On June 5, 2025, the European Data Protection Board (EDPB) published its definitive guidelines on Article 48 of the General Data Protection Regulation (GDPR). This crucial article addresses legal requests for personal data originating from non-EU authorities. The core principle reinforced by these guidelines is that EU data controllers and processors are prohibited from simply complying with foreign orders, even those from governmental bodies, unless there is a binding international mutual legal assistance treaty (MLAT) or an equivalent cooperation agreement in place. This means that informal or internal arrangements are no longer considered sufficient justification for such data transfers.

Why These Changes Matter Significantly
These updated guidelines represent a substantial shift for organizations operating across multiple jurisdictions. Businesses with offices in both the EU and “third countries” (nations outside the EU/EEA) such as the United States, China, or Australia must now exercise extreme caution. What might have previously been a routine data request from an overseas parent company or a foreign regulator could now be deemed an unlawful disclosure under the GDPR.
The implications of non-compliance are severe and far-reaching:
- Substantial Fines: The GDPR allows for significant financial penalties for violations, potentially amounting to millions of euros or a percentage of global annual turnover.
- User Backlash: Data subjects whose rights have been infringed upon may pursue legal action or express public disapproval, leading to a loss of trust.
- Reputational Damage: Non-compliance can severely harm an organization’s public image and its standing with customers and partners.
Moreover, these guidelines extend beyond EU-based entities. Even non-EU businesses that engage in significant processing of EU personal data are now compelled to comprehensively revise their governance processes to meet these stringent requirements.
Recommended Actions for Compliance
To navigate these new requirements effectively and ensure compliance, organizations should implement the following actions:
- Update Standard Operating Procedures (SOPs): It is imperative to integrate a mandatory two-step process into existing SOPs. This process should ensure that all cross-border data requests are immediately escalated to legal and/or compliance teams for thorough MLAT or equivalent agreement verification before any data is transferred.
- Comprehensive Staff Training: Provide robust training to all relevant teams, including legal, IT, and operations personnel. This training should clearly explain the new dual-confirmation requirement and the heightened scrutiny now placed on foreign data requests.
- Audit and Reporting Mechanisms: Establish a rigorous system to log every data request received, as well as every instance of refusal to comply. This meticulous record-keeping will serve as crucial evidence of due diligence and demonstrate an organization’s readiness for compliance in the event of an audit.
By proactively addressing these areas, organizations can mitigate risks and ensure their data processing practices align with the EDPB’s reinforced guidelines on Article 48 GDPR.