Summary and Analysis · European Law Blog

On 3 December 2024, the European Data Protection Board (EDPB) released draft Guidelines 02/2024 on Article 48 GDPR clarifying the rules for data sharing with third country authorities. The Guidelines are another essential clarification of the GDPR’s requirements for data transfers. Consultation on the draft guidelines is open until 27 January 2025, after which the EDPB will revise and finalize them. The Guidelines address only scenarios in which private entities receive requests from third country authorities for personal data. The EDPB makes clear that third country authority judgements or decisions requiring transfer by a private sector entity do not by default justify transfer of personal data. Every transferring entity must still assess whether there is 1) a legal basis for the transfer and 2) a ground for transfer, such as an international agreement with appropriate safeguards. The EDPB also shifts the burden to transferring entities to assess whether an applicable international agreement provides sufficient safeguards to allow transfer. While not an unreasonable interpretation of Article 48, Court of Justice (CJEU) jurisprudence does not necessitate this outcome, and there are good policy reasons to leave assessments of international agreements to the governments that conclude them. This article summarizes the key points from the Guidelines, with Part I covering the EDPB’s interpretation of Article 48 and Part II describing the two-part test the EDPB lays out for transfers as applied to Article 48. The article concludes with an analysis of the EDPB Guidelines’ obligations for transferring entities through the lens of recent CJEU case-law.


I. Interpretation of Article 48

The EDPB guidelines start by adding a helpful interpretive gloss to Article 48. Article 48 GDPR states:

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

The EDPB concludes that Article 48, unlike most of the other provisions of Chapter V, is not a ground for transfer. Rather, the Article stands for the proposition that “decisions or judgments from third country authorities cannot be recognised or enforced in the EU/EEA unless an international agreement provides for this” (para. 29). Thus, receipt of a request for personal data from a third country authority does not automatically justify a transfer, even if there are legal consequences for refusing the request. The EDPB also interprets the Article broadly to cover any official request from a public body in a third country for the transfer of personal data, and the Board clarifies that the Article encompasses the transfer, disclosure, or any other method of making the personal data accessible in the third country (paras 11-14).

 

II. Two-Part Test for Third Country Authorities’ Transfer Requests

The EDPB then recalls that a two-part test is required to assess the appropriateness of any transfer of personal data to third countries, including in response to third country authorities’ transfer requests. To transfer data legally, there must be both 1) “a legal basis for the processing (Article 6 GDPR)” and 2) “compliance with the requirements for transfers of personal data to third countries or international organisations (Chapter V GDPR),” i.e. a ground for transfer (para. 15). An international agreement may provide both a legal basis and a ground for transfer under Chapter V, but only if the agreement contains appropriate safeguards (exsum.). Article 48 also does not rule out other grounds for responding to a third country request, the EDPB says; if there is no international agreement in place, or if the applicable agreement is not appropriately protective, the entity may be able to rely on other legal bases and grounds for transfer to respond to the request (exsum.).

 

a. Legal basis for transfer

First, as with all personal data processing, any transfer of personal data to a third country requires a legal basis listed in Article 6(1) GDPR. The EDPB notes that a range of legal bases may be available when responding to a third country authority request for transfer, depending on the circumstances. If there is an applicable international agreement, Article 6(1)(c) – processing carried out to fulfil a legal obligation – is an appropriate legal basis for transferring personal data based on a third country authority’s request (para. 19). If there is no international agreement available, an entity may consider other legal bases on a case-by-case basis. The EDPB cautions that if relying on legitimate interest (Article 6(1)(f)), an entity must limit processing to what is clearly necessary for its specific interest; legitimate interest cannot justify preemptive processing of personal data in order to be able to respond to third country authorities’ future requests (para. 28).

 

b. Grounds for transfer

Second, any transfer of personal data to a third country must be supported by a ground for transfer. Because Article 48 is not a ground for transfer but merely clarifies when a request of a third country authority is enforceable, an entity must find a ground for transfer among the other provisions of Chapter V (para. 29). The EDPB indicates that an international agreement with appropriate safeguards can be a basis for transfer or, if there is no international agreement in place or if the applicable agreement is not appropriately protective, an entity may rely on one of the other grounds for transfer.

An international agreement is the most natural ground for transfer based on a third country authority’s request. Article 46 GDPR states that “a legally binding instrument between public authorities or bodies,” such as an international agreement, may be a ground for transfer (Article 46(2)(a)). However, the EDPB concludes that an agreement must provide for appropriate safeguards to be a valid ground for transfer, and it must specifically cover direct cooperation between third country authorities and controllers and processors in the EU (para. 30). The EDPB guidelines place the responsibility on private entities responding to a third country authority request to assess the sufficiency of an applicable international agreement. The EDPB previously enumerated minimum safeguards to be included in such international agreements in its Guidelines 2/2020. As the EDPB states:

…international agreements providing for transfers of personal data should inter alia require that the core data protection principles are guaranteed by both parties, i.e. ensuring enforceable and effective data subject rights, containing restrictions on onward transfers and data sharing, including additional safeguards for sensitive data and providing independent redress and supervision mechanisms. The appropriate safeguards may be included directly in the international agreement, which provides for the direct cooperation between the controller or processor and the third country authorities, or in a separate legally binding instrument.

Guidelines 02/2024 (para. 31). 

The EDPB places the responsibility with private entities facing a third country request for personal data to review international agreements against these requirements before responding to or declining the request.

If there is no international agreement, the transfer must be based on both a new legal basis and a new ground for transfer, the EDPB says. Or, if the private entity finds that the international agreement does not have appropriate safeguards, the transfer must be based on a new ground for transfer, such as other appropriate safeguards in Article 46 or, in occasional and non-repetitive circumstances, derogations such as Article 49 consent (paras 32-33).

III. Analysis: Entity Responsibility for Transfers

The EDPB guidelines are largely a straightforward, intuitive interpretation and provide helpful support to private sector entities in applying the contours of Article 48. However, the EDPB guidelines do stake out one contentious position: the responsibility of transferring entities responding to a third country transfer request to assess existing international agreements for adequate safeguards. This is not an unreasonable interpretation of existing law by the EDPB. However, CJEU case-law does not mandate this result, and there are sound policy reasons that counsel against allowing private entities to second-guess international agreements. While private entities can in some narrow circumstances provide a useful backstop against government overreach, such a responsibility can also push fundamentally market-motivated actors outside their competency and produce weak outcomes. The responsibility to review international agreements under Article 46(2)(a) is best left with the governments that conclude them.

The EDPB guidelines’ position is an extension of the CJEU’s 2020 Schrems II judgment. In that opinion, the CJEU held that Article 46(1)’s transfer mechanisms with “appropriate safeguards,” including both SCCs and international agreements, must ensure that personal data transferred to a third country receive a level of protection “essentially equivalent” to that in the EU (Schrems II, para. 105). The CJEU gave private entities the responsibility to ensure that data transferred pursuant to the Standard Contractual Clauses (SCCs) do in fact receive adequate safeguards, since the transferring entity is in the best position to do so. When relying on the SCCs, the transferring entity must independently assess whether the laws of the third country ensure adequate protection of data transferred pursuant to SCCs, including whether law enforcement and national security access in the third country is necessary and proportionate (Schrems II, para. 134). The entity must then provide additional safeguards if necessary and suspend the transfer if it cannot provide adequate guarantees (Schrems II, para. 134).

Because of the differences between international agreements and SCCs, the logic of Schrems II does not clearly dictate that transferring entities should also have the responsibility to independently assess international agreements for appropriate safeguards. International agreements are negotiated bilaterally or multilaterally and bind nation states. SCCs are standard clauses drafted by the Commission that can facilitate personal data transfers to any country and bind the contracting entities. The CJEU’s obligation for transferring entities to independently assess whether SCCs were sufficiently protective for a given transfer was rooted in the nature of the SCCs themselves – in qualities that international agreements do not share. The CJEU’s reasoning relied upon two particular aspects of SCCs: 1) as standard clauses they apply to transfers to any country, so the Commission never assesses the adequacy of the SCCs as applied to transfers to particular countries; and 2) the SCCs do not bind public authorities (Schrems II, paras. 125, 130). By contrast, international agreements on the transfer of data to third country authorities are negotiated and approved by the signatory nations precisely with transfers to the other signatory third countries in mind. The agreements also necessarily bind the other governments. Transferring entities do retain the responsibility to ensure appropriate safeguards (GDPR, Recital 113). But, by the CJEU’s own logic, international agreements are not analogues to SCCs, leaving room for the responsibility to review, update, and declare international agreements appropriately protective to remain with government.

Good policy reasons also counsel against giving private entities the duty to second-guess international agreements. Governments are simply better positioned to assess international agreements for adequate safeguards and to update them as needed in line with the EDPB guidance. Governments are, after all, the representatives of the public interest. Private entities can, in narrow circumstances, provide a useful backstop against government overreach, such as by challenging an invasive practice that involves their services or an overbroad order. But we should be clear-eyed that private entities are also incentivized by market interests; they are not the proper locus of rights-based responsibilities in instances where government is both an available alternative and a natural fit. Private entities also lack the competency to second-guess international agreements negotiated between sovereign nations. Declining to continue their own transfers of data under SCCs is one thing; having private entities decline to follow duly authorized international law is quite another.

Current CJEU jurisprudence does not clearly require that the EDPB place the burden on transferring entities to review whether international agreements under Article 46(2)(a) provide adequate safeguards. Where case-law provides this leeway, it is wise to leave assessment of such international agreements to government authorities with the proper role, incentives, and competency for the task.

Eleni Kyriakides is a Principal at Gordian Policy Advisors LLC and Adjunct Professor at Georgetown Law in Washington, D.C. Previously she worked at Meta, where she advised the company on product privacy, and at the Electronic Privacy Information Center (EPIC), where she managed the organization’s international docket. She co-authored submissions in the landmark Schrems II case, has testified before the European Parliament on cross-border law enforcement data transfers, and has published widely on data protection issues.
