Coordinated Supervision shifts into higher gear

Today, the Coordinated Supervision Committee (CSC) published its Work Programme for 2022-2024.

The CSC operates within the European Data Protection Board (EDPB), best known for its consistency and guidance role to ensure the consistent application in the European Union of the General Data Protection Regulation and of the Law Enforcement Directive. The CSC functions autonomously within the EDPB and has its own rules of procedures and working methods. The EDPB Secretariat provides the Secretariat of the CSC.

The CSC is a group gathering national supervisory authorities (SAs) and the European Data Protection Supervisor (EDPS) to ensure coordinated supervision of large-scale IT systems and of EU bodies, offices and agencies (EUIs).

A growing framework & expanding responsibilities

Over the last years, EU large-scale information systems connecting EU Member States’ authorities and EUIs have increased and evolved. Through these systems, the EUIs and national authorities share personal data electronically, with an unprecedented speed and volume.

Supervision of these large-scale information systems and EUIs is two-fold: the national SAs supervise data processing by the national competent authorities, such as administrative, police and border control authorities, while the EDPS supervises the EU bodies’ processing of personal data, such as Eurojust, EPPO, and Europol.

Today, the CSC ensures the supervision of Eurojust, the European Public Prosecutor’s Office (EPPO), the European Union Agency for Law Enforcement Cooperation (Europol) and the Internal Market Information System (IMI),

Additional systems that are also large, complex, and some of them new, will soon also fall under the CSC’s purview, such as the Schengen Information System (SIS), the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS), the Visa Information System (VIS), the European Criminal Records Information System on third country nationals (ECRIS-TCN), the Eurodac system, their interoperability, and the Customs Information System (CIS).

It is therefore essential, and it will become even more important in future years, that the national SAs and the EDPS coordinate their activities and jointly make sure that these processing operations are in line with the EU’s data protection framework.

Steering the course

To steer this cooperation and the monitoring activities in the right direction, the national SAs and the EDPS meet at least twice per year.

The CSC will continue working to:

• Ensure that data subjects are able to exercise their rights;
• Promote the exchange of information and joint audits or coordinated inspections by national SAs and the EDPS;
• Reach a common understanding between its participating authorities on their respective scope of supervision, applicable legal basis, and the areas where they need to cooperate and coordinate;
• Prepare the Committee’s work on the supervision of the additional information systems that will soon fall within the Committee’s remit.

Work Programme

The 2022-2024 CSC Work Programme builds upon the coordination work done since the CSC was created in December 2019. In the maze of competent bodies, offices and agencies, it is not easy for individuals to pinpoint the right authority to contact if they have a complaint. Going forward, the CSC wants to make it easier for data subjects to exercise their rights by, among others, pointing individuals in the direction of the authority that is competent for handling their request.

In addition, the CSC will promote the sharing of information among its members, monitor data processing at EU and national levels, and serve to coordinate activities, such as joint audits or inspections on issues including data quality and transfers to third countries, on the systems falling within the CSC’s remit.

The CSC is expected to greatly expand its scope in the coming years, with at least eight additional large-scale EU information systems coming under its purview. In the second half of 2022, the CSC will prepare for the coordinated supervision of those EU information systems, starting with the Schengen Information System (SIS) by September.

A hefty workload

As the number of EUIs and large-scale information system under the CSC’s purview increases, so does its workload and, by extension, that of the EDPB and its members: the SAs. The growing list of the tasks and responsibilities will prove a true challenge for a small EU body like the EDPB and for the majority of its members, as previously indicated in the EDPB contribution to the LED evaluation. In order to be able to ensure proper coordination and handling of requests, and in doing so safeguard the interests of EU data subjects, the EDPB and the SAs’ resources will have to be proportionate to the challenge at hand.