Caution Advised on Information Requests from Third Countries, EU Data Protectors Warn

Mon 9th Jun, 2025

The European Data Protection Board (EDPB) has recently finalized its guidelines concerning the transfer of data to authorities in third countries, emphasizing that judicial rulings or decisions made by foreign authorities, such as those from the United States, cannot be automatically recognized or enforced within the European Union.

These guidelines were adopted following a comprehensive public consultation and focus on Article 48 of the General Data Protection Regulation (GDPR). The EDPB clarifies that international agreements may serve as a legal basis for data transfer; however, they must ensure compliance with fundamental data protection principles by all parties involved.

Importantly, any applicable agreements should guarantee enforceable rights for data subjects and include safeguards against further data transfers. They should also provide protective measures for sensitive data, alongside independent legal recourse and oversight mechanisms.

The guidelines specifically address requests aimed at direct cooperation between authorities in third countries and private companies within the EU. Such requests can originate from a wide range of agencies, including those that regulate the private sector, like banking and tax authorities.

In cases where no international agreement exists, the EDPB stipulates that each request must be assessed on an individual basis. This necessitates a legal basis for processing under Article 6 and a valid reason for transfer as outlined in Chapter V of the GDPR. The regulations dictate that data must be processed legally, in good faith, and in a manner understandable to the individuals concerned.

Particular caution is advised, given that many third countries have data protection laws that do not provide the same level of protection as the GDPR.

In the absence of a suitable international agreement, alternative legal bases or reasons for data transfer may be considered on a case-by-case basis. This applies even when the recipient of a request is a data processor. Generalizations are limited due to the variety of potential scenarios, but obtaining consent under Article 6 could be a viable basis for transferring data to third countries. Nonetheless, this approach is often deemed unsuitable, especially when data processing involves the exercise of governmental authority.

The guidelines emphasize that reliance on 'vital interests of another natural person' should only occur when no other legal grounds are applicable. Moreover, processing based on legitimate interests must be limited to what is demonstrably necessary.

When it comes to law enforcement and national security, data exchanges typically occur between the respective authorities, meaning Article 48 and the GDPR do not apply. There is a separate data protection directive specifically for justice and law enforcement sectors. The EDPB reiterates that, in instances where mutual legal assistance agreements exist, EU companies should generally refuse direct requests and instead direct the third-country authority to the appropriate legal frameworks.

Recently, however, there has been a rise in international agreements that allow direct requests from law enforcement agencies in third countries for access to personal data processed by private entities within the EU, raising concerns about undermining existing principles. The board highlights the additional protocol to the Convention on Cybercrime regarding the disclosure of electronic evidence (E-Evidence) as an example. Still, the enforcement rules of the member state receiving such a request must be adhered to.

These guidelines also do not cover scenarios where a third-country authority requests personal data from a parent company located within its jurisdiction, while the data sought resides with its subsidiary in the EU. In such situations, the subsidiary must comply with the GDPR. Depending on the circumstances, an adequacy decision, such as the EU-US Privacy Shield framework, could serve as a relevant instrument for such transfers. However, the Court of Justice of the European Union (CJEU) determined in its 2020 'Schrems II' ruling that certain US laws still permit mass surveillance, thereby failing to meet the EU's data protection standards.

