On December 3, 2024, the European Data Protection Board (EDPB) adopted a Consultation draft of the guidelines 02/2024 on Article 48 GDPR published (see here). Article 48 GDPR stipulates that data may only be transferred by order of a court or authority of a third country on the basis of a mutual legal assistance treaty or other agreement. However, other grounds for a transfer under Chapter V GDPR remain unaffected.
The guidelines primarily deal with possible transfers by EU companies to third country authorities and courts. While transfers under mutual legal assistance agreements usually take place between authorities, the EDPB points out that such transfers can also be made by companies:
“[…] there has been a recent tendency to negotiate international agreements to also provide for direct requests from law enforcement authorities in third countries for access to personal data processed by private entities in the EU.” (EDPB, Draft Guidelines 02/2024, page 5, footnote 3).
The EDPB’s opinion is welcome in that it clarifies that Article 48 does not function as a so-called blocking statute. This means that transfers to third country courts and authorities can also be based on a transfer basis from Chapter V GDPR outside of a mutual legal assistance agreement.
Examination scheme of the EDSA
However, the assessment scheme provided by the EDPB proves to be problematic. The EDPB is of the opinion that Article 48 GDPR does not constitute a ground for authorization for a transfer to the third country in the case of a mutual legal assistance agreement and that another ground for transfer from Chapter V GDPR is required:
“Unlike the other provisions of Chapter V, Article 48 is not a ground for transfer. The provision itself contains no data protection safeguards but clarifies that decisions or judgments from third country authorities cannot be recognized or enforced in the EU/EEA unless an international agreement provides for this. Therefore, before responding to a request from a third country authority falling under Article 48, the controller or processor in the EU/EEA must identify an applicable ground for the transfer elsewhere in Chapter V.” (EDPB, Draft Guidelines 02/2024, para. 29)
The EDPB cites a data transfer based on appropriate safeguards in accordance with Article 46(2)(a) GDPR, a legally binding and enforceable document between the authorities or public bodies, as a possible authorization criterion. At the same time, however, the EDPB points out that in this case, the transferring EU company must check and ensure that the mutual legal assistance agreement also contains the necessary appropriate safeguards. As with the use of standard contractual clauses, the transferring company must therefore also check whether the data protection principles, such as enforceable rights and effective legal remedies, independent supervision and restrictions on onward transfers, are provided for in the context of mutual legal assistance agreements.
If this is not the case, the transferring EU company must identify another reason for the transfer, such as Article 49 GDPR. However, Article 49 GDPR should be interpreted narrowly. Consequently, this means that in the absence of a basis for the transfer, an EU company may not be able to respond to a request made under a valid mutual legal assistance agreement for data protection reasons, even though the company would be obliged to do so under Member State law.
Article 48 GDPR as a symbolic program sentence
Due to the unclear wording, the regulatory content of Article 48 GDPR is assessed differently in the literature. Some representatives see Article 48 GDPR as merely a “program sentence with symbolic meaning”, which clarifies that a decision by a third country does not constitute a basis for a data transfer (Taeger/Gabel/Gabel, 4th ed. 2022, GDPR Art. 48 para. 3; Simitis/Hornung/Spiecker gen. Döhmann/Schantz, 2nd ed. 2925, Data Protection Law Art. 48, para. 1; Ehmann/Selmayr/Zerdick, 3rd ed. 2024, GDPR Art. 48 para. 6; BeckOK DatenschutzR/Jungkind, 50th ed. 1.2.2024, GDPR Art. 48 para. 3). However, the legal consequences of this view are unclear. Only Zerdick and Spieker point out that there must be another reason for transfer from Chapter V GDPR. As explained above, this would mean that companies may not be able to respond to valid requests for data protection reasons and would therefore be in breach of the Member State law applicable to them.
The other proponents of this view maintain that the authorization to transfer data follows from the legal act itself and not from Article 48 GDPR. They therefore leave open the extent to which Article 48 GDPR nevertheless constitutes an authorization to use the respective agreement as a basis for transfer outside of the GDPR.
Article 48 GDPR as a permission standard
Other representatives of the literature are of the opinion that, despite the unclear wording, Article 48 GDPR allows data to be transferred on the basis of an international agreement and therefore constitutes a permissive element (Sydow/Marsch DS-GVO/BDSG/Towfigh/Ulrich, 3rd ed. 2022, GDPR Art. 48 para. 10; Kühling/Buchner/Schröder, 4th ed. 2024, GDPR Art. 48 para. 12; Gola/Heckmann/Klug, 3rd ed. 2022, GDPR Art. 48 para. 2). This view must be endorsed.
Article 48 GDPR, like the categories of cases in Article 49 GDPR, contains an exception to the principle that the transferring body must determine or establish the adequacy of the level of data protection in each individual case. This is appropriate as the transfer is based on a mutual legal assistance agreement, i.e. applicable Member State law. A transferring company must be able to rely on this law being compliant with other regulations, such as data protection law or fundamental rights, and not be exposed to possible fines. In its effect, Article 48 GDPR therefore has the character of an authorization standard.
As recital 102 GDPR makes clear, the responsibility for an adequate level of protection lies with the Member States and not with the companies: “Member States may conclude international agreements involving the transfer of personal data to third countries or international organizations, provided that such agreements do not affect this Regulation or other provisions of Union law and provide an adequate level of protection for the fundamental rights of data subjects.”
Lex specialis
Article 48 GDPR contains a more specific provision than the other provisions of Chapter V GDPR, which is why it is lex specialis (Kühling/Buchner/Schröder, 4th ed. 2024, GDPR Art. 48 para. 23). Unlike Article 49 GDPR, for example, Article 48 GDPR does not contain any reservation regarding an adequacy decision or suitable safeguards. In the case of extraterritorial requests from authorities for which an international agreement exists, reference should therefore be made to the mutual legal assistance agreement even if there are other grounds for transfer under the GDPR. The EDPB also states accordingly: “If an international agreement such as a mutual legal assistance agreement exists, companies in the EU should generally refuse direct requests and refer the requesting authority of the third country to the existing mutual legal assistance agreement or the corresponding agreement.” (EDPB, Guidelines 2/2018, p. 6.)
Conclusion
The interpretation of Article 48 GDPR by the EDPB leads to uncertainties and is not convincing as a result. Of course, every company must check whether it is complying with the applicable law, i.e. whether it is also acting in accordance with the procedural rules within the framework of a mutual legal assistance agreement. However, transferring companies cannot be required to check the admissibility of such an agreement, i.e. the Member State law applicable to them. In the interests of legal certainty, companies must also not be exposed to the possibility of being fined for complying with Member State law. The EDPB should therefore adapt its draft accordingly in order to avoid a conflict between data protection law and Member State law.
English version: Data Transfers under Article 48 GDPR – Analysis of the Draft EDPB Guidelines
On December 3, 2024, the European Data Protection Board (EDPB) published a consultation draft of its Guidelines 02/2024 on Article 48 GDPR (see here). Article 48 GDPR stipulates that a data transfer based on a court or authority order from a third country may only be recognized or enforceable if based on an international agreement in force between the requesting third country and the Union or a Member State. Other grounds for transfer under Chapter V GDPR remain unaffected.
The guidelines primarily address potential transfers by EU companies to third-country authorities and courts. While transfers under mutual legal assistance treaties typically occur between authorities, the EDPB points out that such transfers can also be made by companies:
“[…] there has been a recent tendency to negotiate international agreements to also provide for direct requests from law enforcement authorities in third countries for access to personal data processed by private entities in the EU.”
(EDPB, Draft Guidelines 02/2024, page 5, footnote 3)
The EDPB’s clarification that Article 48 GDPR does not function as a so-called blocking statute is welcome. This means that transfers to third-country courts and authorities can also be based on a transfer ground from Chapter V GDPR outside of a mutual legal assistance treaty.
EDPB’s Assessment Framework
However, the assessment framework proposed by the EDPB is problematic. The EDPB states that Article 48 GDPR does not constitute a legal basis for transfers to third countries on the strength of a mutual legal assistance treaty. Instead, EDPB says that another transfer ground from Chapter V GDPR is required:
“Unlike the other provisions of Chapter V, Article 48 is not a ground for transfer. The provision itself contains no data protection safeguards but clarifies that decisions or judgments from third country authorities cannot be recognized or enforced in the EU/EEA unless an international agreement provides for this. Therefore, before responding to a request from a third country authority falling under Article 48, the controller or processor in the EU/EEA must identify an applicable ground for the transfer elsewhere in Chapter V.”
(EDPB, Draft Guidelines 02/2024, para. 29)
As a possible legal basis, the EDPB refers to data transfers based on appropriate safeguards under Article 46(2)(a) GDPR‑a legally binding and enforceable document between authorities or public bodies. At the same time, the EDPB emphasizes that the transferring EU company must verify and ensure that the mutual legal assistance treaty includes the necessary appropriate safeguards. Similar to using standard contractual clauses, the transferring company must assess whether the treaty provides for data protection principles such as enforceable rights, effective remedies, independent oversight, and restrictions on onward transfers.
If these conditions are not met, the transferring EU company must identify another transfer ground, such as Article 49 GDPR. However, EDPB states that Article 49 GDPR must be interpreted narrowly. Consequently, under the EDPB’s interpretation, an EU company might be unable to respond to a valid request under a mutual legal assistance treaty for data protection reasons, even if required to do so under applicable Member State law.
Article 48 GDPR as a Symbolic Statement
Due to its ambiguous wording, the legal nature of Article 48 GDPR is interpreted differently in the literature. Some commentators view Article 48 GDPR merely as a “symbolic statement” clarifying that a third-country decision does not generally serve as a basis for data transfers (Taeger/Gabel/Gabel, 4th ed., 2022, GDPR Art. 48 para. 3; Simitis/Hornung/Spiecker gen. Döhmann/Schantz, 2nd ed., 2025, Datenschutzrecht Art. 48 para. 1; Ehmann/Selmayr/Zerdick, 3rd ed., 2024, DS-GVO Art. 48 para. 6; BeckOK DatenschutzR/Jungkind, 50th ed., Feb. 1, 2024, DS-GVO Art. 48 para. 3). However, the legal consequence of this view remains unclear. Only Zerdick and Spieker point out that another transfer ground from Chapter V GDPR is necessary. As outlined above, this could lead to companies being unable to respond to valid requests due to data protection concerns, potentially violating applicable Member State laws.
Other commentators argue that the authority to transfer data stems from the legal act itself and not from Article 48 GDPR. However, they leave open whether Article 48 GDPR could still allow the respective agreement to serve as a transfer basis outside the GDPR.
Article 48 GDPR as a Legal Basis
Other commentators argue that Article 48 GDPR, despite its ambiguous wording, permits data transfers based on an international agreement, thus constituting a legal basis (Sydow/Marsch DS-GVO/BDSG/Towfigh/Ulrich, 3rd ed., 2022, DS-GVO Art. 48 para. 10; Kühling/Buchner/Schröder, 4th ed., 2024, DS-GVO Art. 48 para. 12; Gola/Heckmann/Klug, 3rd ed., 2022, DS-GVO Art. 48 para. 2). This view is persuasive.
Article 48 GDPR, like the scenarios under Article 49 GDPR, provides an exception to the principle that the transferring entity must individually establish or ensure the adequacy of the data protection level. This is appropriate, as the transfer is based on a mutual legal assistance treaty, i.e., applicable Member State law. Transferring companies must be able to rely on the treaty’s compliance with other regulations, such as data protection laws or fundamental rights, without being exposed to potential fines. Article 48 GDPR, therefore, has the character of a legal basis.
Recital 102 GDPR underscores that responsibility for an adequate level of protection lies with the Member States, not companies:
“Member States may conclude international agreements which involve the transfer of personal data to third countries or international organizations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects…”
Lex Specialis
Article 48 GDPR contains a more specific provision compared to other rules in Chapter V GDPR, making it lex specialis (Kühling/Buchner/Schröder, 4th ed., 2024, DS-GVO Art. 48 para. 23). Unlike, for instance, Article 49 GDPR, Article 48 GDPR does not require an adequacy decision or appropriate safeguards. In the case of extraterritorial authority requests covered by an international agreement, reference should, therefore, be made to the mutual legal assistance treaty, even when other GDPR transfer grounds are available. Similarly, the EDPB states:
“In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”
(EDPB, Guidelines 2/2018, p. 5)
Conclusion
The EDPB’s interpretation of Article 48 GDPR leads to uncertainties and is ultimately unconvincing. While companies must ensure compliance with applicable law, including adherence to procedural requirements under a mutual legal assistance treaty, they cannot be required to second guess the validity of the treaty, i.e. Member State law applicable to them. For legal certainty, companies must not be exposed to the risk of fines for complying with Member State laws.
The EDPB should amend its draft to avoid conflicts between data protection laws and Member State legal provisions.