpose of prevention, detection, investigation and repression of criminal offences and for execution of criminal sanctions, transposing EU Directive 2016/680. The main consideration regarding this Law is that decisions taken solely on the basis of automated processing, including profiling, which produce adverse effects on the data subject's legal sphere or significantly affect him or her shall be prohibited, except where authorised by law, provided that provision is made for the data subject's right to obtain human intervention from the controller.
More recently, the Portuguese Supervisory Authority issued two negative opinions on the use of video surveillance with artificial intelligence in two Portuguese cities in the scope of crime prevention. There were special considerations regarding the potential misuse of artificial intelligence techniques that could ultimately be used to distinguish some physical traits of bystanders.
Public and private enforcement
i Enforcement agencies
CNPD is an independent body, with powers of authority throughout the national territory. It is endowed with the power to supervise and monitor compliance with laws and regulations in the area of personal data protection, with strict respect for human rights and the fundamental freedoms and guarantees enshrined in the Constitution and the law.
CNPD is the public entity responsible for the enforcement of personal data protection laws and regulations in Portugal. Law No. 58/2019 includes the following provisions related to civil, administrative and criminal liability:
Use of personal data in a manner that is incompatible with the purposes of collection, unauthorised access or deviation of personal data; vitiation or erasure of personal data; insertion of false data; and violation of the duty of secrecy and disobedience constitute crimes punishable by a prison sentence of up to four years or a daily fine for up to 480 days. Each day of fine is between €5 and €500 for natural persons and between €100 and €10,000 for legal persons, which the court shall determine on the basis of the economic and financial situation of the offender and its expenses. Generally, legal persons and similar entities have criminal liability.
Any person who has suffered damages owing to the unlawful processing of personal data or any other act that violates the provisions of the GDPR or of the national law on personal data protection has the right to compensation from the data controller or the processor for the damage suffered.
Serious administrative offences shall be punishable with a fine:
- from €2,500 to €10 million or 2 per cent of the total worldwide annual turnover, whichever is higher, for a large company;
- from €1,000 to €1 million or 2 per cent of the total worldwide annual turnover, whichever is higher, for an SME; and
- from €500 to €250,000, for natural persons.
Very serious administrative offences shall be punishable with a fine:
- from €5,000 to €20 million or 4 per cent of the total worldwide annual turnover, whichever is higher, for a large company;
- from €2,000 to €2 million or 4 per cent of the total worldwide annual turnover, whichever is higher, for SMEs; and
- from €1,000 to €500,000, for natural persons.
However, CNPD issued Decision No. 494/2019 deciding not to apply certain provisions of Law No. 58/2019, notably the ones related to sanctions applicable to administrative offences as they were considered to be in contradiction with GDPR.
ii Recent enforcement cases
According to a reply to questions posed by the European Commission within the Evaluation of the GDPR under Article 97, the Portuguese Data Protection Supervisory Authority, until 19 January 2019, had applied:
seven fines (in a total of €430,000) under the GDPR. During this period, the DPA has also applied other fines under the previous Data Protection Law and under the e-Privacy Law (Law 41/2004, as amended by Law 46/2012). Most of the fines were related to the rights of the data subjects: lack of the right to information and failure to ensure the right of access.
In 2018, in Resolution No. 984/2018, CNPD imposed a fine of €400,000 on a public hospital for having insufficient technical and organisational measures to ensure information security.
According to the Resolution, the public hospital violated the principle of data minimisation by granting access to an excessive amount of data, also violating the obligation to take appropriate information security measures to prevent unauthorised and unsegregated access to health data.
So far, this has been the biggest fine imposed in Portugal. It had plenty of coverage in national media, serving as an example of how organisations, public and private, should tackle GDPR adaptation and implementation.
In 2019, CNPD imposed four fines: one of €107,000, one of €20,000 and two of €2,000, all under different grounds.
Resolution No. 21/2019 of 5 February 2019 imposed a fine of €20,000 on the defendant based on a failure to comply with the data subject's right of access. As a brief factual framework of this process, the data subject requested that the defendant grant him access to a copy of the records of his phone calls with the defendant's call centre, an entity subcontracted by the defendant to manage its call centre. CNPD stated that the defendant did not convey to the data subject the justification provided by its DPO; instead, it was mentioned that 'a court order or request of some entity or official body, as CNPD, police, etc.' was needed. CNPD also noted that the consultation implies a company's paradigm transition from the 'regulation by other bodies regime (…) to self-regulation', which should 'ensure the legality of the processing of personal data carried out, without any intermediation of the control authorities', so that misinterpretation or ignorance of the law cannot benefit the defendant. As a result of the evidence, the Portuguese Supervisory Authority considered that the defendant had failed to comply with the data subject's right of access.
In another case, a defendant was fined €2,000 based on failure to comply with the data subject's right of access to information (Resolution No. 207/2019 of 19 March 2019). In summary, CNPD considered that there was a violation of the duty of information in the course of an inspection of a store by the public security police, because they found non-conformity with regard to the store's signage (i.e., there was no informative warning about video surveillance cameras). The defendant argued in its defence that, at the time of the infraction, the commercial establishment had the necessary signs but that a cabinet obstructed the view of them, and that it had bought new signs to comply with the law. CNPD considered that the defendant, having processed personal data through video surveillance, should have complied with the information duty according to Article 13(1) and (2) of the GDPR. As a result of the evidence, the Portuguese Supervisory Authority considered that the defendant had failed to comply with the data subject's right of information.
Resolution 222/2019 of 25 March 2019 imposed a fine of €2,000 based on failure to comply with the data subject right of information, under similar circumstances as Resolution 207/2019.
Resolution 297/2019 of 6 May 2019 imposed a fine of €107,000 based on the sending of unsolicited emails for direct marketing and advertising purposes without prior consent. In summary, a company sent dozens of communications with unsolicited advertising content to a person's email address. The person was never a client of that company and had not given consent to receive those communications. The figure of €107,000 was the result of a single fine of €7,000 for the practice of 46 misdemeanours under the law that imposes prior consent of the employee as a 'ground of legitimacy for the processing of personal data consisting of the sending of unsolicited communications for direct marketing purposes', plus 40 fines of €2,500 each for the practice of an equal number of administrative offences that failed to comply with the provisions of the law, which states that consent is the only legitimate basis for this type of data processing. The defendant also claimed that the email addresses from which the electronic communications contained in the complaint were sent belonged to another entity. In its assessment, the CNPD rejected that argument, stating that it is 'quite common nowadays for companies to use external entities for the development of marketing campaigns. However, this does not detract from their qualification as a controller'.
iii Private litigation
It is considered that the use of the mechanism laid down in Article 82(1) GDPR can be made not only by the data subject, but also by other persons who have suffered damages.
Illegality is a requirement of civil liability and is associated with conduct contrary to the law, either because of violation of the rights of others or violation of a rule aimed at protecting the interests of others. Illegality, in this case, arises from the 'violation of this Regulation' in accordance with Article 82(1) GDPR.
Claimants must prove the defendant's fault or negligence in performing the unlawful conduct, the extent of the injury and the link between the two.
Any person who has suffered damage as a result of an unlawful processing operation or any other act in breach of the provisions of the GDPR or the applicable law has the right to obtain compensation for the damage suffered.
It is also possible for any person to bring actions against decisions, including misdemeanours and omissions, of the CNPD, as well as civil liability actions for damages that such acts or omissions may have caused.
The data subject may bring actions against the controller or the processor, including civil liability actions. These legal actions shall be brought in the national courts if the controller or processor has an establishment on national territory or if the data subject resides in Portugal.
Article 80(1) GDPR reinforces the right to class actions by giving the data subject the right to instruct a 'body, organisation or association' to lodge a complaint on his or her behalf, to exercise the rights provided for in Articles 77, 78 and 79 and to exercise the right to compensation provided for in Article 82, if provided for by the law of the Member State. In accordance with Article 80(2), Member States may additionally recognise the procedural initiative of those entities irrespective of the mandate of the data subjects.
In Portugal, the right to collective actions has constitutional recognition. Article 52, Paragraph 3 of the Portuguese Constitution provides for the right of popular action aimed at, among others, 'promoting the prevention, cessation or judicial pursuit of offences against public health, consumer rights, quality of life and the preservation of the environment and cultural heritage'.
Considerations for foreign organisations
Adding to the provisions of Article 3 GDPR, the Portuguese data protection law establishes its applicability to the processing of personal data carried out on national territory, regardless of the public or private nature of the controller or processor.
It also applies to the processing of personal data carried out outside Portugal when it:
- is carried out within the scope of the activity of an establishment located in Portugal;
- affects data subjects on national territory where the processing activities are subject to Article 3(2) of the GDPR; or
- affects the data of Portuguese holders living abroad and registered at consular offices.
Portugal also has legislation with specific territorial requirements regarding the localisation process, such as data related to national security, anti-money laundering and financial records.
On 16 July 2020, the CJEU invalidated Decision No. 2016/1250 on the adequacy of the protection provided by the EU–US Data Protection Shield.7
For that reason, any company in the United States will have to make use of standard contractual clauses, or other approved mechanisms, to make any international data transfers with a Portuguese company.
Cybersecurity and data breaches
The National Cybersecurity Centre (CNCS) operates within the scope of the National Security Office, with attributions granted to it by the Organic Law of the National Security Office and Law No. 46/2018 of 13 August, which defines the legal regime of cyberspace security. Its mission is to help Portugal use cyberspace in compliance with the principles and objectives of the National Strategy for Cyber Security 2019–2023, exercising powers of national authority in cybersecurity matters.
The past year was marked by the continuation of the publication of standards and benchmarks for cyberspace security, with special emphasis on the National Framework of Reference for Cybersecurity and the Roadmap for Minimum Capacities in Cybersecurity. The National Framework of Reference for Cybersecurity allows organisations to reduce the risk associated with cyberthreats, providing the basis for any entity to meet the minimum security requirements of networks and information systems.
These publications contribute to the goal of qualifying and improving the resilience of people and entities in national cyberspace, allowing for reduction of risk associated with cyberthreats and providing the basis for any entity to meet the minimum security requirements of networks and information systems.
CNCS also promotes the development and application of measures towards human and technological building of public and critical infrastructures, with the objective of preventing and reacting to cybersecurity incidents, ensuring the assistance of entities in the following ways:
- review of cybersecurity policies;
- recommendations for the building of computer security incident response teams;
- recommendations for carrying out internal cybersecurity audits; and
- promotion of training and awareness.
Nowadays, it is undeniable that both individuals and companies are completely reliant on the internet. This reality has numerous advantages, but also carries certain risks.
Companies have become a target for black-hat hackers, exploiters and cybercriminals, who aim to obtain information from their servers with the intention of using it, hijacking it, selling it or publishing it on the internet. With this in mind, there is a growing need for specialised and multidisciplinary teams that seek to defend companies against these types of incidents.
Cybercrimes committed on Portuguese territory have increased in recent years. Numbers from the Attorney General's Office indicate that this type of crime has increased exponentially since the beginning of the covid-19 pandemic, having grown 230 per cent in March and 165 per cent by 16 April 2020.
Crime complaints received by the Cyber Crime Bureau have consistently increased between 2016 and 2019, and those received up to 16 April 2020 'have already surpassed those of the entire year of 2018 and are close to the total number of 2019'.8
The transposition of the NIS Directive by Law No. 46/2018 of 13 August has shed new light on the obligations that companies have within the legal framework of cyberspace security. This Law applies to the public administration; to critical infrastructure operators; to essential services operators; to digital service providers (online marketplace, online search engine or cloud computing service providers) with an establishment in Portugal or, not having one, that have appointed a representative established in Portuguese territory, as long as they are providing digital services; as well as any other entity that uses networks and information systems.
This Law also establishes that the National Cyberspace Security Strategy shall define a state framework, as well as objectives and lines of action according to the national interests.
Law No. 46/2018 also defines security and standardisation requirements, incident notification requirements, security requirements and incident reporting for the public administration and infrastructure operators, for essential service operators and for digital service providers.
It also establishes sanctions for those who violate the provisions of this Law, defined as serious or very serious administrative offences, in accordance with Article 21 et seq., the National Cybersecurity Centre being responsible for supervising and applying the provided sanctions. Serious offences result from failure to comply with the obligation to notify the National Cybersecurity Centre of incidents and activities in the digital infrastructure sector. Very serious offences result from non-compliance with the obligation to implement security requirements, and non-compliance with cybersecurity instructions issued by the National Cybersecurity Centre. Serious administrative offences carry fines from €1,000 to €3,000 for natural persons and from €3,000 to €9,000 for legal persons. Very serious administrative offences carry fines varying between €5,000 and €25,000 for natural persons and between €5,000 and €25,000 for legal persons.
We took the opportunity to analyse the 'Contribution of the EDPB to the evaluation of the GDPR under Article 97'. The European Data Protection Board (EDPB) and the individual EEA supervisory authorities contributed to the evaluation and review of the GDPR's first 20 months of application for the upcoming European Commission 2020 report.9 The main takeaways regarding the activity of the Portuguese Supervisory Authority (CNPD) are as follows:
- Regarding CNPD's full-time employees, with 27 people, Portugal is well below the average of 136, but near the median, which is 58 full-time employees for other Member-State supervisory authorities.
- The budgets envisaged for CNPD are also disparate (e.g., Germany has a €85,837,500 budget and Portugal's budget is €2,385,000).
- The Portuguese Supervisory Authority declared that it did not have an adequate budget or conditions to perform its supervisory functions as provided for by the GDPR.
- Portugal was in the middle of the table of countries below 2,500 complaints between 25 May 2018 and 30 November 2019, with 1,394 complaints reported.
- Portugal made use of corrective powers under Article 58(2)(c), (d), (f), (g) and (i) GDPR.
- There were 785 fines imposed, distributed among 22 control authorities (out of 30). The majority were for infringements of GDPR Articles 5, 6, 7, 9, 12–22 and 32–34.
- Portugal had 400 data breach notifications.
- The Portuguese Supervisory Authority promoted initiatives among SMEs. CNPD said that it provided model records of processing activities, participated in several clarification sessions and created FAQs and other guidance. However, this was a little underwhelming in comparison with other countries with the same budget and headcount.
Covid-19 has brought a lot of economic and financial uncertainty to Member-States, and to the world altogether, which will mean some concerns being prioritised over others.
We believe that Portugal will have to refocus itself on some major issues such as unemployment, company restructuring and public health, as every citizen expects it.
Areas like cybersecurity or data protection and privacy might get overlooked, but we also believe that the trend is to increase awareness of data protection as a whole, including technological infrastructures and databases, whether they include personal data or not.
On 25 July 2020, the Portuguese government presented the 'Simplex 20-21', which made commitments regarding the digitisation of several public administration services, namely the service 'My Data', which consists of providing mechanisms for consultation and validation of data contained in the main public administration registers and monitoring of data sharing through a platform for the interoperability of public administration.10
1 Joana Mota Agostinho is a partner and Nuno Lima da Luz is a senior associate at CTSU – Sociedade de Advogados, member of Deloitte Legal Network.
3 Offence in breach of Articles (5)(1)(c)(f) and (83)(5)(a), as well as Articles (32)(1)(b)(d) and (83)(4)(a).
4 Offence in breach of Articles (15)(f) and (83)(5)(b) of the GDPR.
5 Offence in breach of Articles (13) and (83)(5)(b) of the GDPR.
6 Offence in breach of Article (13-A)(1) of Law No. 41/2004 of 18 August.