The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework, which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review. The recommendations call for self-certified companies to disclose their privacy policies and any privacy conditions based on relationships with third-party vendors; improved facilitation to redress methods, including links on certified companies’ privacy policies to alternative dispute resolution (ADR) providers; notification to EU authorities when complaints are filed with the U.S. Federal Trade Commission (FTC), and for the national security exception-which allows law enforcement access to data-to be used “only to an extent that is strictly necessary or proportionate.” There is also a call for self-certified companies to include, within their privacy policies, information on “the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor.” Dutch MEP Sophie in’ t Veld, vice president of Parliament’s Civil Liberties and Home Affairs Committee, said she’s glad the commission is taking steps, but, “We’ve been calling for an evaluation or even suspension action for many years, so this report is overdue.” She said the report is a signal that things are starting to shift.