U.S. businesses from online coupon company RetailMeNot Inc (SALE.O) to security software company Symantec Corp (SYMC.O) said a European change to rules governing transatlantic personal data transfers would hurt U.S. companies and called for a quick fix.
An EU court on Tuesday struck down a deal to let U.S. and European companies easily transfer personal data between continents, leaving some U.S. companies concerned that they will be frozen out of the market or replaced by EU competitors.
“The biggest fear is they’ll lose the opportunity to provide data services in Europe,” said Emery Simon, counselor to BSA | The Software Alliance, an industry group for software companies such as Oracle (ORCL.N), Salesforce (CRM.N) and IBM (IBM.N).
Tech giants like IBM are more prepared for the change, because they have come to use a number of different legal arrangements they say will keep their data flowing.
The so-called Safe Harbor system allowed U.S. companies to self-certify they met stricter European privacy standards, but the European Court of Justice (ECJ) said the provisions used by more than 4,000 firms did not give Europeans sufficient protection against U.S. government access. Companies from all sectors, from pharmaceutical giant Pfizer (PFE.N) to tech firms like Microsoft (MSFT.O), move user and employee data back and forth across the Atlantic. Tech companies, for instance, store data on many global users in the United States, where they can parse user information for lucrative ad targeting.
A U.S. company with overseas operations might transfer data about employees to centralize its human resources functions at its headquarters.
The EU and the United States will step up efforts to craft a new system, but some U.S. software and data storage firms fear the data flow will stop and that companies will instead rely on European competitors for their services.
“Any U.S. company with employees or customers in Europe is potentially impacted by this ruling,” RetailMeNot spokesman Brian Hoyt told Reuters by email. “We also believe it may also create challenges for data sharing necessary to rapidly provide data analysis for business operations.”
Adobe said it was “evaluating options” to transfer personal data between continents and Autodesk also said it was evaluating the decision.
Symantec said it has other mechanisms in place to legally protect data transfers, but the uncertainty following the ruling has made it difficult for such companies to determine their next steps and how much business might be lost.
Even setting up data servers in Europe would not solve their problems, said Ilias Chantzos, Symantec senior director for government affairs in Europe, Africa and the Middle East and privacy advisor.
“You can’t isolate the flow of data only within one territory or jurisdiction,” Chantzos said.
And data storage without processing would not be enough, added Thomas Boue, Director of EMEA Government Affairs at BSA.
“For companies a lot of the added value is on all the tools they use to process the data, what you do with that data,” he said.
Companies could create new agreements with their customers in the European Union, but the lack of clarity and high costs could leave smaller firms with a “disproportionate share” of the burden of new legal requirements, the U.S. Chamber of Commerce said.
One major European telecoms operator expects many customers, both private individuals and businesses, to reassess their data plans and to look at storing their data within Europe, a source close to the company said.
“It is much more likely that companies will need to store their data in the EU and not with U.S.-based providers, challenging the hegemony of U.S. data storage companies,” said Ian De Freitas, a partner at the law firm Berwin LeightonPaisner.
The larger U.S. companies may face a problem of perception that they have abetted U.S. government surveillance. They say, however, that they have broken no laws. IBM, Facebook, Google Inc (GOOGL.O) and Amazon Inc (AMZN.O),all have additional legal arrangements such as “model clauses” which set privacy standards between the sender and receiver of the data and allow them to continue data transfers.
Some also have agreements with European users who consent to having their data transferred to the United States. Facebook, for example, has a registration process that allows it to obtain consent from users when they sign up for the service.
A prime concern of U.S. companies is that without a centralized system like Safe Harbor, EU privacy regulators could adopt diverging approaches to international data transfers.
The European Commission said it would provide guidance to the regulators to ensure they adopted a common approach.