Using a new legal tool doesn't have to mean starting from scratch. Parts of the Safe Harbor agreement can be recycled, and the EU's Binding Corporate Rules are fairly similar, Ustaran said.
Microsoft said Tuesday it's all set to continue data transfers and legally protect customers of its cloud services, including Azure Core Services and Office 365. It's using the EU Model Clauses.
In addition, about 70 companies are using the Binding Corporate Rules. But for most of the approximately 4,000 organizations that have been relying on Safe Harbor, many of which are small and medium-sized businesses, there's a lot of work ahead.
"Many companies will be in limbo," Ustaran said.
They should start by deciding which kinds of data transfers are critical and address those first, looking at which alternatives would work for them.
Each country in the EU has its own data protection authority, and they're likely to take different approaches, Kuner of Wilson Sonsini said. Some might decide Safe Harbor is still adequate. Should companies take a chance on that? "I wouldn't advise it," Kuner said.
He also warned that it's easy to download standard contractual clauses, print them out and sign them, but you actually have to make sure you can comply with them and may need to have them approved by a country's data protection authority.
However much Tuesday's ruling may affect enterprises, the U.S. and EU haven't tackled the greatest threat to data privacy, which is government surveillance, said Nuala O'Connor, president and CEO of the Center for Democracy & Technology. "I don't think anybody's privacy is any better today than it was yesterday," she said.
The U.S. and EU have been working on a new Safe Harbor agreement since, but with issues like government spying to work out, it may take a while.
"I wouldn't be holding my breath for Safe Harbor 2," Ustaran said.
Sign up for CIO Asia eNewsletters.