New EDPB guidelines clarify rules for disclosing personal data to third countries
The European Data Protection Board’s new guidelines on Article 48 GDPR clarify that EU-based organisations may only disclose personal data to third-country authorities if an international agreement is in place. The guidelines reinforce legal safeguards against extraterritorial data access and outline strict conditions for lawful transfers, ensuring EU data protection standards are not undermined.

On 4 June 2025, the European Data Protection Board (EDPB) adopted new guidelines on the application of Article 48 of the General Data Protection Regulation (GDPR), offering greater clarity on how EU-based organisations should handle personal data requests from authorities in third countries. These guidelines are especially relevant for private entities that receive such requests directly from foreign courts, regulators, or law enforcement bodies.
Article 48 of the GDPR establishes that foreign decisions requiring access to personal data are only enforceable in the EU if they are based on an international agreement, such as a mutual legal assistance treaty (MLAT), concluded with the Union or a Member State. The EDPB’s new guidelines reinforce this legal requirement and provide a framework to help organisations navigate these situations while maintaining compliance with EU data protection standards.
Defining the legal boundaries
The guidelines clarify that third-country authorities cannot bypass EU law by directly requesting data from EU-based controllers or processors. Without a valid international agreement, such requests carry no legal weight in the EU and do not, by themselves, constitute a legal basis for data processing or transfer.
Importantly, Article 48 must be read in conjunction with the rest of Chapter V of the GDPR, which governs international data transfers. This means that any such transfer must:
- Have a valid legal basis under Article 6 GDPR (e.g. legal obligation, public interest).
- Rely on a recognised mechanism under Chapter V GDPR (e.g. adequacy decision, appropriate safeguards, or narrowly defined derogations).
The EDPB underlines that the absence of a treaty does not create an exception to this rule. Even if responding to a foreign request seems lawful under the requesting country’s laws, it is not sufficient to justify a data transfer under the GDPR.
Practical implications for EU organisations
Organisations in the EU receiving foreign requests must carefully assess the legal framework before responding. If the request is made under a valid international agreement that includes appropriate safeguards, it may be possible to comply. Otherwise, entities are advised to refer the requesting authority to the relevant domestic channels, such as through mutual legal assistance procedures.
In cases of uncertainty, organisations should consult national authorities like the Ministry of Justice or supervisory data protection bodies. If the recipient is a data processor, they must also notify and follow the instructions of the data controller unless prohibited by law.
The guidelines also explore the limitations of relying on legal bases such as consent, legitimate interest, or vital interest. These alternatives may be theoretically available, but are often inappropriate or insufficiently robust to justify data sharing in sensitive contexts.
Why this matters
These guidelines reinforce the EU’s stance on safeguarding personal data against extraterritorial overreach and provide clarity for businesses facing growing pressure from global regulatory bodies. For civil society organisations, the guidelines affirm the importance of strong legal protections in cross-border data exchanges and highlight the ongoing need for oversight, transparency, and the rule of law in digital cooperation.
As data access demands from non-EU countries increase, often in the name of national security or commercial regulation, the EDPB’s guidance ensures that EU privacy rights remain a legal priority, not a secondary consideration.