Safe Harbour's replacement could be in place by February as regulators meet
If negotiators fail to agree terms, firms transferring personal data from the EU to the US face sanctions, EU warns
Privacy regulators from the EU and representatives from the US authorities will meet in Brussels on 2 February to finalise the replacement for Safe Harbour, the agreement governing data transfers between the US and EU that was struck down by the European Court of Justice on 6 October. Provided agreement can be reached, a new pact could be in place before the end of February.
Since Safe Harbour was invalidated, companies that transfer personal data from the EU to the US, and those employing the services of cloud providers that do, have been in legal limbo, uncertain of where they stand.
EU data protection laws stipulate that EU citizens' personal data cannot be transferred to countries with insufficient data protection standards. The rules surrounding personal data are, generally, much more relaxed in the US than in the EU, and Safe Harbour had been a way of bridging that gap, although other mechanisms, such as binding corporate rules, also exist.
Since the collapse of the deal, negotiators have been thrashing out terms of a new agreement, with a target date of January 2016. In the meantime, the EU has granted a grace period for companies to find alternative legal means to transfer data to the US, but this period is coming to an end.
Should the parties fail to reach a substantive agreement after the 2 February meeting, or should the new agreements not offer significantly stronger protections against US snooping than previously, European data protection authorities could start taking action against companies thought to be breaking the rules, Reuters reports.
Once a framework has been agreed, it will be submitted to all 28 EU member states for approval. Further negotiations will follow in order to fine-tune some of the details.
Alternative legal vehicles for transferring data, such as binding corporate rules and model clauses, are likely to come under scrutiny too, to minimise the danger of loopholes that allow companies to bypass the new rules; the way the regulators investigate breaches will also be investigated.
"Part of the decision was to discuss the powers of regulatory bodies and how they use their investigatory powers. How often do they investigate breaches in relation to data transfer? That's not on the top of the audit agenda list for a regulator as opposed to something like data security," Luke Scanlon of technology law firm Pinsent Masons told Computing recently. "The question remains open as to the validity of the other mechanisms."