On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.
The Draft Guidelines focus in particular on Article 48 GDPR, which states that a binding demand from a non-EU public authority “requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
As an initial matter, the EDPB addresses the question of whether Article 48 operates as a blocking statute—i.e., a prohibition on disclosure of personal data subject to the GDPR to non-EU public authorities in the absence of an international agreement (e.g., a mutual legal assistance treaty) that permits that disclosure. The Draft Guidelines state that, even in the absence of such an international agreement, companies can in principle disclose personal data in response to such demands, provided that they (a) have a valid legal basis for doing so under Article 6 GDPR, and (b) can validly transfer the personal data outside the EU in accordance with Chapter V GDPR (e.g., on the basis of an EU adequacy decision, “appropriate safeguards”, or one of the derogations set out in Article 49 GDPR). The Draft Guidelines nonetheless make clear that, absent such an international agreement, any demand from a non-EU public authority will not be recognized as a binding demand by, or enforceable in, EU courts.
The Draft Guidelines also provide guidance on the Article 6 legal bases and Chapter V transfer grounds that might apply where a private entity receives a request or demand for personal data from a non-EU public authority. This guidance is broadly consistent with the EDPB’s analysis in its 2019 joint opinion with the EDPS on the CLOUD Act. Of particular note:Continue Reading EDPB adopts draft guidelines on requirements when responding to requests from non-EU public authorities