On 5 June 2025, the European Data Protection Board (EDPB) released the final version of its guidelines on Article 48 of the General Data Protection Regulation (GDPR), which governs data transfers to authorities outside the EU/EEA. This finalisation followed a period of public consultation and aims to address mounting concerns over the legality of responding to requests from foreign law enforcement or government authorities for access to personal data.
In addition to these guidelines, the EDPB also introduced new training materials focused on artificial intelligence (AI) and data protection, and it reviewed the European Commission’s proposal to simplify GDPR record-keeping obligations for smaller organisations.
The updated guidelines make it clear that foreign legal decisions, on their own, do not constitute a lawful basis for transferring personal data under EU law. Organisations cannot automatically comply with data access requests from third-country authorities unless two key conditions under the GDPR are met. First, there must be a valid legal basis for processing under Article 6. Second, the transfer must rely on a legitimate mechanism for international data transfers as set out in Chapter V of the GDPR such as an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or an appropriate derogation under Article 49.
In some cases, international agreements such as Mutual Legal Assistance Treaties (MLATs) may provide a legitimate framework for such transfers. However, in the absence of such agreements or where they do not offer adequate safeguards, each transfer must be assessed and justified individually, based on the specific circumstances involved.
These positions are consistent with the EDPB’s interpretation of Article 48 of the GDPR, which affirms that judgements or decisions issued by non-EU authorities are not, by themselves, valid grounds for data transfers unless recognised under EU or international law.
The final version of the guidelines incorporates feedback from stakeholders received during the public consultation and offers additional clarifications. These include guidance on how data processors should respond to such foreign requests; explanations for scenarios where a non-EU parent company receives a request and then instructs its EU-based subsidiary to provide data; and a clear rejection of speculative data transfers, for example moving data to a third country in anticipation of possible future requests.
These refinements are intended to support both controllers and processors in navigating complex legal obligations around cross-border data requests while remaining fully compliant with GDPR.
Alongside these guidelines, the EDPB launched two new projects under its Support Pool of Experts (SPE) initiative, in collaboration with the Hellenic Data Protection Authority (HDPA). These projects aim to close the existing skill gap in AI and data protection by providing targeted training resources for professionals in both legal and technical domains. The first, titled “Law & Compliance in AI Security and Data Protection,” is intended for legal professionals such as Data Protection Officers (DPOs) and compliance specialists. The second, “Fundamentals of Secure AI Systems with Personal Data,” is tailored for technical professionals including cybersecurity experts and developers.
These materials are being made available in PDF format and recognise the rapid pace of change in the AI landscape. The EDPB is also piloting a modifiable, community-driven version hosted on a Git-based platform. Under a Creative Commons licence, this version will allow vetted contributors to suggest edits or add commentary, enabling the guidance to evolve with technological developments.
The Board also discussed a draft proposal from the European Commission to amend Article 30(5) of the GDPR. This amendment seeks to simplify record-keeping obligations for small and medium-sized enterprises (SMEs), small mid-cap companies (SMCs), and organisations with fewer than 750 employees, exempting them from maintaining certain records of processing activities unless their processing poses high risks. The EDPB, together with the European Data Protection Supervisor (EDPS), is expected to issue a joint opinion on the proposal within eight weeks.
This potential change is part of broader efforts to ease regulatory burdens on smaller entities while still upholding strong data protection standards.
Taken together, these initiatives highlight the EDPB’s proactive role in reinforcing the GDPR’s relevance in a rapidly evolving technological and regulatory environment. The finalised Article 48 guidelines offer vital clarity for organisations faced with foreign data access demands, emphasising that compliance with the GDPR cannot be circumvented by external legal systems. At the same time, the SPE’s AI training materials and the Commission’s effort to streamline obligations for smaller organisations represent a balanced approach, enhancing enforcement capabilities while making compliance more practical and accessible in an AI-driven world.
News of the week
1. AT&T Data Leak: 86 Million Customer Records Exposed

On June 6, 2025, it emerged that 86 million unique AT&T customer records, including birth dates, phone numbers, addresses, emails and, alarmingly, 44 million Social Security numbers in plaintext, were posted on a Russian-speaking cybercrime forum. Although this may be a resurfacing of data stolen during the 2024 Snowflake breach, its high-quality organization and the presence of decrypted SSNs mark it as a critical risk for identity theft. AT&T is investigating; meanwhile, affected customers are urged to activate credit monitoring or credit freezes.
https://www.zdnet.com/article/86-million-a-t-customer-records-reportedly-up-for-sale-on-the-dark-web
2. DOGE Expands Access to Social Security Data – New Privacy Concerns

The U.S. Supreme Court has granted the Department of Government Efficiency (DOGE) broad access to Social Security Administration records, including personal identifiers, medical history, and financial data. The ruling also exempts DOGE from key public records laws, raising alarms among privacy advocates who warn of potential government overreach. While officials claim this will improve efficiency, critics argue it threatens personal privacy and sets a troubling precedent for data access.
3. KiranaPro Startup Data Wipe: Internal Breach, No External Hack

Grocery delivery startup KiranaPro revealed that its servers were deliberately wiped by a former employee, Lava Kumar. The incident disrupted operations, but the company assured that no customer data was compromised. CEO Deepak Ravindran clarified that Kumar was removed during a team restructuring, leading to tensions that resulted in the intentional deletion of critical server logs. Initially suspected to be an external cyberattack, the breach forced KiranaPro to rebuild its core systems and raise emergency funding. Adding to the turmoil, reports surfaced of delayed employee salaries, with some staff claiming months of unpaid wages. Ravindran attributed the delays to pending investor funds and assured that payments are being processed. To prevent future incidents, KiranaPro has strengthened access controls and audit logging.