On December 3, 2024, the European Data Protection Board (EDPB) published a consultation draft of Guidelines 02/2024 on Article 48 GDPR. Comments can be submitted until January 27, 2025.
Article 48 GDPR allows a data transfer ordered by a court or authority of a third country only on the basis of a mutual legal assistance treaty or another agreement:
- This covers all official requests; what the request is called does not matter, and explicitly neither does whether non-compliance is threatened with sanctions in any form.
- This includes, for example, inquiries from law enforcement, tax, supervisory or licensing authorities.
The EDPB’s guidelines on this are limited to transfers by private parties, and only those that fall under the GDPR pursuant to Art. 3 para. 1. Companies in Switzerland that fall under the GDPR only because of the targeting of offers or the monitoring of behavior under Art. 3 para. 2 are therefore not addressed (although it remains unclear to what extent the legal situation should differ under Art. 3 para. 2).
A transfer to a third country is subject to the two-stage test: the transfer must firstly comply with the other provisions of the GDPR and secondly meet the requirements of Art. 44 et seq. GDPR.
In the first stage, a transfer made to comply with such a judgment or order requires a legal basis, and the judgment or order itself is not one (because the GDPR generally recognizes only EEA or Member State law as a legal basis). However, the following are possible:
- the fulfillment of a legal obligation within the meaning of Art. 6 para. 1 lit. c GDPR, provided that a mutual legal assistance or other agreement exists that applies in the Member State concerned and requires disclosure;
- the fulfillment of a public task within the meaning of lit. e, if the agreement does not require disclosure but permits it – perhaps a somewhat far-fetched view;
- legitimate interests are also possible (lit. f), provided that the balance of interests is in favor of disclosure. However, the EDPB is expected to be strict here:
26. […] a private business operator, acting as controller, cannot rely on Article 6(1)(f) for the collection and storing of personal data in a preventive manner in order to be able to share such information, upon request, with law enforcement authorities so as to prevent, detect and prosecute criminal offenses, where such processing activities are unrelated to its own actual (economic and commercial) activities. Furthermore, the EDPB has, with respect to a specific situation, previously taken the view that the interests or fundamental rights and freedoms of the data subject in those particular circumstances would override the controller’s interest of adhering to the request of a third country law enforcement authority in order to avoid sanctions for noncompliance.
By contrast, the fulfillment of a contract (Art. 6 para. 1 lit. b GDPR) is hardly an option, and the protection of vital interests (Art. 6 para. 1 lit. d GDPR) only in special exceptions.
In the second stage, the requirements of Art. 44 et seq. GDPR must be met, and Art. 48 is not a permissive provision. However, Art. 46 para. 2 lit. a GDPR comes into consideration, i.e. a “legally binding and enforceable document between public authorities or bodies”, e.g. an agreement within the meaning of Art. 48 GDPR, whereby the minimum safeguards determined by the EDPB must be complied with. In their absence, the agreement may provide the legal basis under Art. 6, but for the purposes of Art. 44 et seq. another basis is required in the opinion of the EDPB.
The EDPB illustrates the procedure as follows: