The European Union's changing data protection laws could make life more difficult for companies that want to transfer information out of the 28-member trading bloc and into the United States.

Currently, companies can move data between the EU countries and the United States under a formal “safe harbor” treaty between the two jurisdictions if the U.S. party gets certification confirming their data procedures comply with seven principles set out in EU data law.

But the inaugural Compliance Week Europe conference heard last week that in the haggling over the final form of Europe's new data protection laws, this safe harbor might well be scrapped.

The warning came from Simon McDougall, a speaker at the conference and managing director of Promontory, a consulting group that follows the EU legislative process closely.

The EU Parliament's Civil Liberties, Justice and Home Affairs committee (known as LIBE) is running an inquiry into revelations that the U.S. National Security Agency engaged in mass electronic surveillance of EU Citizens. It could conclude that safe harbor needs to go, says McDougall.

There's a view on the committee that “you just can't trust the Americans anymore,” he said. “So if you are moving data to the United States under safe harbor, that's something you need to watch. It will be a live issue over the next few months.”

Companies can still move data from Europe to other jurisdictions that the EU has assessed as providing “adequate protection” of data. But there are not many countries on its list.

Data can be moved around inside a group of companies if a European national regulator has certified there are “binding corporate rules” in place to keep the data safe. McDougall said that kind of certification could develop as a data protection “badge of approval” that companies might rely on when moving data to a third party.

“I see it gaining popularity as a way of not having complex contracts or safe harbor. It's not a trend yet, but it wouldn't surprise me if that's one way that large companies will decide whether each other's data rules are credible or not.”