In the ever-evolving landscape of data protection and privacy, the General Data Protection Regulation (GDPR) is the most significant legislative framework for the processing of personal data. Known for its extraterritorial reach, the GDPR also sets out, in Chapter V and specifically in Article 48, the rules that apply when a public authority in a third country asks a private organization established in the European Economic Area (EEA) to transfer or disclose personal data.
Private organizations in the EEA have long faced challenges in managing such requests while ensuring compliance with the GDPR. To address these issues, the European Data Protection Board (EDPB) issued Guidelines 02/2024 on 2 December 2024, offering clarity on the interpretation and application of Article 48. These guidelines, open for public consultation until 27 January 2025, are essential for businesses, legal professionals and privacy experts navigating cross-border data transfers under the GDPR.
Background on Article 48 of the GDPR
Article 48 of the GDPR states that ‘any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter’.
Article 48 does not itself prohibit such transfers. Rather, it denies recognition and enforceability in the EEA to any third-country judgment or administrative decision that requires a controller or processor established in the EEA to transfer or disclose personal data, unless that decision is based on an international agreement in force between the requesting third country and the Union or a Member State. The transfer itself remains subject to the rest of the GDPR, including the grounds for transfer in Chapter V.
Private organizations established in the EEA face a dilemma between complying with third-country requests – often related to national security or law enforcement orders – and adhering to the requirements of the GDPR.
Scope of the Guidelines 02/2024
These guidelines focus on requests for direct cooperation between a third-country public authority and a private entity in the EEA, rather than scenarios where personal data is exchanged directly between public authorities in the EEA and third countries (for example, under mutual legal assistance treaties). These requests may come from a wide range of public authorities, including those regulating the private sector, such as banking regulators and tax authorities, as well as law enforcement and national security agencies.
The guidelines specifically address situations where such requests are directed to controllers or processors in the EEA, whose processing activities are subject to Article 3(1) of the GDPR.
‘Two-step test’ must be fulfilled when responding to a third-country public authority request
The EDPB recalls in these guidelines that the ‘two-step test’ applies when personal data are transferred to a third-country public authority. First, the processing that the transfer entails must rest on a legal basis under Article 6 and comply with all other relevant provisions of the GDPR. Second, the conditions of Chapter V (‘Transfers of personal data to third countries or international organizations’) must be met.
1. Identification of a legal basis under Article 6 of the GDPR
- Compliance with a legal obligation (Article 6(1)(c)): Article 48 contemplates a situation where a court ruling, tribunal decision or administrative order from a third-country authority requires a controller or processor in the EEA to transfer personal data on the basis of an international agreement. Such an agreement can establish the request as a legal obligation, with legal consequences for noncompliance. Where the processing is necessary to fulfill that obligation, Article 6(1)(c) of the GDPR provides a clear legal basis. A third-country law or order on its own does not suffice: under Article 6(3), the obligation must be laid down by Union or Member State law, which is why the existence of an international agreement matters.
Where no legal obligation arising from an international agreement binds the EEA organization, the availability of another legal basis must be assessed on a case-by-case basis.
- Consent (Article 6(1)(a)): In principle, a data subject’s consent could serve as a legal basis for transferring data to a third-country authority. However, the EDPB considers that relying on consent in this context would generally be inappropriate, because the transfer is linked to the exercise of authoritative powers and there is therefore a clear imbalance of power between the parties, which undermines the freely given nature of the consent.
- Vital interests (Article 6(1)(d)): The EDPB acknowledges that in certain specific situations, the vital interests of the data subject could serve as a legal basis for a transfer triggered by a third-country request, provided that the conditions set out in international law are met. As regards the vital interests of other individuals, the EDPB emphasizes that processing based on the vital interests of another natural person should, in principle, take place only where the processing cannot manifestly be based on another legal basis.
- Legitimate interests (Article 6(1)(f)): The EDPB recalls that any processing based on the legitimate interests of the controller or of a third party must be necessary and must be balanced against the interests, fundamental rights and freedoms of the data subject. The outcome of this balancing test, which requires an individual assessment, determines whether Article 6(1)(f) can be relied upon for a transfer to a third-country authority. The EDPB states that, although a controller may in some cases have a legitimate interest in complying with a request to disclose personal data to a third-country authority, a private business acting as a controller cannot rely on Article 6(1)(f) to collect and store personal data in advance, merely in anticipation of possible future requests.
The guidelines further recall that the EDPB has previously held that, in certain situations, the interests or fundamental rights and freedoms of the data subject override the controller’s interest in complying with a third-country law enforcement authority’s request in order to avoid sanctions for noncompliance.
2. Compliance with Chapter V of the GDPR
The provision of Article 48 itself contains no data protection safeguards for data transfers, but clarifies that decisions or judgments from third-country authorities cannot be directly recognized or enforced in the EEA unless an international agreement provides for this.
Therefore, before responding to a request from a third-country public authority falling under Article 48 of the GDPR, the controller or processor in the EEA must identify an applicable ground for the transfer.
If an international agreement governs cooperation between an EEA controller or processor and a third-country public authority, it can serve as the ground for the transfer, provided that the agreement contains appropriate safeguards in accordance with Article 46(2)(a).
If no international agreement binds the EEA controller or processor and the third-country public authority, or the agreement does not provide appropriate safeguards for the transfer, the transfer must rest on another ground under Chapter V – e.g., standard contractual clauses or binding corporate rules – or on one of the derogations in Article 49, such as a transfer necessary for important reasons of public interest or for the establishment, exercise or defense of legal claims. However, as the EDPB has previously stated, the derogations in Article 49 must be interpreted narrowly and are primarily intended for occasional, nonrepetitive transfers.
Impact on businesses with an entity in the EEA
For businesses operating globally, Guidelines 02/2024 are an essential tool for navigating the complexities of third-country requests. Companies must remain vigilant in assessing the legal environment of each country to which they transfer data, and must ensure that their EEA-established controllers and processors rely on both an adequate legal basis under Article 6 and a ground for transfer under Chapter V when responding to requests from third-country authorities.
If your organization requires skilled advice and support on how to handle third-country public requests, such as subpoenas, please do not hesitate to contact us.
Authors
Patrick Van Eecke, Partner, Brussels
Enrique Gallego Capdevila, Special Counsel, Brussels