Establishing partnerships in Europe with companies that can replicate a U.S. business may be the most practical and immediate solution available to companies concerned about legal challenges after the European Union invalidated the U.S.-EU data sharing agreement known as Safe Harbor, technology experts said.
The European Court of Justice’s decision to strike down the agreement did not immediately invalidate data transfers cross-continents, but it did open up all transfers to the U.S. and perhaps elsewhere to challenges from every EU-member nation, experts point out.
U.S. companies looking to protect themselves from getting entangled in European privacy challenges have few options at their disposal, partly because the technology to so selectively control cross-border data simply doesn’t exist, said Russell Stern, chief executive of networking company Solarflare.
“The technology for what might be the right thing to do doesn’t exist yet,” Mr. Stern said.
He suggested that the easiest practical solution at the moment is a structural one involving partnerships with European companies to host and mirror content in Europe instead of piping it across the Atlantic. Such a solution won’t work for many companies and it leads to a increase of costs due to duplicating services, but Mr. Stern said such a structural fix skirts the now politically sensitive privacy issues.
“Avoid the technical issues for the moment…let the technical issues settle down,” Mr. Stern said.
Many companies that aren’t large consumer service businesses already have a local data business model that avoids the U.S.-EU transfer altogether. “By keeping the data local no data is being transferred to the United States,” said Viktor Tadijanovic, chief technology officer from Abacus Group, which provides technology support to financial service companies.
With more than 4,500 companies’ European business models at stake after the end of Safe Harbor and few good options available as an alternative to an overarching privacy agreement, companies may assume that the U.S. and EU will be forced to quickly hash out a new arrangement to ensure business keeps moving. To be discussed are technical issues over whether data protection authorities in EU countries can examine complaints over how their personal information is handled and whether the U.S. is a country that poses undue privacy risks to people in the EU because of its information-collection programs run by government agencies such as the National Security Agency.
But Aleecia McDonald, a privacy expert at Stanford Law School, said the nature of the dispute indicates an overarching political solution might not be as forthcoming as businesses hope because of the dramatically different way the U.S. and EU view the problem.
The U.S. bases its data-collection programs on national security, an issue that can be difficult to compromise around. The European court made its decision using a strict human rights framework, Ms. McDonald pointed out.