
EDPB clarifies assessment for disclosing EU data to foreign authorities


On 4 June 2025, the European Data Protection Board published guidelines clarifying how EU-based companies should assess requests from foreign authorities for access to EU personal data. The EDPB emphasizes that such requests cannot be automatically recognized within the EU. Before disclosing personal data to foreign authorities, EU companies must confirm on a case-by-case basis that doing so will not violate the GDPR's rules on data processing and international transfers.

Legal Framework: Art. 48 GDPR

Article 48 of the GDPR states that a judgment of a court or tribunal or a decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a Member State. In other words, decisions or judgments from non-EU authorities requiring the disclosure of personal data by EU-based entities are not automatically enforceable within the EU. Recognition of such requests expressly requires a valid international agreement.

In its Guidelines 02/2024 on Article 48 GDPR (the Guidelines), the EDPB clarifies the scope and application of Article 48 and outlines the four-step assessment that companies must follow to determine whether a foreign request can be lawfully fulfilled.

Practical steps for EU-based companies

When receiving a request from a foreign authority, EU-based companies should assess whether:

  1. The request is formalized in a judgment or decision from a court or tribunal or an administrative authority;
  2. The request is based on an international agreement between the third country and the EU (or the EU Member State in which the entity is located) that provides for the possibility of direct requests from foreign authorities for access to personal data processed by companies in the EU;
  3. The international agreement establishes a lawful basis, either by imposing a legal obligation implemented under EU or national law (Art. 6(1)(c) GDPR), or where cooperation is permitted in conformity with EU or national law and the disclosure is necessary for performing a task in the public interest (Art. 6(1)(e) GDPR); and
  4. Appropriate safeguards are provided in the international agreement satisfying Art. 46(2)(a) GDPR and the EDPB Guidelines 2/2020.

General rules for transfers

If the above conditions are not met, reliance on Article 48 GDPR will not be possible. In such cases, companies must instead rely on the standard GDPR framework for disclosing EU personal data through international transfers, ensuring a valid legal basis for the disclosure and the use of an appropriate transfer mechanism.

The Guidelines come at a time when cross-border data flows remain a point of legal and operational tension for EU companies operating internationally. EU personal data exports have long been a difficult issue, particularly in light of concerns about foreign governments’ ability to access EU personal data in jurisdictions where legal protections are not considered equivalent to those in the EU. These concerns were the basis for the Schrems I and II rulings that invalidated key transatlantic data transfer mechanisms (see our coverage of the Safe Harbor and Privacy Shield invalidations), and may lead to heightened scrutiny from regulators when evaluating transfers to foreign authorities.

The Guidelines reaffirm the EU’s legal sovereignty over personal data and clarify the need for companies to take a nuanced and legally grounded approach to foreign access requests. Notably, the step-by-step approach to Art. 48 GDPR applies regardless of whether the request is voluntary or compulsory.

In summary, EU companies must assess each request individually and cannot rely on foreign legal obligations as a defense if a European regulator finds the disclosure non-compliant with the GDPR.

What companies should do now

To align with the EDPB’s guidance, EU-based companies should:

  • Assess internal processes: Review and update internal procedures for handling foreign access requests to ensure alignment with the Guidelines.
  • Standardize review procedures: Implement consistent, documented procedures for evaluating each request from foreign authorities.
  • Record-keeping: Document all foreign access requests, including the rationale for granting or denying them.
  • Employee awareness and training: Raise awareness internally and provide regular training to employees involved in handling such requests.
  • Monitor regulatory developments: Stay informed about changes to international agreements and evolving guidance from EU regulators, particularly in sector-specific contexts.


Authored by Eduardo Ustaran and Julian Flamant.

Special thanks to Alexandre Owen for assisting with the preparation of this post.
