The US government (USG) has provided comments on the European Data Protection Board (EDPB) Guidelines 02/2024, particularly regarding data transfers under GDPR Article 48. The comments reflect the US’s position that data transfers should be facilitated for law enforcement and security purposes, while simultaneously criticizing the EU’s restrictions. However, this position appears contradictory given that the US itself restricts transfers of its own citizens’ data to several countries (e.g., China, Iran).
Key Points in the USG Comments
Objection to the EDPB’s Interpretation of GDPR Article 48
- The USG argues that the EDPB Guidelines should remove any suggestion that lawful orders requiring data transfers by companies subject to a country’s jurisdiction violate international law.
- The USG claims this is inconsistent with existing EU law (e.g., the e-Evidence Regulation 2023/1543) and international treaties such as the Budapest Convention on Cybercrime.
- They emphasize that GDPR itself (Article 49) allows for derogations that permit data transfers under specific conditions.
Argument for Recognizing the Importance of Cross-Border Data Transfers
- The US highlights that investigations into serious crimes often require international data access.
- They cite the Budapest Convention and the UN Convention Against Cybercrime as frameworks that enable such cooperation.
- The CLOUD Act (2018) is referenced as a US legal framework allowing data-sharing agreements with foreign governments (currently under negotiation with the EU).
Position That Third-Country Requests Should Not Be Seen as Violating International Law
- The USG suggests that Article 48 should be framed within the reality of international cooperation.
- They claim that denying such requests could harm criminal investigations and hinder security cooperation between democratic nations.
- The US urges the EDPB to recognize that data transfer restrictions should be managed through cooperation rather than outright refusal.
Contradiction in the US Position
While the US is pushing for greater flexibility in EU data transfers to the US, it simultaneously restricts data flows for its own citizens when it comes to certain foreign nations (e.g., China, Iran, Russia, North Korea).
This raises several issues:
1. US Blocking Data Transfers from Its Own Citizens to Certain Countries
- The US enforces strict controls over data sharing with countries it considers adversarial, citing national security risks.
- Example: The US has imposed restrictions on TikTok, Huawei, and other Chinese companies, citing concerns over data access by foreign governments.
- The US prohibits many American companies from transferring sensitive user data to China, Iran, and other sanctioned nations.
2. Selective Application of Data Transfer Rules
- The US wants Europe to allow US access to European data, arguing this is necessary for law enforcement and security.
- However, the US does not apply the same principle when it comes to data transfers from US citizens to other countries.
- This is a double standard: the US demands open data flows from Europe while imposing strict restrictions on its own outbound data transfers.
3. US Law vs. European Privacy Standards
- The US lacks a comprehensive federal data protection law comparable to GDPR.
- The US CLOUD Act allows the government to access data stored anywhere in the world by US companies, which raises privacy concerns in the EU.
- The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework in 2020, citing concerns over US surveillance laws (e.g., FISA Section 702).
- If the US is demanding greater access to EU data, then it must address EU concerns over mass surveillance and lack of privacy protections for non-US citizens.
Conclusion: US Demands vs. Its Own Restrictions
The US government's comments on the EDPB guidelines reflect a clear strategic interest in facilitating data transfers from the EU to the US, particularly for law enforcement and security purposes.
However:
- The US itself blocks similar data transfers when it deems certain countries national security risks.
- There is no legal reciprocity: while the US expects the EU to facilitate data access, it does not guarantee privacy protections for EU citizens.
- If the US wants greater EU cooperation, it must apply the same standards to its own data transfer restrictions.
This contradiction in policy raises questions about the credibility and fairness of the US position. If the US insists on national security exceptions, then the EU is justified in applying similar safeguards for its citizens' data.
Ronni K. Gothard Christiansen
Creator, AesirX.io