On Decem­ber 3, 2024, the Euro­pean Data Pro­tec­tion Board EDPB published a Con­sul­ta­ti­on draft of the Gui­de­lines 02/2024 on Artic­le 48 GDPR published. Comm­ents can be sub­mit­ted until Janu­ary 27, 2025.

Artic­le 48 GDPR allo­ws a Data trans­fer by order of a court or aut­ho­ri­ty of a third coun­try only on the basis of a Mutu­al legal assi­stance trea­ty or ano­ther agreement:

  • This inclu­des all offi­ci­al requests; the name does not mat­ter, and expli­ci­t­ly not whe­ther non-com­pli­ance is threa­ten­ed with sanc­tions in any form.
  • This inclu­des, for exam­p­le, inqui­ries from law enforce­ment, tax, super­vi­so­ry or licen­sing authorities.

The EDPB’s gui­de­lines on this are limi­t­ed to trans­mis­si­on by Pri­va­te and only tho­se that Art. 3 para. 1 fall under the GDPR – com­pa­nies in Switz­er­land that only fall under the GDPR due to an offer ori­en­ta­ti­on or beha­vi­oral obser­va­ti­on accor­ding to Art. 3 para. 2 are the­r­e­fo­re not addres­sed (alt­hough it remains unclear to what ext­ent the legal situa­ti­on should dif­fer under Art. 3 para. 2).

In the event of a trans­fer to a third coun­try, the Two-stage testThe trans­fer must first­ly com­ply with the other pro­vi­si­ons of the GDPR and second­ly com­ply with the requi­re­ments of Art. 44 ff GDPR.

In the first stage, the trans­mis­si­on in com­pli­ance with a cor­re­spon­ding judgment or order requi­res a Legal basisand the judgment or order is not one (becau­se the GDPR gene­ral­ly only reco­gnizes EEA or Mem­ber Sta­te law as a legal basis). Howe­ver, the fol­lo­wing are possible

  • the ful­fill­ment of a Legal obli­ga­ti­on within the mea­ning of Art. 6 para. 1 lit. c GDPR, pro­vi­ded that a mutu­al legal assi­stance or other agree­ment exists that applies in the Mem­ber Sta­te con­cer­ned and requi­res disclosure;
  • the ful­fill­ment of a public task within the mea­ning of lit. e, if the agree­ment does not requi­re dis­clo­sure but per­mits it – per­haps a some­what far-fet­ched view;
  • legi­ti­ma­te inte­rests are also pos­si­ble (lit. f), pro­vi­ded that the balan­ce of inte­rests is in favor of dis­clo­sure. Howe­ver, the EDPB is expec­ted to be strict here:

    26. […] a pri­va­te busi­ness ope­ra­tor, acting as con­trol­ler, can­not rely on Artic­le 6(1)(f) for the coll­ec­tion and sto­ring of per­so­nal data in a pre­ven­ti­ve man­ner in order to be able to share such infor­ma­ti­on, upon request, with law enforce­ment aut­ho­ri­ties so as to pre­vent, detect and pro­se­cu­te cri­mi­nal offen­ses, whe­re such pro­ce­s­sing acti­vi­ties are unre­la­ted to its own actu­al (eco­no­mic and com­mer­cial) acti­vi­ties. Fur­ther­mo­re, the EDPB has, with respect to a spe­ci­fic situa­ti­on, pre­vious­ly taken the view that the inte­rests or fun­da­men­tal rights and free­doms of the data sub­ject in tho­se par­ti­cu­lar cir­cum­stances would over­ri­de the controller’s inte­rest of adhe­ring to the request of a third coun­try law enforce­ment aut­ho­ri­ty in order to avo­id sanc­tions for noncompliance.

On the other hand, the ful­fill­ment of a con­tract (Art. 6 para. 1 lit. b GDPR) and only in spe­cial excep­ti­ons the pro­tec­tion of vital inte­rests (Art. 6 para. 1 lit. d GDPR) hard­ly come into question.

Second­ly, the requi­re­ments of Art. 44 et seq. GDPR must be met, and Art. 48 is not a per­mis­si­ve pro­vi­si­on. Howe­ver, Art. 46 para. 2 lit. a GDPR, a “legal­ly bin­ding and enforceable docu­ment bet­ween public aut­ho­ri­ties or bodies”, e.g. a Agree­ment within the mea­ning of Art. 48 GDPR, wher­eby the mini­mum safe­guards deter­mi­ned by the EDPB must be com­plied with. In their absence, the agree­ment may pro­vi­de the legal basis under Art. 6, but for the pur­po­ses of Art. 44 et seq. ano­ther basis is requi­red in the opi­ni­on of the EDPB

The EDSA illu­stra­tes the pro­ce­du­re as follows: