This article reviews the announcement of the European Data Protection Board on the transfer of personal data on the basis of legal obligations deriving from international agreements.
With a recent announcement made by the European Data Protection Board (EDPB) along with the national Supervisory Authorities, EDPB recalled the requirements imposed by Article 96 of the General Data Protection Regulation (GDPR) and Article 61 of the Law Enforcement Directive (LED). These provisions deal with international agreements concluded by the EU Member States concluded prior to 24 May 2016 or 6 May 2016 respectively that involve the transfer of personal data to third countries or international organisations. These international agreements comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.
This announcement was made after the EDPB and national Supervisory Authorities have received and evaluated concerns/questions regarding the exchange of personal data between public authorities under existing international agreements in different areas.
While Article 96 of the GDPR deals with general relationships created via previously concluded international agreements, Article 61 of LED addresses specifically international agreements concerning judicial cooperation in criminal matters and police cooperation.
The EDPB deems that, in order to ensure that the level of protection of natural persons guaranteed by the GDPR and the LED is not undermined when personal data is transferred outside the European Union under such international agreements, such agreements should be brought in line with the GDPR and LED requirements for data transfers where this is not yet the case.
Therefore, all Member States are invited to examine and, where necessary, review the international agreements they have concluded that involve international transfers of personal data, (such as those relating to taxation), which were concluded prior to 24 May 2016 (for the agreements relevant to the GDPR) or 6 May 2016 (for the agreements relevant to the LED).
This review should be done in order to ensure the pursuance of important public interests covered by these agreements, while creating an alignment with current EU legislation and case law on data protection.
The EDPB recommends that, such a review should be made by the Member States on the basis of the provisions of the GDPR and LED themselves, as well as relevant EDPB guidelines applicable to international transfers, and case-law of the European Court of Justice.
In the light of the above, organizations that transfer personal data outside the EU based on specific international agreements should be extra careful and ensure that such international transfers are made in compliance with GDPR.
 In particular, the EDPB issued Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies2 in December 2020 which can be found here.
 All relevant case law including the Schrems II judgment of 16 July 2020.