On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.

The Draft Guidelines focus in particular on Article 48 GDPR, which states that a binding demand from a non-EU public authority “requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”

As an initial matter, the EDPB addresses the question of whether Article 48 operates as a blocking statute—i.e., a prohibition on disclosure of personal data subject to the GDPR to non-EU public authorities in the absence of an international agreement (e.g., a mutual legal assistance treaty) that permits that disclosure. The Draft Guidelines state that, even in the absence of such an international agreement, companies can in principle disclose personal data in response to such demands, provided that they (a) have a valid legal basis for doing so under Article 6 GDPR, and (b) can validly transfer the personal data outside the EU in accordance with Chapter V GDPR (e.g., on the basis of an EU adequacy decision, “appropriate safeguards”, or one of the derogations set out in Article 49 GDPR). The Draft Guidelines nonetheless make clear that, absent such an international agreement, any demand from a non-EU public authority will not be recognized as a binding demand by, or enforceable in, EU courts.

The Draft Guidelines also provide guidance on the Article 6 legal bases and Chapter V transfer grounds that might apply where a private entity receives a request or demand for personal data from a non-EU public authority. This guidance is broadly consistent with the EDPB’s analysis in its 2019 joint opinion with the EDPS on the CLOUD Act. Of particular note:

  • Where an applicable international agreement (i.e., one to which the EU or a relevant Member State is a signatory) obliges private entities in the EU to provide data in response to binding demands from non-EU public authorities (and failing to do so would “have legal consequences” for the company), then the private entity could transfer the data pursuant to the “compliance with a legal obligation” legal basis under Article 6(1)(c) GDPR;
  • Even where no such international agreement exists, a private entity may be able to transfer the data in reliance on the “performance of a task in the public interest” legal basis under Article 6(1)(e) GDPR. The EDPB indicates that, in appropriate circumstances, the Second Additional Protocol to the Convention on Cybercrime could provide a basis for relying on this legal basis;
  • The “vital interests” and “legitimate interests” legal bases under Articles 6(1)(d) and 6(1)(f) GDPR, respectively, may be available, but this will depend heavily on the circumstances. Consistent with its recent draft guidelines on the legitimate interests legal basis (discussed in our blog post here), the EDPB reiterates that a private entity may not rely on legitimate interests to collect data for the sole purpose of potentially disclosing that data to law enforcement agencies if doing so is “unrelated to its own actual (economic and commercial) activities.”
  • An international agreement will not always authorize an international transfer under Chapter V GDPR. An adequacy decision under Article 45 GDPR, appropriate safeguards under Article 46 GDPR, or a derogation under Article 49 GDPR are required even where such an agreement exists.
  • That said, applicable international agreements can, in principle, provide “appropriate safeguards.” It will be interesting to see if any future agreement between the EU and a third country (such as the long-awaited EU-U.S. data access agreement that is currently being negotiated) might provide for such safeguards, such that no additional safeguards would be necessary in order to permit a transfer of personal data in accordance with Chapter V.
  • The Draft Guidelines do not expressly endorse the use of any derogations under Article 49 GDPR, although they note that these derogations must be interpreted restrictively. However, the Guidelines acknowledge that Article 49 derogations may be relevant to requests from non-EU public authorities, and refer specifically to the fact that transfers may take place “if they are necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.”

The Draft Guidelines are subject to public consultation until 27 January 2025. Feedback can be submitted here.

*            *            *

Covington’s Data Privacy and Cybersecurity Practice regularly advises on issues arising from demands for data from both EU and non-EU public authorities. If you have questions about the potential impact of the Draft Guidelines, or are interested in responding to the consultation on them, please do not hesitate to contact us.

Marty Hansen

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues, including related to artificial intelligence. Martin has extensive experience in advising clients on matters arising under EU and U.S. law, UK law, the World Trade Organization agreements, and other trade agreements.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.