EU data experts urge caution with info requests from outside the EU
The EU data protection authorities explain that judgments or decisions by authorities from third countries such as the USA cannot be automatically recognized.
At its most recent plenary session, the European Data Protection Board (EDPB) adopted the final version of its guidelines for data transfers to authorities in third countries. The decision was preceded by a public consultation. In the paper, the EU data protection authorities primarily address Article 48 of the General Data Protection Regulation (GDPR) in more detail. In particular, they state that judgments or decisions by authorities from countries outside the EU cannot be automatically recognized or enforced in Europe.
Article 48 GDPR deals with transfers or disclosures of personal information that are not permitted under EU law. In principle, an international agreement can provide both a legal basis and a reason for a transfer, the EDPB now explains. However, applicable agreements must stipulate, among other things, "that the main data protection principles are guaranteed by both parties". Enforceable and effective rights of data subjects should therefore be guaranteed and barriers to onward transfer and data exchange should be included. In addition, protective measures for sensitive data as well as independent redress and control mechanisms should be included.
The guidelines focus on requests aimed at direct cooperation between an authority in a third country and a private company in the EU. According to the EDPB, such requests can be made by all kinds of authorities. This also includes those that control the private sector, such as banking supervisory and tax authorities.
Without an agreement, a case-by-case assessment is necessary
In such cases, the GDPR applies, the committee states. This means that, as with every corresponding transfer, there must be a legal basis for the processing in Article 6 and a reason for a transfer in Chapter V GDPR. This stipulates, for example, that information collected during transfers must be processed lawfully, fairly and in a way that is comprehensible to the data subject. Caution is particularly important here, as many third countries have data protection laws that do not offer the same level of protection as the GDPR.
Without a suitable international agreement, "in exceptional cases and on a case-by-case basis, other legal bases or other reasons for the transfer may be considered", emphasizes the EDPB. In principle, this also applies if the recipient of a request is a processor. General statements can only be made to a limited extent due to the large number of possible situations. In principle, consent in accordance with Article 6 can also be considered as the basis for a transfer to third countries. In certain areas, however, this instrument is "generally unsuitable, especially if the processing of the data is associated with the exercise of official powers".
According to the guidelines, the legal basis of the "vital interests of another natural person" should only be relied on if there is clearly no other legal basis available. In principle, any processing on the basis of a legitimate interest, where that basis is still open to question, is limited to what is demonstrably and specifically necessary for the purpose in question.
Law enforcement is largely excluded
For the purposes of law enforcement and national security, data is usually exchanged between the authorities involved, the data protection authorities explain. Article 48 and the GDPR as a whole are therefore not applicable there. A separate data protection directive covers the areas of justice and law enforcement. The EDPB therefore reiterates that in situations where, for example, a mutual legal assistance agreement exists, EU companies should generally refuse direct requests and refer the requesting third-country authority to the available instrument.
Recently, however, more and more international agreements have been concluded that also provide for direct requests from law enforcement authorities in third countries for access to personal data processed by private institutions in the EU. The committee complains that this principle is thereby being undermined. It refers, for example, to the Additional Protocol to the Convention on Cybercrime on the disclosure of electronic evidence (e-evidence). Nevertheless, the rules of criminal procedure of the member state in which the body receiving the request is established would also apply in such cases.
Furthermore, these guidelines do not cover scenarios in which an authority of a third country requests personal data from a parent company based on its territory, but the requested information is held by its subsidiary in the EU. In such a case, the subsidiary would have to comply with the GDPR as an exporter. Depending on the scope, an adequacy decision such as the EU-US data protection framework could then be a relevant instrument for such transfers. However, the European Court of Justice (ECJ) ruled in the "Schrems II" judgment in 2020 that individual US laws continued to enable mass surveillance and that the data protection standard in the US did not correspond to that in the EU.
(nie)