EU's revamped data transfer tools will have more safeguards

The EU's new data transfer tools are fully compliant with the GDPR and will allow citizens' data to be encrypted or pseudonymised

The European Commission is set to adopt revamped data transfer tools,which will provide more legal and privacy safeguards to enable companies to transfer European users' data securely around the world.

In a press conference on Wednesday, European Commissioner for Justice Didier Reynders said EU officials have "incorporated some elements of transparency, accountability" in data transfer tools, which are fully compliant with the General Data Protection Regulation (GDPR).

Reynders said companies sending data to third countries (outside the EU) could seek to protect it from being accessed by foreign governments by encrypting the data or sending it anonymously. Companies will have to make the decision on a case-by-case basis.

"It is the task of companies to see if they only use SCCs (standard contractual clauses), or put additional safeguards like encryption and pseudonymised personal data," Reynders said.

He promised that new SCCs would be easier for companies to use, while also meeting the requirements of the GDPR and Schrems II.

SCCs are a standardised form of document that, once approved by the European Commission, allow companies to transfer data for services ranging from cloud infrastructure, hosting, finance, payroll, etc., without further reference to the authorities.

Last July, the European Court of Justice (ECJ) told privacy regulators to suspend transfers via SCCs outside the EU if data protection in other countries could not be assured. The court also invalidated the four-year-old Privacy Shield agreement between the EU and the USA, on the grounds that it had failed to adequately protect European users' data from US surveillance.

In its ruling, the Court said that US laws did not match the strict data protection requirements established by the GDPR, so European citizens' personal data cannot be safely processed in the US without additional safeguards.

However, the Court still allowed cloud companies to use SCCs as a legal mechanism for data transfers, with some adjustments.

The EU and USA are currently in talks about a new data protection agreement to resolve the issue facing thousands of companies.

Reynders, who is discussing the new agreement with the US Secretary of Commerce, Gina Raimondo, said any agreement between the two parties would have to acknowledge the enforcement of an individual's rights.

The goal of these discussions is to avoid "Schrems III," he said.

The EU's adoption of new data transfer tools comes as the European Data Protection Supervisor (EDPS) has opened an investigation to examine whether EU agencies and institutions using AWS and Microsoft Azure cloud services are effectively protecting the personal data of European users in accordance with GDPR guidelines.

The EDPS is also investigating in a separate probe into whether the European Commission's use of Microsoft Office 365 complied with earlier recommendations.

Earlier this year, AWS said it had 'strengthened contractual commitments that go beyond what's required by the Schrems II ruling.'

Last month, Microsoft announced a new programme, dubbed the 'EU Data Boundary for the Microsoft Cloud,' which would apply to all of Microsoft's core cloud services, including Azure, Dynamics 365 and Microsoft 365, and allow the company's commercial and public sector customers (in the EU) to store and process the majority of their data within the Union by the end of 2022.