New EDPB guidance clarifies data sharing with non-EU authorities

The EDPB has confirmed new guidance limiting when EU data can be handed over to non-EU authorities, launched training to improve professional skills on AI and privacy, and begun reviewing plans to ease compliance for smaller businesses under the GDPR.
New EDPB guidance clarifies data sharing with non-EU authorities

The European Data Protection Board (EDPB) has published the final version of its guidelines on how organisations should handle requests from authorities outside the European Union to transfer personal data. At the same meeting, the Board also introduced new training resources on artificial intelligence (AI) and data protection, and began work on a joint opinion with the European Data Protection Supervisor (EDPS) regarding simplified record-keeping rules under the GDPR.

Clarifying rules on data transfers

The updated guidelines focus on Article 48 of the General Data Protection Regulation (GDPR), which governs when data can be shared with authorities in non-EU countries (known as ‘third countries’). The EDPB stressed that court rulings or administrative decisions from outside the EU cannot automatically be enforced in Europe. Generally, such transfers need to be covered by an international agreement that includes proper safeguards.

If no such agreement exists, transfers may still be possible, but only under strict conditions and on a case-by-case basis. The final version of the guidelines adds clarifications following public feedback. These include how processors (companies handling data on behalf of others) should respond to requests, and how subsidiaries in the EU should react if their parent company in a third country is asked to hand over personal data.

Training to bridge AI and privacy skills gap

To address the shortage of expertise in AI and data protection, the EDPB unveiled two new training projects developed through its Support Pool of Experts (SPE).

  • Law & Compliance in AI Security and Data Protection: targeted at lawyers, data protection officers, and other compliance professionals.
  • Fundamentals of Secure AI Systems with Personal Data: aimed at technical specialists such as developers and cybersecurity experts working with high-risk AI systems.

Both projects are designed to help professionals balance innovation in AI with privacy protections. Alongside releasing the reports as PDFs, the EDPB will pilot a community-driven version hosted on a Git repository. This allows external contributors to propose edits or comments under an open Creative Commons license, reflecting the rapidly changing nature of AI technologies.

Record-keeping simplification under review

The Board also discussed a request from the European Commission to provide a joint opinion with the EDPS on simplifying GDPR record-keeping obligations for smaller organisations, including SMEs and businesses with under 750 employees. This would involve a targeted amendment of Article 30(5) GDPR. The joint opinion is expected within eight weeks.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top