"I realise that some of my criticisms may be mistaken; but to refuse to criticize judgements for fear of being mistaken is to abandon criticism altogether... If any of my criticisms are found to be correct, the cause is served; and if any are found to be incorrect the very process of finding out my mistakes must lead to the discovery of the right reasons, or better reasons than I have been able to give, and the cause is served just as well."

-Mr. HM Seervai, Preface to the 1st ed., Constitutional Law of India.

Thursday, January 18, 2024

European Data Protection Board's Coordinated Enforcement Framework

The EU EDPB (European Data Protection Board) came up with a Coordinated Enforcement Framework (CEF) in 2020 with the objective of facilitating joint actions among Supervisory Authorities under the EU General Data Protection Regulation, 2016.

The objective of the CEF was to facilitate joint actions among supervisory authorities in a coordinated manner. The legal basis of the CEF is contained in Article 61(1) read with Article 57(1)(g) of the GDPR. Article 61(1) reads:

"Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations."

Article 57(1)(g) states: 

"1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: ...

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

Article 62, which deals with joint operations of supervisory authorities is also relevant for this purpose. Article 62(1) provides: "The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved."

The role of EDPB is captured in Article 70(1)(u) of the GDPR, which states:

"1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:...

(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;"

These provisions form the legal basis for the CEF, which is basically a structure for coordinating recurring annual activities of the Supervisory Authorities under the GDPR through the EDPB. 

On the CEF, the EDPB Document states: "The objective of the CEF is to facilitate joint actions in the broad sense in a flexible but coordinated manner, ranging from joint awareness raising and information gathering to an enforcement sweep and joint investigations." (Para 5).

Why is the CEF important? The ultimate aim is compliance with GDPR and protection of rights and freedoms. The CEF reduces risks of compliance in wake of new technologies in data protection.

The CEF works in the following way:

In 2022, the EDPB picked the role of Data Protection Officers for its 2023 Study. Now EDPB has come up with the report on the designation and position of Data Protection Officers, which can be accessed from hereThe 2022 study was on use of cloud-based services by the public sector.

For 2024, the topic has been chosen by the EDPB in October 2023, which relates to the implementation of the right of access by controllers.

No comments: