Privacy & Cybersecurity Law Blog

On December 3, 2024, the European Data Protection Board (“EDPB”) published its draft Guidelines 02/2024 on Article 48 of the GDPR (the “Guidelines”). The Guidelines focus on how a controller should act when subject to a judgment or administrative decision requiring the transfer or disclosure of personal data to a public authority in a third country.

As explained by the EDPB, under Article 48 of the GDPR, requests from public authorities in third countries may only be recognized or enforceable if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or an EU Member State.

The Guidelines clarify that Article 48 is not a transfer mechanism in itself. As such, organizations relying on this provision still need to find both a legal basis under Article 6 of the GDPR and a ground for transfers under Chapter V of the GDPR. Depending on the international agreement in force with the requesting country, the potential legal basis may be, for example, legal obligation, public interest or consent. Subject to the outcome of a balancing test and assuming that the transferred data is limited to what is objectively necessary, the EDPB also considers that legitimate interests could be an adequate legal basis for processing, albeit in exceptional cases.

If the transfer is within the scope of an international agreement that provides adequate safeguards for personal data and allows for cooperation between public and private entities, the applicable transfer mechanism should be the existence of a legally binding and enforceable instrument between public authorities or bodies under Article 46(1)(a). However, if such requirements are not met (e.g., the international agreement does not provide for adequate safeguards) an alternative transfer mechanism will be required.

The rules in Article 48 are without prejudice to other grounds for transfers under Chapter V of the GDPR. That is to say, in the absence of an international agreement, controllers may still be able to transfer personal data to third-country authorities if: (1) another transfer mechanism such as Standard Contractual Clauses or derogations for specific situations can be identified; and (2) there is a legal basis for the transfer under Article 6 of the GDPR.

The Guidelines will be available for public consultation until January 27, 2025.

Read the Guidelines.