So you have a court order from a U.S. court seeking data? In the words of Shania Twain, “That don’t impress me much!”
The European Data Protection Board recently issued an opinion on cross border transfers pursuant to Art 48 of GDPR (ie when required by a court order of a non-EU court).
This is what we are discussing with clients:
- If you have an international agreement/treaty in place, you can generally rely on 6(1)(c) (compliance with law) or 6(1)(e) (public interest). If the international agreement does not provide adequate safeguards, however, you still need a transfer mechanism.
- If there is NO international agreement in place, you need to find a legal basis. 6(1)(a) (consent) generally wont do. 6(1)(d) (vital interest) can work when it applies. 6(1)(f) (legitimate interest) also can work, but it is subject to the three part test. You also will need a transfer mechanism (SCCs etc).
- In either case, you can only transfer the data which is actually necessary.