Europe's top data privacy watchdog called on firms to limit transfers of Europeans' personal data to the United States, sounding a warning after a court struck down a pact between the regions over concerns about U.S. government surveillance.
Yet Isabelle Falque-Pierrotin, who heads a working group of 28 European data protection regulators, also sought to reassure by saying companies would have three months' grace to comply with the court decision before countries begin enforcement actions.
The Court of Justice of the European Union (ECJ) earlier this month struck down a 15-year-old system enabling companies to easily transfer Europeans' personal data across the Atlantic.
The landmark decision stemmed from a complaint by Austrian law student Max Schrems, who challenged Facebook's (FB.O) transfers of European users' data to its American servers because of the risk of U.S. snooping.
The United States and European governments are scrambling to negotiate a replacement for the so-called Safe Harbor pact, but some are sceptical they will succeed.
Meanwhile corporations are exploring back-up plans, such as building more local data centers in Europe to store information, and alternate legal measures such as consent forms or contracts.
Falque-Pierrotin pledged European regulators and governments would look for "pragmatic and realistic" solutions but also warned things could not continue as before.
"No one wants data transfers to stop completely, but neither does anyone want information on European citizens, who have certain rights under our laws, to be completely without protection when they leave Europe," said Falque-Pierrotin.
"We must all comply, including the companies who should reconsider, maybe critically, the organization of their cross-border data flows ... They should ask themselves, are all these transfers justifiable?"
Groups like Google (GOOGL.O) and Microsoft (MSFT.O) are particularly affected by the end of the data transfer pact, since their web-based services often require shifting user data around. But so are companies with global workforces, and a slew of smaller firms with fewer resources to devote to compliance.
Under EU data protection law, companies are not allowed to transfer Europeans' personal data to countries with inadequate privacy safeguards, of which the United States is one.