
Transfers of personal data upon foreign authorities’ requests – the EDPB’s guidelines

Charlotte Beck, 26 February 2025
The EDPB has published guidelines on art. 48 GDPR, often used in the context of transfers of personal data to foreign authorities. The guidelines aim to clarify the conditions for such a transfer to be lawful.

EDPB Guidelines 02/2024 on Article 48 GDPR, adopted 02 December 2024 (in consultation until 27 February 2025)

Last December, the EDPB published guidelines on art. 48 GDPR, with the purpose of clarifying the rationale and objectives of the article, as well as its interactions with the remainder of Chapter V of the GDPR.

The fifth chapter of the GDPR concerns the transfer of data outside of the European Economic Area. The principle is that transfers abroad shall only take place when one of the grounds of Chapter V is fulfilled, mainly meaning those provided in either art. 45, art. 46 or art. 49 GDPR.

The subject of the EDPB’s guidelines analysed in this contribution, art. 48 GDPR, is not a ground for processing like the other articles of that chapter. It is a clarification of the requirements when basing the transfer on a decision or judgment from a third country’s public body. Such a transfer is only possible if an international agreement is in force between the respective actors’ countries. The international agreement may be a mutual legal assistance treaty (MLAT).

The scope of the guidelines is limited to the transfer of data from a private entity in the EU, based on a request from a third country’s public authority. The article itself is not restricted to transfers by private entities – it may also cover public entities – but the EDPB considers the former the most widespread scenario. Such a request would be made, for example, to entities in the banking sector by foreign tax authorities or law enforcement.

Where a foreign public body requests a private EU entity to transfer personal data, the GDPR is applicable, as provided by art. 3 par. 1 GDPR on the territorial scope of the Regulation. In addition to the GDPR, specific rules of Member States may apply, such as criminal procedural rules.

When transferring personal data abroad, a two-step test must be performed. The first step is the identification of a legal basis for the processing – i.e. the transfer – on the principle set out in art. 5 par. 1 GDPR and found in art. 6 GDPR. The second step is compliance with Chapter V, meaning that there is a ground for the transfer.

A legal basis

For the first step, the most appropriate legal basis, as outlined by the EDPB, would be the “legal obligation” provided by art. 6 par. 1 let. (c) GDPR, in conjunction with art. 6 par. 3 GDPR. Indeed, if an international agreement is in place, it is part of the country’s legal system and is therefore binding on the parties, as a “legal obligation”. Other legal bases may however be relied on. The EDPB analyses and provides guidance on each.

Consent is difficult to argue, especially in the exercise of an authority’s power. The requirement that consent must be “free” can be called into question. It should be recalled – as described in Recital 115 – that the aim of the GDPR is also to protect individuals against the extraterritorial application of laws that may be in breach of international law.

Contracts are excluded, by nature.

Vital interest of the data subject or other persons: the former requires that conditions of international laws are met (e.g. Council Regulation (EU) 2019/1111 of 25 June 2019 on jurisdiction, the recognition and enforcement of decisions in matrimonial matters and the matters of parental responsibility, and on international child abduction), the latter that no other legal basis can manifestly be used.

Public interest is the most appropriate legal basis besides the legal obligation. It must however have a basis in the Union’s or the Member State’s laws.

Legitimate interest may be used in exceptional circumstances and always with the performance of the necessity and balancing test. All the potential and/or actual consequences for the data subject must be taken into account. Here, the EDPB provides examples, such as:

“the seriousness of alleged offenses that may be notified, the scope of the request, applicable standards and procedural guarantees in the third country, and applicable data protection safeguards.”

The nature of personal data and type of processing activity are also to be taken into account. Finally, and most interestingly, the reasonable expectation of the data subjects should be considered. In that case, the processing must be limited to what is “demonstrably necessary to pursue the specific interest”.

It is clarified here that the legitimate interest cannot be relied on as a legal basis to pre-emptively collect and store data “just in case” it might be requested by an authority. In the past, the CJEU has ruled that the interest of the data subject overrides the controller’s interests (on that topic, see: www.swissprivacy.law/244/).

A ground in compliance with Chapter V

The relevant ground linked to art. 48 GDPR is of course art. 46 par. 2 (a) GDPR, which provides that an appropriate safeguard can be:

“a legally binding and enforceable instrument between public authorities or bodies”

International agreements, such as MLATs, provide for cooperation between authorities of different countries, and may also concern cooperation by private entities.

The minimum safeguards that need to be included in said international agreements are similar to the “adequacy” conditions of art. 45 GDPR. An equivalent level of protection must be ensured, meaning that the core principles of data protection need to be guaranteed. This means that, in particular, data subject rights must be effective and enforceable, restrictions on onward transfers must be determined, additional protections for sensitive data must be in place, etc.

In the absence of these minimum safeguards in the international agreement or a separate binding instrument, the controller or processor must rely on a different ground of Chapter V. If no adequacy or appropriate standards can be relied upon, the exceptions of art. 49 GDPR may be used as a last resort, while remembering that these derogations should be interpreted restrictively and used only for occasional cases (see the EDPB Guidelines 2/2018).

The main takeaway of the guidelines is that a judgment or decision from a third country cannot automatically be used as a ground for transfer. Indeed, a binding international agreement between the two stakeholders’ countries is needed. If applicable, the international agreement can be a legal basis and a ground for transfer.

This guidance from the EDPB clarifies the reach of art. 48 GDPR, and by extension, other articles of Chapter V. It should be recalled here, as the EDPB does, that the question regarding the need for an international agreement for the recognition and enforcement of a decision or judgment is different from the question of the lawfulness of a personal data transfer.

The requirement for minimum safeguards to be present in the international agreement restricts the capacity to rely on any international agreement between two countries. This mechanism can however be used as a replacement for an adequacy decision and provide a similar framework between a Member State and a third country. The process of issuing adequacy decisions is quite lengthy and generally only initiated towards countries with a broad economic interest for the European Union as a whole. Relying on a binding instrument provides Member States with the ability to enter into specific MLATs with certain third countries, while ensuring data protection aspects are covered.

In Switzerland, a similar ground for transfer is provided at art. 16 par. 2 let. a FADP. The Message for the law’s revision (FF 2017 6658) states that conventions such as Convention 108 and its amending Protocol are considered “international treaties”. Art. 67 let. a FADP explicitly authorises the Federal Council to conclude international treaties with third country authorities in charge of personal data protection.



Suggested citation: Charlotte Beck, Transfers of personal data upon foreign authorities’ requests – the EDPB’s guidelines, 26 February 2025, in www.swissprivacy.law/340


Articles on swissprivacy.law are published under a Creative Commons CC BY 4.0 licence.