Since 2010, an unprecedented digital transformation has taken place globally: the integration of emerging technologies into all business areas and the digitalisation of society across all sectors. Internet traffic has increased reportedly 15-fold, with global internet traffic surging by over 40% in 2020 alone. The digitalisation is set to continue with swelling amounts of data being consumed, for example, through video streaming services, machine learning, quantum computing, Internet-of-Things devices, expansion of services such as online banking, electronic commerce and virtual healthcare, the blockchain infrastructure, the 5-G wireless rollout and the metaverse. In parallel with the global digital transformation, European countries have placed increasing emphasis on the concept of personal data protection and the operationalisation of such concept through the adoption of new laws and regulations, which has resulted in various European countries embracing concepts akin to “data sovereignty”, i.e. keeping data within a state’s own borders. Since the introduction of the GDPR in 2018, it has become more difficult than ever to transfer personal data outside of the European Union (EU), and companies must satisfy high hurdles in order to be permitted to do so. In addition, a number of European countries and their data protection authorities (DPAs) have made transfers of personal data outside these countries to non-EU states even more challenging than under the GDPR alone. These factors put increasing pressure on data centres, whose occupiers often require data to be processed and shared globally and moved among different jurisdictions, in order to function efficiently. The evolving sophistication of cyber threats, combined with the ability of EU DPAs to issue fines of up-to the higher of EUR20 million or 4% of worldwide annual turnover and the heightened risk of related private actions by individuals (including class actions), mean that controllers and processors handling EU data must be strategic when choosing a jurisdiction from which to operate.
Utilising a data centre in Portugal presents a unique solution to the challenges posed by the trend towards data sovereignty and the growing sophistication of global cyber threats. Portugal is a welcoming hub for large technology companies and hyperscalers, with minimal restrictions on data processing within the EU framework. Portugal adheres to best practices in the law and regulation of data protection, yet at the same time it is consistently ranked as one of the most business-friendly, stable and open jurisdictions in the EU. Publicly recognised for fostering innovation, Portugal has taken concrete steps to embrace the digital transformation and encourage technological investment.
Portugal’s cybersecurity framework also aligns its laws with industry-leading international standards and certifications. While working within the high standards of the EU framework, Portugal maintains a sensible, secure and confidential privacy and cybersecurity enforcement regime.
These characteristics, coupled with the country’s strong network connectivity and favourable environmental conditions, position Portugal to be a highly desirable jurisdiction in which to establish and operate a data centre. This paper presents the advantages of developing and operating a data centre in Portugal from privacy, data protection and cybersecurity perspective.