
Data transfers under Article 48 GDPR – analysis of the draft EDPB guidelines

On December 3, 2024, the European Data Protection Board (EDPB) published a consultation draft of Guidelines 02/2024 on Article 48 GDPR (see here). Article 48 GDPR stipulates that data may only be transferred by order of a court or authority of a third country on the basis of a mutual legal assistance treaty or other agreement. However, other grounds for a transfer under Chapter V GDPR remain unaffected.

The guidelines primarily deal with possible transfers by EU companies to third country authorities and courts. While transfers under mutual legal assistance agreements usually take place between authorities, the EDPB points out that such transfers can also be made by companies:

“[…] there has been a recent tendency to negotiate international agreements to also provide for direct requests from law enforcement authorities in third countries for access to personal data processed by private entities in the EU.” (EDPB, Draft Guidelines 02/2024, page 5, footnote 3).

The EDPB’s opinion is welcome in that it clarifies that Article 48 does not function as a so-called blocking statute. This means that transfers to third country courts and authorities can also rely on a transfer ground from Chapter V GDPR outside of a mutual legal assistance agreement.

Examination scheme of the EDPB

However, the assessment scheme provided by the EDPB proves to be problematic. The EDPB is of the opinion that Article 48 GDPR does not constitute a ground for authorization for a transfer to the third country in the case of a mutual legal assistance agreement and that another ground for transfer from Chapter V GDPR is required:

“Unlike the other provisions of Chapter V, Article 48 is not a ground for transfer. The provision itself contains no data protection safeguards but clarifies that decisions or judgments from third country authorities cannot be recognized or enforced in the EU/EEA unless an international agreement provides for this. Therefore, before responding to a request from a third country authority falling under Article 48, the controller or processor in the EU/EEA must identify an applicable ground for the transfer elsewhere in Chapter V.” (EDPB, Draft Guidelines 02/2024, para. 29)

The EDPB cites a data transfer based on appropriate safeguards in accordance with Article 46(2)(a) GDPR, a legally binding and enforceable document between the authorities or public bodies, as a possible authorization criterion. At the same time, however, the EDPB points out that in this case, the transferring EU company must check and ensure that the mutual legal assistance agreement also contains the necessary appropriate safeguards. As with the use of standard contractual clauses, the transferring company must therefore also check whether the data protection principles, such as enforceable rights and effective legal remedies, independent supervision and restrictions on onward transfers, are provided for in the context of mutual legal assistance agreements.
If this is not the case, the transferring EU company must identify another reason for the transfer, such as Article 49 GDPR. However, Article 49 GDPR should be interpreted narrowly. Consequently, this means that in the absence of a basis for the transfer, an EU company may not be able to respond to a request made under a valid mutual legal assistance agreement for data protection reasons, even though the company would be obliged to do so under Member State law.

Article 48 GDPR as a symbolic program sentence

Due to the unclear wording, the regulatory content of Article 48 GDPR is assessed differently in the literature. Some commentators see Article 48 GDPR as merely a “program sentence with symbolic meaning”, which clarifies that a decision by a third country does not constitute a basis for a data transfer (Taeger/Gabel/Gabel, 4th ed. 2022, GDPR Art. 48 para. 3; Simitis/Hornung/Spiecker gen. Döhmann/Schantz, 2nd ed. 2025, Data Protection Law Art. 48, para. 1; Ehmann/Selmayr/Zerdick, 3rd ed. 2024, GDPR Art. 48 para. 6; BeckOK DatenschutzR/Jungkind, 50th ed. 1.2.2024, GDPR Art. 48 para. 3). However, the legal consequences of this view are unclear. Only Zerdick and Spiecker point out that there must be another reason for transfer from Chapter V GDPR. As explained above, this would mean that companies may not be able to respond to valid requests for data protection reasons and would therefore be in breach of the Member State law applicable to them.

The other proponents of this view maintain that the authorization to transfer data follows from the legal act itself and not from Article 48 GDPR. They therefore leave open the extent to which Article 48 GDPR nevertheless constitutes an authorization to use the respective agreement as a basis for transfer outside of the GDPR.

Article 48 GDPR as a permission standard

Other commentators are of the opinion that, despite the unclear wording, Article 48 GDPR allows data to be transferred on the basis of an international agreement and therefore constitutes a permissive element (Sydow/Marsch DS-GVO/BDSG/Towfigh/Ulrich, 3rd ed. 2022, GDPR Art. 48 para. 10; Kühling/Buchner/Schröder, 4th ed. 2024, GDPR Art. 48 para. 12; Gola/Heckmann/Klug, 3rd ed. 2022, GDPR Art. 48 para. 2). This view must be endorsed.
Article 48 GDPR, like the categories of cases in Article 49 GDPR, contains an exception to the principle that the transferring body must determine or establish the adequacy of the level of data protection in each individual case. This is appropriate as the transfer is based on a mutual legal assistance agreement, i.e. applicable Member State law. A transferring company must be able to rely on this law being compliant with other regulations, such as data protection law or fundamental rights, and not be exposed to possible fines. In its effect, Article 48 GDPR therefore has the character of an authorization standard.

As recital 102 GDPR makes clear, the responsibility for an adequate level of protection lies with the Member States and not with the companies: “Member States may conclude international agreements involving the transfer of personal data to third countries or international organizations, provided that such agreements do not affect this Regulation or other provisions of Union law and provide an adequate level of protection for the fundamental rights of data subjects.”

Lex specialis

Article 48 GDPR contains a more specific provision than the other provisions of Chapter V GDPR, which is why it is lex specialis (Kühling/Buchner/Schröder, 4th ed. 2024, GDPR Art. 48 para. 23). Unlike Article 49 GDPR, for example, Article 48 GDPR does not contain any reservation regarding an adequacy decision or suitable safeguards. In the case of extraterritorial requests from authorities for which an international agreement exists, reference should therefore be made to the mutual legal assistance agreement even if there are other grounds for transfer under the GDPR. The EDPB also states accordingly: “If an international agreement such as a mutual legal assistance agreement exists, companies in the EU should generally refuse direct requests and refer the requesting authority of the third country to the existing mutual legal assistance agreement or the corresponding agreement.” (EDPB, Guidelines 2/2018, p. 6.)

Conclusion

The interpretation of Article 48 GDPR by the EDPB leads to uncertainties and is ultimately not convincing. Of course, every company must check whether it is complying with the applicable law, i.e. whether it is also acting in accordance with the procedural rules within the framework of a mutual legal assistance agreement. However, transferring companies cannot be required to check the admissibility of such an agreement, i.e. the Member State law applicable to them. In the interests of legal certainty, companies must also not be exposed to the possibility of being fined for complying with Member State law. The EDPB should therefore adapt its draft accordingly in order to avoid a conflict between data protection law and Member State law.

English version: Data Transfers under Article 48 GDPR – Analysis of the Draft EDPB Guidelines

On December 3, 2024, the European Data Protection Board (EDPB) published a consultation draft of its Guidelines 02/2024 on Article 48 GDPR (see here). Article 48 GDPR stipulates that a data transfer based on a court or authority order from a third country may only be recognized or enforceable if based on an international agreement in force between the requesting third country and the Union or a Member State. Other grounds for transfer under Chapter V GDPR remain unaffected.

The guidelines primarily address potential transfers by EU companies to third-country authorities and courts. While transfers under mutual legal assistance treaties typically occur between authorities, the EDPB points out that such transfers can also be made by companies:

“[…] there has been a recent tendency to negotiate international agreements to also provide for direct requests from law enforcement authorities in third countries for access to personal data processed by private entities in the EU.”
(EDPB, Draft Guidelines 02/2024, page 5, footnote 3)

The EDPB’s clarification that Article 48 GDPR does not function as a so-called blocking statute is welcome. This means that transfers to third-country courts and authorities can also be based on a transfer ground from Chapter V GDPR outside of a mutual legal assistance treaty.

EDPB’s Assessment Framework

However, the assessment framework proposed by the EDPB is problematic. The EDPB states that Article 48 GDPR does not constitute a legal basis for transfers to third countries on the strength of a mutual legal assistance treaty. Instead, the EDPB says that another transfer ground from Chapter V GDPR is required:

“Unlike the other provisions of Chapter V, Article 48 is not a ground for transfer. The provision itself contains no data protection safeguards but clarifies that decisions or judgments from third country authorities cannot be recognized or enforced in the EU/EEA unless an international agreement provides for this. Therefore, before responding to a request from a third country authority falling under Article 48, the controller or processor in the EU/EEA must identify an applicable ground for the transfer elsewhere in Chapter V.”
(EDPB, Draft Guidelines 02/2024, para. 29)

As a possible legal basis, the EDPB refers to data transfers based on appropriate safeguards under Article 46(2)(a) GDPR (a legally binding and enforceable document between authorities or public bodies). At the same time, the EDPB emphasizes that the transferring EU company must verify and ensure that the mutual legal assistance treaty includes the necessary appropriate safeguards. Similar to using standard contractual clauses, the transferring company must assess whether the treaty provides for data protection principles such as enforceable rights, effective remedies, independent oversight, and restrictions on onward transfers.

If these conditions are not met, the transferring EU company must identify another transfer ground, such as Article 49 GDPR. However, the EDPB states that Article 49 GDPR must be interpreted narrowly. Consequently, under the EDPB’s interpretation, an EU company might be unable to respond to a valid request under a mutual legal assistance treaty for data protection reasons, even if required to do so under applicable Member State law.

Article 48 GDPR as a Symbolic Statement

Due to its ambiguous wording, the legal nature of Article 48 GDPR is interpreted differently in the literature. Some commentators view Article 48 GDPR merely as a “symbolic statement” clarifying that a third-country decision does not generally serve as a basis for data transfers (Taeger/Gabel/Gabel, 4th ed., 2022, GDPR Art. 48 para. 3; Simitis/Hornung/Spiecker gen. Döhmann/Schantz, 2nd ed., 2025, Datenschutzrecht Art. 48 para. 1; Ehmann/Selmayr/Zerdick, 3rd ed., 2024, DS-GVO Art. 48 para. 6; BeckOK DatenschutzR/Jungkind, 50th ed., Feb. 1, 2024, DS-GVO Art. 48 para. 3). However, the legal consequence of this view remains unclear. Only Zerdick and Spiecker point out that another transfer ground from Chapter V GDPR is necessary. As outlined above, this could lead to companies being unable to respond to valid requests due to data protection concerns, potentially violating applicable Member State laws.

Other commentators argue that the authority to transfer data stems from the legal act itself and not from Article 48 GDPR. However, they leave open whether Article 48 GDPR could still allow the respective agreement to serve as a transfer basis outside the GDPR.

Article 48 GDPR as a Legal Basis

Other commentators argue that Article 48 GDPR, despite its ambiguous wording, permits data transfers based on an international agreement, thus constituting a legal basis (Sydow/Marsch DS-GVO/BDSG/Towfigh/Ulrich, 3rd ed., 2022, DS-GVO Art. 48 para. 10; Kühling/Buchner/Schröder, 4th ed., 2024, DS-GVO Art. 48 para. 12; Gola/Heckmann/Klug, 3rd ed., 2022, DS-GVO Art. 48 para. 2). This view is persuasive.
Article 48 GDPR, like the scenarios under Article 49 GDPR, provides an exception to the principle that the transferring entity must individually establish or ensure the adequacy of the data protection level. This is appropriate, as the transfer is based on a mutual legal assistance treaty, i.e., applicable Member State law. Transferring companies must be able to rely on the treaty’s compliance with other regulations, such as data protection laws or fundamental rights, without being exposed to potential fines. Article 48 GDPR, therefore, has the character of a legal basis.
Recital 102 GDPR underscores that responsibility for an adequate level of protection lies with the Member States, not companies:

“Member States may conclude international agreements which involve the transfer of personal data to third countries or international organizations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects…”

Lex Specialis

Article 48 GDPR contains a more specific provision compared to other rules in Chapter V GDPR, making it lex specialis (Kühling/Buchner/Schröder, 4th ed., 2024, DS-GVO Art. 48 para. 23). Unlike, for instance, Article 49 GDPR, Article 48 GDPR does not require an adequacy decision or appropriate safeguards. In the case of extraterritorial authority requests covered by an international agreement, reference should, therefore, be made to the mutual legal assistance treaty, even when other GDPR transfer grounds are available. Similarly, the EDPB states:

“In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”
(EDPB, Guidelines 2/2018, p. 5)

Conclusion

The EDPB’s interpretation of Article 48 GDPR leads to uncertainties and is ultimately unconvincing. While companies must ensure compliance with applicable law, including adherence to procedural requirements under a mutual legal assistance treaty, they cannot be required to second-guess the validity of the treaty, i.e. Member State law applicable to them. For legal certainty, companies must not be exposed to the risk of fines for complying with Member State laws.
The EDPB should amend its draft to avoid conflicts between data protection laws and Member State legal provisions.