Microsoft's top lawyer has set out a four-point plan for trans-Atlantic data sharing, which he thinks can revive the EU-US Safe Harbor pact that Europe's top court scuttled earlier this month.
Microsoft president and chief legal officer Brad Smith argues in a blog post that a solution to the data-transfer issue is essential for preserving a global internet.
Without a fundamental long-term change, new laws might simply say personal information must stay within its owner's country or perhaps even on its owner's personal devices. "But that would require a return to the digital dark ages," Smith said.
The European Court of Justice threw out the 15-year-old agreement because it didn't guarantee the protection of Europeans' fundamental rights once their data - sent by companies such as Facebook - arrived in the US, where Safe Harbor protections were trumped by US national security laws that enable mass surveillance.
The decision has caused jitters in the tech sector because it killed off a shortcut to compliance with Europe's data-protection laws, leaving the European Commission and the US searching for a replacement, such as a "Safe Harbor 2.0".
Meanwhile, companies such as Microsoft have prepared alternative arrangements; Microsoft, for instance, offers contracts for its cloud services that incorporate the EU Model Clauses.
It remains to be seen whether either of these options will stand up to legal challenges downstream. Some privacy experts doubt they will. Max Schrems, the Austrian law student whose legal challenge triggered the ruling, has argued: "These contractual solutions do not properly protect the fundamental rights of the data subject."
But Microsoft's Brad Smith thinks there is a way to conform to the court's decision without either 'Balkanising' the internet (that is, requiring data to stay within the subject's own country) or sacrificing national-security powers.
The first step would be ensuring that people's legal rights move with their data, which would require the US government to agree to access EU citizens' data held in the US only in a manner that conforms with EU law.
The second step touches on Microsoft's court battle in the US over a warrant for email stored in Ireland. It would create a new expedited route for the US and EU governments to reach information in the cloud when a citizen's data has been moved outside that citizen's own territory.
"We need to create an expedited process for governmental entities in the US and EU to access personal online information that is moved across the Atlantic and belongs to each other's citizens by serving lawful requests directly with the appropriate authority in an individual's home country," Smith explained.
"The requesting government would seek information only within the limits of its own laws, and its request then would be reviewed promptly by the appropriate government authority in the user's country of nationality. If the designated authority determines the request is consistent with the privacy protections and other requirements of the citizen's local law, it would validate and give it legal effect, authorizing disclosure."
If the US government were to follow this process for EU data stored in the United States, Smith said, it would satisfy the ECJ's requirement that the US provide legal protection "essentially equivalent" to what Europeans would have at home. The same process should apply in reverse, to a US citizen's data stored in Europe.
However, Smith believes an exception would be needed for people who have moved across the Atlantic, so that a government could access the data of a foreign national living within its borders under its own law rather than through the home-country process.