When Does GDPR Act as a Blocking Statute: The Relevance of a Lawful Basis for Transfer

Abstract

This paper addresses an important practical topic – when does the EU General Data Protection Regulation (GDPR) act as a “blocking statute,” to prohibit transfers of personal data in response to requests by non-EU law enforcement agencies? Since the GDPR went into effect in 2018, there has been considerable discussion of this issue, most notably when there is a request from US law enforcement for emails and other records held by cloud service providers. This paper builds upon Theodore Christakis’ recent article on the effects of Article 48 and 49 of GDPR on when the GDPR acts as a blocking statute. This paper expands the discussion by addressing the full set of GDPR legal provisions that govern such transfers of personal data from the EU to a non-member country, including the lawful bases for transfer under Articles 45 and 46 of GDPR. This paper concludes, in certain circumstances, that there is a “lawful basis” for transferring personal data out of the EU, without a blockage by Article 48. This article examines the text and legislative history of the GDPR, and provides an overall interpretation that is consistent with all of the GDPR provisions that govern such cross-border transfers. The European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB), by contrast, omitted any analysis of GDPR Articles 45 and 46 from their “initial legal assessment” of these issues. Part 1 of this paper presents the relevant EU and US legal texts. Part 2 explains why a US court order would be effective on a company headquartered in the US when the data is already in the US. Part 3 presents insights from the legislative history of Article 48. The GDPR narrowed the earlier proposed version of the blocking provision in at least five respects. Part 4 explains one significant blocking effect that does exist under Article 48 as adopted – where there is no pre-existing lawful basis for transfer, then Article 48 clearly acts as a blocking statute. Part 5 provides a 2x2 table that summarizes the legal conclusions. Overall, the paper supports the conclusion that Article 48 likely blocks in situations where there is a lawful basis for transfer but the data is in the EU. By contrast, there are strong reasons why Article 48 does not block when there is a lawful basis for transfer but the data is in the US, including the lack of extra-territoriality when a US court orders a US company to produce evidence held in the US. Part 6 examines a separate piece of the EDPS/EDPB initial legal assessment, concerning GDPR Article 6. That legal assessment took a surprisingly narrow view of what constitutes legal processing under GDPR with respect to transfers to third countries. The discussion here queries whether this narrow view is consistent with Article 6. In sum, overall, the GDPR has a narrower blocking effect than prior analysis have suggested.