On Tuesday the CJEU told the Irish DPC it had a duty to investigate. Then it went much further, deciding that the Safe Harbor agreement was invalid anyway as it only bound companies, not U.S. intelligence and law enforcement agencies, to comply.
That decision will reinforce the Commission's position in its negotiations with U.S. authorities on the new Safe Harbor agreement: Its hands are now tied by the court's ruling, which limits the concessions it can make.
There's no telling how long it will take to conclude negotiations, Jourová warned: "I wanted to finalize them before the summer, but I found we needed more time for the national security items."
Meanwhile, the Commission has two strategies for reducing the legal uncertainty created by the death of Safe Harbor.
The first strategy is to encourage companies to switch to one of the other methods of protecting data transfers that are provided for in existing law. These, Jourová said, include the use of standard data protection clauses in contracts between companies or binding corporate rules within a corporate group.
Data can also be transferred on the basis of performance of a contract, she said, giving the example of a hotel booking that can only be completed if the data is sent to the hotel. It can likewise be transferred if that is in the vital interests of the data subject, for instance when transmitting their medical records in a life-or-death situation.
In the absence of other grounds for transfer, data can still be sent out of the EU with the free and informed consent of the individual, she said. Expect a flurry of revisions to privacy policies in the coming weeks.
With the court giving national data protection authorities carte blanche to conduct their own investigations into privacy policies, the Commission's other strategy for reducing uncertainty is to ensure they all follow the same rules.
"We will come up with clear guidance for DPAs on how to deal with the transfer of data to the U.S. in the light of the ruling," Timmermans said. "As businesses need legal certainty, the guidance should help avoid a patchwork of conflicting decisions by DPAs."
Privacy regulators are evidently thinking along the same lines: The Article 29 Working Party, the umbrella organization for the EU's national privacy regulators, said Tuesday that it will meet shortly to provide a coordinated analysis of the court's decision.
It's a busy time for Brussels privacy experts: The Commission has two other major privacy projects on the go, both of which Jourová is confident can be completed by year's end.