SIS: the next large-scale EU information system to come under CSC purview

On March 7th, the amended SIS regulations enter into operation. With this, the Schengen Information System (SIS) will become the next large-scale EU information system to come under the purview of the Coordinated Supervision Committee (CSC). The CSC brings together the national data protection authorities and the European Data Protection Supervisor (EDPS) to ensure coordinated supervision of large-scale IT systems and of EU bodies, offices and agencies, in accordance with Art. 62 of Regulation (EU) 2018/1725 or - as in the case of SIS - with the EU legal act establishing the large-scale IT system or the EU body, office or agency.

SIS is a large-scale IT system which supports internal security and the exchange of information on persons and objects between national police, border control, customs, visa and judicial authorities within the Schengen area. In order to better address counter-terrorism and irregular migration, the existing SIS regulations were amended. Among others, a more extensive use of biometric data and the creation of new categories of alerts, as well as the inclusion of more items in the already existing categories was foreseen. In addition, there will be wider access by Europol, and access for Frontex hotspot teams is also a part of the legislation.

We sat down with CSC Coordinator, Clara Guerra, to discuss this latest development.

How does the CSC contribute to the supervision of large-scale IT systems like SIS?

The CSC will play a key role in the supervision of SIS. The data processed in SIS is provided by the individual Schengen Member States, which requires a high amount of coordination. In addition, other EU information systems that interact with SIS, like Europol or Eurojust, are under the purview of the CSC as well. This allows for a comprehensive approach in supervision.

Having this in mind, the CSC has already included in its work programme for 2022-2024 a supervisory activity regarding a new kind of SIS alert: the information alert, which will also cover Europol supervision. This is the first time a CSC work item will cover cross-system activity between two systems. As both systems are under the CSC, this will lead to more coordinated supervision.

SIS was the very first European system to have data protection supervision. Therefore, data protection authorities have gained valuable experience in joint activities regarding SIS for more than 25 years. This will be most valuable for the supervision of SIS by the CSC.

How will SIS coming into the scope of the CSC impact your workload?

We estimate the impact will be significant. SIS is the biggest system in the world in the area of border control, which means a challenge from the start. Moreover, with the new legal framework, SIS is enhanced with new functionalities and broader purposes for data processing that will require additional monitoring and checks at national level, in particular regarding the lawfulness of the alerts, data quality and the access and use of the data by the authorities using SIS. It is important to underline that data subjects exercise their rights more often under SIS than in other systems.

However, we are prepared for it. We will take on board some activities that were being developed by the SIS II Supervision Coordination Group (SCG), such as the coordinated inspections on the alerts regarding discreet and specific checks under Art. 36 of the SIS II Decision, or the updated Guide for the exercise of data subjects’ rights. In addition, as I mentioned before, the CSC will carry out a joint supervisory activity on the new ‘information alerts’, which also involves Europol. This kind of alert raises concerns for several reasons and that is why we decided to follow its practical implementation from the outset.

How do you see the CSC moving forward with more large-scale IT systems set to join in the near future?

To become the single forum for data protection coordinated supervision of the EU systems presents many challenges of course. We have to make sure that our monitoring actions are relevant and effective, in particular in an area where data processing has a huge impact on the rights of individuals.

The horizontal approach in the CSC allow us to have a comprehensive overview of all data processing by EU systems and, thus, enables better monitoring of the data flows across systems and a reinforced supervision of this complex matrix. This is rather important, especially when it will come to achieving interoperability of six large-scale IT systems (SIS, EES, ETIAS, ECRIS-TCN, VIS and Eurodac).

At the same time, the CSC enables more synergies and enhanced cooperation between data protection authorities, including between the national and the European level, which we intend to explore in full. For that, we need to build on experience, use flexible working methods and remain focused on the important issues. I would say that we are on the right track, but it is essential that data protection authorities have sufficient resources to perform their legal tasks and engage actively in this new model of coordinated supervision of EU information systems.