On 3 December 2024, the EDPB adopted guidelines on Article 48 of the GDPR and a letter to the European Commission on the need to carefully monitor the conditions of access to and use of personal data by third-country authorities in the context of future reviews of its adequacy decisions.
Letter to the European Commission on the review of eleven adequacy decisions adopted before the GDPR
On 15 January 2024, the European Commission concluded its review of the eleven adequacy decisions adopted under Directive 95/46/EC. The European Commission found that personal data transferred from the European Union (EU) to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to benefit from an adequate level of protection. Therefore, these transfers can take place without additional safeguards.
In its report and working document , the European Commission examined the data protection frameworks in the eleven countries and territories concerned, and, for the first time, the rules on access to personal data by public authorities in these countries for law enforcement and national security purposes.
In his letter , the EDPS provides the Commission with methodological observations on certain aspects of his assessment that could have been described in more detail: the rule of law , certain elements of the data protection framework ( key concepts, grounds for lawfulness, rights of individuals, safeguards for automated decision-making, onward transfers, etc.), as well as access to and use of personal data by third-country authorities. The EDPS considers that these aspects should be carefully monitored by the Commission in its future reassessments of the laws and practices of third countries and territories.
This letter was sent by the EDPS Chair to the European Commissioner for Justice, Michael McGrath, on 5 December 2024.
Guidelines 02/2024 on Article 48 of the GDPR
Article 48 of the GDPR provides that “any decision of a court or administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or enforceable in any manner only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer under this Chapter”.
Guidelines 02/2024 aim to clarify the logic and objective of this Article and to provide practical recommendations to controllers and processors in the EU who may receive requests for disclosure or transfer of personal data from third country authorities.
According to the EDPS, the aim of Article 48 is to clarify that judgments or decisions issued by authorities of third countries cannot be automatically and directly recognised or enforced in an EU Member State. As a general rule, the recognition and enforcement of foreign judgments and decisions are guaranteed by applicable international agreements.
Irrespective of the existence of an applicable international agreement, if a controller or processor in the EU receives and responds to a request for the transmission of personal data from an authority of a third country, this data flow constitutes a transfer within the meaning of the GDPR and must comply with Article 6 and the provisions of Chapter V.
An international agreement can constitute both a legal basis and a transfer instrument.
In the absence of an international agreement, or if the agreement does not provide a legal basis under Article 6 GDPR, other legal bases could be considered. Similarly, in the absence of an international agreement or if the agreement does not provide appropriate safeguards under Article 46 GDPR, other transfer instruments could apply, including the derogations provided for in Article 49.
These guidelines are subject to public consultation until 27 January 2025. Contributions can be submitted using the form available on the EDPS website .
https://www.cnil.fr/fr/transferts-de-donnees-hors-de-lue-deux-nouveaux-documents-du-cepd