Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board’s Guidelines issued the final version of its guidelines that clarify the framework in Article 48 of the GDPR for controllers and processors in the EU when they receive requests from authorities in non-EU member states (“third countries”) to transfer or disclose personal data.
The core objective of Article 48 of the GDPR is to assert EU legal sovereignty, clarifying that judgments or decisions from third-country authorities (courts, tribunals, administrative bodies) requiring data transfer or disclosure cannot be automatically or directly recognized or enforced in an EU Member State unless they are based on an international agreement, such as a mutual legal assistance treaty (MLAT). The guidelines emphasize that this aims to protect personal data from extraterritorial application of third-country laws that could breach international law or undermine GDPR protection.
These guidelines specifically focus on direct requests to private entities in the EU from various public authorities, including those involved in law enforcement, national security, banking regulation, or tax. They do not cover scenarios where data is exchanged directly between public authorities or requests initially addressed to a parent company in a third country that then seeks assistance from its EU subsidiary.
Regardless of whether an international agreement exists, any such data flow constitutes a transfer under the GDPR and must comply with a “two-step test”. First, there must be a legal basis for the processing under Article 6 GDPR. While a foreign authority’s request itself is not a legal basis, an applicable international agreement could provide one, typically under Article 6(1)(c) (‘compliance with a legal obligation’) or 6(1)(e) (‘performance of a public-interest task’). Other legal bases like consent or legitimate interests might apply in exceptional, carefully examined circumstances, but Article 6(1)(b) (‘contract performance’) is generally excluded.
Second, the transfer must comply with the provisions of Chapter V of the GDPR. Importantly, Article 48 itself is not a ground for transfer. Controllers or processors must identify an applicable ground elsewhere in Chapter V, such as an adequacy decision (Article 45), appropriate safeguards (Article 46), or, restrictively, derogations (Article 49). An international agreement can serve as a ground for transfer if it provides the necessary appropriate safeguards under Article 46(2)(a).
Click here to read the European Data Protection Board’s final Guidelines 02/2024 on Article 48 GDPR.
