On Wednesday, German data privacy commissioners will meet in Berlin for their annual conference. On the agenda will be discussions on one thing: whether the Safe Harbor agreement between the EU and the US should be scrapped.
The meeting will allow the German regulators to voice their ongoing frustration over the lack of reform that followed the recent revelations that the US' surveillance agency, the NSA, was collecting German citizens' data.
Safe Harbor is a critical agreement for US-based businesses - and particularly tech companies such as Google, Facebook, and Twitter - as it allows them to legally transfer commercial data from the European Union to the US if they agree to uphold EU citizens' rights over how the data is collected and handled. Even a short suspension of the agreement could mean serious disruption to those US companies' business.
For many German officials and politicians, the NSA's ongoing ability to access the data of European citizens held by US companies violates the privacy principles of the agreement - principles that companies can self-certify they uphold.
"I, as well as several of my German colleagues, have serious doubts whether the US companies that have self-certified under the agreement can be considered to be in a safe harbor," Alexander Dix, Berlin's commissioner for data and information, told ZDNet. He called the NSA's data monitoring "aggressive" and "disproportionate".
Following the NSA spying scandal, there have been many calls across Europe to suspend the Safe Harbor agreement - with some of the loudest calls coming from privacy-conscious Germany. Instead of suspending the agreement, however, in November 2013 the European Commission sent the US a list of 13 reforms it would like to see made to Safe Harbor. The US government has still not fully responded to the request, even though it promised to do so by last summer.
The delay is weighing on many privacy regulators like Dix, who believes that if Safe Harbor doesn't provide adequate protection, alternative measures that do should be considered.
It's unclear what the full impact of suspending Safe Harbor would be. Not being allowed to transfer data outside the EU would certainly cause major problems for companies like Twitter whose servers are all in the US. For companies that do have European servers, it would affect their back-office business, where local data may be transferred across the Atlantic for processing by algorithms, profiles, fraud detection, and other data services that are part of their day-to-day operations. It would also be fundamentally disruptive to cloud service providers that have datacenters in multiple countries and constantly move data among them.
Few think Safe Harbor will be revoked due to the value of the business at stake. As well as hitting US-based firms, a suspension would also impact many European-based companies that have a global reach, such as Siemens and SAP - even car companies like BMW have an interest in moving data in and out of the EU.
One possible alternative to suspending Safe Harbor is a measure already making its way through the European legislative system as part of the European Commission's Data Protection Regulation package.
One of the provisions in the package would require outside companies to obey EU privacy laws when providing services in the EU, regardless of where the company is based. So, for example, US-based Apple would have to adhere to the EU regulations regarding data collection and retention when a customer in Munich or Paris buys something from iTunes.
According to German MEP Birgit Sippel, who will be participating in a panel discussion at the Berlin conference, the provision could potentially make the Safe Harbor agreement unnecessary.
However, the entire Data Protection Regulation package is still being debated, so it's unclear whether that provision will make it into the final legislation. And, even if it does, Sippel admits it's not cut and dried whether it will solve the NSA problem in its entirety, given the pressure the US government can put on US companies to provide access to data.
That's one reason Ben Scott, program director at the non-profit thinktank Stiftung Neue Verantwortung, believes that Germany should look at other ways to approach the issue.
"I don't think you can solve intelligence and law enforcement debates with economic legislation," Scott said. "I understand why they are doing that. It seems like the only tool in the toolbox that has a chance of working."
Scott, an American who's a former innovation advisor for the US Department of State, believes that the EU and US should move toward a common set of privacy regulations that are more relevant to today's technology. "There is no realistic alternative but to harmonize policy between the EU and the US," he said. "We need a modernization of privacy and security policy that reflects democratic values."
Scott plans to tell Germany's data protection commissioners at the conference that they could be the ones to envision what that policy might look like.
However, both Scott and Sippel feel that Germany lacks the moral high ground to ask the US government to change its surveillance activities when it comes to data, when its own policies are not very different in practice.
"If it's unacceptable for the US government to reach into data from Google to spy on a German citizen, why can the German government do the same thing with a German company? Why is it that Germans are doing the same thing to the Turks and that's OK?" Scott said. "These kind of inconsistencies make it difficult to negotiate."
Sippel, a member of Germany's social democrat party (SPD), said the political conversation around data privacy has also changed dramatically following the terrorist attacks in Paris.
"Unfortunately at the moment, it is not easy to talk to the US and say they shouldn't do this [collect German citizens' data] because at the same time some people in our own government are thinking of similar ideas," she said.