Privacy & Information Security Law Blog

Data Transfers to Third Country Authorities

On June 4, 2025, the European Data Protection Board (“EDPB”) published the final version of Guidelines 02/2024 on Article 48 of the GDPR (the “Guidelines”) regarding data transfers to third country authorities.

The predominant focus of the Guidelines is to clarify that judgements or decisions from third country authorities cannot be automatically or directly recognized or enforced in an EU Member State, reaffirming that a request from a foreign authority does not inherently constitute a legal basis for the processing or a ground for the transfer.

The Guidelines highlight that international agreements may provide for both a legal basis and a ground for transfer, although the Guidelines also recognize that other legal bases or grounds for transfer could be considered where no international agreement exists or where such agreement lacks adequate safeguards. However, while other bases under Article 6 may be suitable, the EDPB clarified that Article 6(1)(b), which provides a lawful basis where processing is necessary for the performance of a contract, cannot be relied upon by a private entity in the EU as an appropriate legal basis to answer a request for transfer or disclosure from a third country authority.

For more information on the Guidelines, read our previous blog on the topic.

Training Materials on AI and Data Protection

During its June plenary meeting, the EDPB presented two new Support Pool of Experts projects, Law & Compliance in AI Security and Data Protection (aimed at data privacy officers and privacy professionals) and Fundamentals of Secure AI Systems with Personal Data (aimed at cybersecurity professionals, developers or deployers of high-risk AI systems), to provide training materials on AI and data protection.

The EDPB hopes that the projects will help provide professionals with essential competences in AI and data protection, creating a “more favorable environment for the enforcement of data protection legislation.”

With the reports, the EDPB, factoring in the “very fast evolution of AI,” has launched a one-year pilot project consisting of a modifiable community version of the reports, enabling external contributors to propose changes or add comments to the documents.