AuditFront

GDPR Art.48: Transfers or Disclosures Not Authorised by Union Law

What This Control Requires

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

In Plain Language

When a foreign court or government authority demands that you hand over EU personal data, you cannot simply comply. Article 48 establishes that such orders are only recognisable or enforceable if they are based on an international agreement - typically a Mutual Legal Assistance Treaty (MLAT) - between the requesting country and the EU or a Member State.

This matters enormously in the age of extraterritorial data access laws. The US CLOUD Act, for instance, lets US law enforcement compel US-based providers to disclose data regardless of where it is stored. Article 48 makes clear that such demands alone are not a lawful basis for transferring personal data from the EU. Organisations caught between foreign law and the GDPR face a genuine tension that requires careful navigation.

Article 48 does not create an absolute block, though. Other Chapter V transfer grounds remain available - you could potentially rely on Article 49(1)(d) (public interest derogation) or another applicable mechanism. In practice, any organisation receiving a third-country data request should get legal advice immediately and follow an established procedure for handling these situations.

How to Implement

Create a clear procedure for handling third-country government data access requests and court orders. Define who receives and assesses such requests, require immediate escalation to legal counsel and the DPO, set out criteria for determining whether the request is based on an international agreement, outline the response process including any permitted disclosures, and establish how to communicate with the requesting authority.

Train the staff most likely to encounter these requests - legal, IT, security, and customer-facing teams. Make it absolutely clear that nobody should simply comply with a foreign government demand for EU personal data without legal review first. Set up unambiguous escalation paths so requests do not get handled informally at the wrong level.

Assess your exposure to third-country data access laws. If you use providers subject to the US CLOUD Act, Chinese data security laws, or other extraterritorial legislation, evaluate the risk that they could be compelled to disclose EU personal data. Fold this assessment into your Transfer Impact Assessments and consider whether supplementary measures can reduce the risk.

Address government access scenarios in your data processing agreements. Require processors to notify you promptly if they receive a third-country government demand for data they process on your behalf (unless local law prohibits notification). Require them to challenge disproportionate demands where legally possible and to disclose only the minimum data legally required.

Stay current on international agreements and cross-border data access frameworks. New instruments like the EU-US Data Privacy Framework and evolving MLATs change what counts as a lawful basis for disclosure. Track these developments through regulatory guidance, legal updates, and industry groups.

Evidence Your Auditor Will Request

  • Procedure for handling third-country government data access requests
  • Training records for staff on handling foreign data demands
  • Assessment of exposure to third-country extraterritorial data access laws
  • Contractual provisions in DPAs addressing government access requests
  • Records of any third-country data requests received and how they were handled

Common Mistakes

  • Complying with third-country government data demands without assessing whether they are based on an international agreement
  • No procedure for handling foreign government data access requests
  • Staff unaware that foreign court orders do not automatically authorise data transfers from the EU
  • DPAs with processors not addressing the scenario of third-country government access demands
  • No assessment of exposure to third-country extraterritorial data access laws

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.34       Related
ISO 27001   A.5.31       Related

Frequently Asked Questions

What should we do if we receive a US CLOUD Act request for EU personal data?

Do not hand anything over straight away. Escalate to legal counsel and your DPO immediately. Check whether the request is routed through an MLAT or other international agreement. Evaluate whether any GDPR derogation applies. Challenge the request where you legally can. Notify data subjects and the supervisory authority where appropriate. If you are ultimately compelled to disclose, limit it to the minimum necessary. Document the entire process from start to finish.

Does Article 48 block all data transfers requested by foreign governments?

Not entirely. It says foreign judgments and administrative decisions can only be enforced if grounded in an international agreement. But other Chapter V transfer grounds still apply, including Article 49 derogations. Each request needs to be assessed on its own merits with proper legal advice - there is no blanket answer.

What is a Mutual Legal Assistance Treaty (MLAT)?

An MLAT is a formal agreement between countries that sets up procedures for governments to request and provide help in legal and criminal matters, including access to evidence and data. When a request goes through the MLAT channel, it is processed by the requested country's own authorities, which provides judicial oversight and ensures local laws are respected. It is the proper route for cross-border government data requests.
