Indeed, there are two sets of regulations that would provide clarity in order to allow business to flourish, said Brad Smith, general counsel at Microsoft.

When Smith is in Brussels, he said, people commonly point out that the EU has data privacy laws while the U.S. doesn't. That's only partly true, he said. The EU has laws that govern practices companies must follow regarding consumer data, but there is no European-level legislation governing data retention between the government and citizens. The U.S. doesn't have legislation around how companies must handle consumer data but it does have laws, like ECPA, about how the government can access data.

Microsoft thinks it's very important to have clear and balanced laws in both areas. "We are supportive of this because we see it as essential in the long term for building a healthy marketplace," Smith said.

Laws around the use of personal data by companies would help track down security holes, said Chris Hoofnagle, a professor at the University of California Berkeley School of Law.

"We have no ability to tell how personal information traverses the market economy," he said. As a result, if someone tries to sue a company because of identity theft, the company has a great defense because hundreds of organizations likely have the same personal information about the person. That means the person can't prove where the data leak happened.