At an informal meeting of the EU Justice Council last week, Vice President Viviane Reding said that the Commission would present a "solid assessment" of the current arrangements to ministers before the end of the year.
The announcement comes shortly after the European Parliament called on the Commission to review Safe Harbour following reports that parties to the agreement were involved in the US intelligence services' PRISM programme. Article 3 of the agreement requires the Commission to reverse or suspend the Safe Harbour agreement if its standards are not complied with.
"The Safe Harbour agreement may not be so safe after all," Reding said. "It could be a loophole for data transfers because it allows data transfers from EU to US companies - although US data protection standards are lower than our European ones."
Current EU data protection laws prevent companies from sending personal data outside of the EEA unless "adequate protections" have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection.
The European Commission and the US Department of Commerce have an agreed framework in place that allows for the transfer of personal data from Europe to the US where data protections meet EU standards. US organisations that self-certify that they conform to the requirements of the Safe Harbour scheme are deemed as having met European safety standards outlined in the Data Protection Directive.
Recent media reports have revealed details about a US computer system called PRISM through which officials at the US National Security Agency (NSA) can access information stored by Google, Facebook and Microsoft, and a number of other technology companies. Amidst uproar from privacy groups, US government and intelligence officials have claimed that data is accessed in line with the US Foreign Intelligence Surveillance Act (FISA). Many of the tech firms have denied knowledge of PRISM and claimed that they do not participate in any surveillance programme that involves granting direct access to their systems.
Reding said that the uncovering of the PRISM programme had been a "wake-up call" to which the EU's ongoing data protection reforms were "Europe's answer".
The Commission outlined plans to reform and update the EU's data protection framework in January 2012. Its proposed General Data Protection Regulation would replace the existing "fragmented and outdated" regime with a single data protection law across all 28 EU member states.
The proposals, which now need to be approved by member states and the European Parliament, would extend "in full" to companies that process the personal data of EU citizens from outside the EEA. According to the Commission, the rules should apply "from the moment of collection to the moment of deletion of the data", with tough sanctions applicable to companies that do not comply. The new rules as drafted also propose "a legal framework that involves judicial control" for third countries that want to access the data of EU citizens.
Data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that given this background, a review of the Safe Harbour agreement was unsurprising.
"Data protection practices and procedures in the EU are in a state of flux at the moment because the legislation is under review," she said. "The Safe Harbour agreement will need to be updated in light of this to reflect the general direction of travel of European data protection legislation, and to reflect changes in market practices."