Greetings from Brussels!

There has been an intriguing privacy development out of Portugal over the last couple of weeks. It came to light following an internal investigation that over the last three years, the Lisbon city council illegally shared the personal data of protest organizers and activists with foreign embassies whose countries were the target of city demonstrations. Personal data was shared with authorities of countries both within and outside the EU — China, Hungary, Iran, Iraq, Israel, Russia, Saudi Arabia and Venezuela were all recipients. The city’s internal audit revealed that some 52 such data-sharing incidents occurred since the introduction of the GDPR.

The scandal was initially sparked by irregular disclosures now being dubbed "Russiagate" by the Portuguese media. The fallout from this story has been front-page headline news all week. Last month, Lisbon authorities admitted handing over the personal details of three organizers of an anti-Kremlin demonstration to the Russian embassy. For context, and in accordance with Portuguese legislation, protest organizers must register their intentions ahead of time and send their personal details, including name, ID number, address and telephone number to the city council. In turn, that same data is sent on to the police services and “competent authorities” as standard protocol. It seems the municipality took a rather broad and liberal interpretation of the latter, and on multiple occasions saw fit to send the personal data — including that of individuals with dual Portuguese nationality — to foreign powers.

Lisbon Mayor Fernando Medina acted last week under pressure from calls for his resignation. In an executive decision by vote, the city council dismissed the sitting DPO from his position and announced a forthcoming review of the data protection team functions. This decision provoked a complaint from the National Association of Data Protection and Security Professionals addressed to the Portuguese DPA (CNDP). In another twist, the president of the CNPD, Filipa Calvão, was heard last week in parliament by the Committee on Constitutional Affairs, Rights, Freedoms and Guarantees regarding the case. She stated the DPO at the city council should not be removed (questioning the legality of the decision), stressing the responsibility for data processing and noncompliance of GDPR provisions should be attributed to the municipality. It is also worth noting the DPA investigation into the matter identified 225 administrative and GDPR infringements related to the data communications made to third parties by the municipality in the context of demonstrations and protests. The city, or rather the taxpayer, could be facing a potential fine of more than 10 million euros.

I spoke with Portuguese IAPP members Jose Belo, head of data privacy at Valuer.ai and João Carlos Lamim, senior GDPR & data privacy consultant at Breach Consulting, to get some perspective from privacy pros on the ground. Perhaps not surprisingly, both Belo and Lamin shared similar concerns. The case and its media framing bring to the forefront what has been known and acknowledged by privacy pros in Portugal for some time: The government and public sector entities have been fairly lax regards investing in GDPR compliance programs. Belo reflected the 3-year moratorium on public body administrative fines, as permitted both under Article 83(7) of the GDPR and the national implementing law, possibly served as a distinct disincentive. Lamin added it is estimated about 57% of national city councils are not compliant with applicable data protection law and only 43% have appointed a DPO. This, compounded by the lack of proactive activity and visible enforcement on the part of the national regulator most likely contributed to a lack of privacy culture engagement on the part of public authorities.

There is a draft decision prepared and publicly communicated by the DPA in what concerns the regulatory investigation. The Lisbon city council has two weeks to respond before a formal decision is expected three weeks from now.