EDPB links cross-border data-transfer rules with AI skills and governance capacity
A June 2025 EDPB update combined finalized guidance on third-country authority requests with new AI and data-protection training material, pointing to a more operational privacy-governance agenda.
What happened
In June 2025, the European Data Protection Board published the final version of its guidelines on Article 48 GDPR, covering how organisations should assess requests for personal data transfers from third-country authorities. In the same plenary update, the Board also presented new Support Pool of Experts training material on AI and data protection, including legal and technical tracks aimed at privacy professionals, cybersecurity practitioners, and developers.
Why it matters
The combination matters as much as the individual documents. The EDPB is not only refining legal interpretation around cross-border data requests. It is also acknowledging that privacy-friendly AI depends on institutional capability, shared methods, and people who can operationalise governance. That is a more serious posture than treating privacy as a static compliance layer sitting outside technical deployment.
Who is affected
- organisations handling cross-border data requests from non-EU authorities
- privacy and legal teams supporting AI deployment decisions
- developers and security teams expected to implement privacy-conscious AI controls
What to watch next
- whether regulators begin tying AI governance more tightly to transfer, access, and disclosure controls
- whether the EDPB’s community-update approach produces living guidance rather than static PDFs
- whether organisations treat AI privacy readiness as a staffing and capability problem, not just a policy one
Sources and links
- EDPB news update on Article 48 guidelines and AI training materials
- EDPB guidelines on Article 48 GDPR
Verification status
This briefing is based on an official EDPB plenary update and linked guidance.