The court's ruling also threw into question the alternative mechanisms that some companies have chosen to ensure they comply with European law. The changes the Commission is seeking now should help to protect data transferred under those mechanisms, too.
Jourová highlighted four areas where there were still obstacles to an agreement.
First, there is a need for further safeguards against access to Europeans' personal data by U.S. public authorities.
"The U.S. framework has evolved since the Snowden revelations," she said. The insights into the U.S. National Security Agency's operations provided by former contractor Edward Snowden's leaks triggered the court case that ended the Safe Harbor agreement.
There have already been important reforms that introduced stronger oversight and more transparency, she said, but the Commission is still waiting for written assurances that there will be no indiscriminate mass surveillance and that U.S. authorities' access to Europeans' personal data will be limited to what is necessary and proportionate. These assurances will be reviewed.
Second, she said, there must be independent oversight of government access to data, and the possibility for individual redress, even in cases involving the intelligence services. The U.S. Senate has not yet voted on the Judicial Redress Act, which goes some way towards this, although the House of Representatives has already approved the bill.
While the Judicial Redress Act provides that EU citizens will have the same right to redress as U.S. citizens through the courts, Jourová hinted that this may not be sufficient. In the case of complaints about the intelligence services, "This could be done by an ombudsperson with a real capacity to act, which would give a response to individual complaints," she said, according to a transcript of her speech.
In the third area, settling complaints about privacy violations by companies, a number of mechanisms have already been agreed. First, a company can try to resolve the problem itself. If that doesn't work, there is an alternative dispute resolution service. Finally, the U.S. Department of Commerce or the U.S. Federal Trade Commission could take it up. European data protection authorities will be able to channel complaints to those agencies.
These mechanisms might still leave some complaints unresolved. That's a problem, because the EU's Charter of Fundamental Rights says citizens have the right to a legal remedy, Jourová said.
"Therefore, we are working on a 'last resort' mechanism to ensure that all complaints are resolved through a binding and enforceable decision."
The fourth stumbling block is the need for commitments from the U.S. that are formal and binding, Jourová said. Since this is not a treaty but simply an exchange of letters, "We need signatures at the highest political level and publication of the commitments in the Federal Register," she said.