Activities of José GUSMÃO related to 2022/0424(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC
Amendments (61)
Amendment 71 #
Proposal for a regulation
Recital 2
Recital 2
(2) The use of travellpassenger data and flight information transferred ahead of the arrival of travellers, known as advance passenger information (‘API’) data, contributes to speeding up the process of carrying out the required checks during the border-crossing process. For the purposes of this Regulation that process concerns, more specifically, the crossing of borders between a third country or a Member State not participating in this Regulation, on the one hand, and a Member State participating in this Regulation, on the other hand. Such use strengthens checks at those external borders by providing sufficient time to enable detailed and comprehensive checks to be carried out on all travellers, without having a disproportionate negative effect on persons travelling in good faith. Therefore, in the interest of the effectiveness and efficiency of checks at external borders, an appropriate legal framework should be provided for to ensure that Member States’ competent border authorities at such external border crossing points have access to API data prior to the arrival of travellers. (This should apply throughout the text.)
Amendment 76 #
Proposal for a regulation
Recital 7
Recital 7
(7) In order to achieve its objectives, this Regulation should apply to all carrierommercial carriers and to private aircrafts conducting flights into the Union , as defined in this Regulation, covering both scheduled and non-scheduled flights, irrespective of the place of establishment of the air carriers conducting those flights. General aviation such as flight schools, military or medical flights, should be exempted from this Regulation.
Amendment 79 #
Proposal for a regulation
Recital 7 a (new)
Recital 7 a (new)
(7a) For transit passengers whose initial point of departure and final destination are outside of the territory of the Member States participating in this Regulation, and who therefore will not cross the external borders, air carriers should not be under the obligation to transfer API data.
Amendment 80 #
Proposal for a regulation
Recital 8
Recital 8
(8) In the interest of effectiveness and legal certainty, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each traveller and information on the flight of that traveller. Such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned in all cases covered by this Regulation, but that information should be collected only where applicable under Regulation (EU) [API law enforcement], that is, not when the API data do not relate to intra-EU flights .
Amendment 84 #
Proposal for a regulation
Recital 10
Recital 10
(10) Automated means enable travellersThe passenger should be enabled to provide certain API data themselves during an online check-in process , either manually or by using automated means. Such means could, for example, include a secure app on a travellers’ smartphone, computer or webcam with the capability to read the machine-readable data of the travel document. Where the travellers did not check-in online, air carriers should in practice provide them with the possibility to provide the machine-readable API data concerned during check-in at the airport with the assistance of a self-service kiosk or of airline staff at the counter. This provision of data by the passenger must be made possible at no cost to the passenger.
Amendment 89 #
Proposal for a regulation
Recital 12
Recital 12
(12) In view of the advantages offered by using automated means for the collection of machine-readable API data and the clarity resulting from the technical requirements in that regard to be adopted under this Regulation, it should be clarified that air carriers that decide to use automated means in addition to manual collection to collect the information that they are required to transmit under Directive 2004//82/EC have the possibility, but not the obligation, to apply those requirements, once adopted, in connection to such use of automated means, insofar as that Directive permits. Any such voluntary application of those specifications in application of Directive 2004/82/EC should not be understood as affecting in any way the obligations of the air carriers and the Member States under that Directive.
Amendment 91 #
Proposal for a regulation
Recital 13
Recital 13
(13) In view of ensuring that the pre- checks carried out in advance by competent border authorities are effective and efficient, the API data transferred to those authorities should contain data of travellers that are effectively set to cross the external borders, that is, of travellers that are effectively on board of the aircraft. Therefore, the air carriers should transfer API data directly after flight closure. Moreover, API data helps the competent border authorities to distinguish legitimate travellers fromhelps the competent authorities to identify travellers who may be of interest and therefore may require additional verifications, which would necessitate further coordination and preparation of follow-up measures to be taken upon arrival. That could occur, for example, in cases of unexpected number of travellers of interest whose physical checks at the borders could adversely affect the border checks and waiting times at the borders of other legitimate travellers. To provide the competent border authorities with an opportunity to prepare adequate and proportionate measures at the border, such as temporarily reinforcing or reaffecting staff, particularly for flights where the time between the flight closure and the arrival at the external borders is insufficient to allow the competent border authorities to prepare the most appropriate response, API data should also be transmitted prior to boarding, at the moment of check-in of each traveller.
Amendment 107 #
Proposal for a regulation
Recital 19
Recital 19
(19) The router should serve only to facilitate the transmission of API data from the air carriers to the competent border authorities in accordance with this Regulation and to PIUs in accordance with Regulation (EU) [API law enforcement], and should not be a repository of API data. Therefore, and in order to minimise any risk of unauthorised access or other misuse and in accordance with the principle of data minimisation, anyno storage of the API data on the router should remain limited to what ishould take place unless strictly necessary for technical purposes related to the transmission and the API data should be deleted from the router, immediately, permanently and in an automated manner, from the moment that the transmission has been completed or, where relevant under Regulation (EU) [API law enforcement], the API data is not to be transmitted at all.
Amendment 112 #
Proposal for a regulation
Recital 23
Recital 23
(23) In view of the Union interests at stake, the costs incurred by the European Data Protection Supervisor and eu-LISA for the performance of its tasks under this Regulation and Regulation (EU) [API law enforcement] in respect of the router should be borne by the Union budget. The same should go for appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation and in accordance with the applicable legislation, subject to certain exceptions. The costs covered by those exceptions should be borne by each Member State concerned itself. The costs incurred by the independent national supervisory authorities in relation to the tasks entrusted to them under this Regulation and Regulation (EU) [API law enforcement] shall be borne by the respective Member States as well.
Amendment 121 #
Proposal for a regulation
Recital 35
Recital 35
Amendment 125 #
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
Article 1 – paragraph 1 – introductory part
For the purposes of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this Regulation lays down the rules on:
Amendment 132 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
This Regulation applies to air carriers conducting scheduled or non-scheduled flights into the Union. General aviation shall be exempted from this Regulation.
Amendment 136 #
Proposal for a regulation
Article 3 – paragraph 1 – point a
Article 3 – paragraph 1 – point a
(a) ‘air carrier’ means an air transport undertaking as defined in Article 3, point 1, of Directive (EU) 2016/681 , other than air transport undertakings performing general aviation operations;
Amendment 137 #
Proposal for a regulation
Article 3 – paragraph 1 – point a a (new)
Article 3 – paragraph 1 – point a a (new)
(aa) 'general aviation' means all civil aviation operations other than scheduled air services and non-scheduled air transport operations for remuneration or hire as defined in the classification of the International Civil Aviation Organization (ICAO);
Amendment 143 #
Proposal for a regulation
Article 3 – paragraph 1 – point f
Article 3 – paragraph 1 – point f
(f) ‘non-scheduled flight’ means a commercial flight or private flight that does not operate according to a fixed timetable and that is not necessarily part of a regular or scheduled route;
Amendment 146 #
Proposal for a regulation
Article 3 – paragraph 1 – point h
Article 3 – paragraph 1 – point h
(h) ‘passenger’ means any person, excluding members of the crew, unless they are off duty, carried or to be carried in an aircraft with the consent of the air carrier, such consent being manifested by that person's registration in the passengers list;
Amendment 148 #
Proposal for a regulation
Article 3 – paragraph 1 – point j
Article 3 – paragraph 1 – point j
Amendment 151 #
1. Air carriers shall collect API data of travellers, consisting of the traveller data and the flight information specified in paragraphs 2 and 3 of this Article, respectively, on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with Article 6. Where the flight is code- shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.
Amendment 154 #
Proposal for a regulation
Article 4 – paragraph 2 – introductory part
Article 4 – paragraph 2 – introductory part
2. The API data shall consist only of the following traveller data relating to each traveller on the flight:
Amendment 157 #
Proposal for a regulation
Article 4 – paragraph 2 – point e
Article 4 – paragraph 2 – point e
Amendment 158 #
Proposal for a regulation
Article 4 – paragraph 2 – point g
Article 4 – paragraph 2 – point g
(g) the seating information, such as the number of the seat in the aircraft assigned to a passenger, where the air carrier collects such information;
Amendment 162 #
Proposal for a regulation
Article 4 – paragraph 3 – point a
Article 4 – paragraph 3 – point a
(a) the flight identification number or, where the flight is code-shared between one or more air carriers, the, flights identification numbers, or if no such number exists, other clear and suitable means to identify the flight;
Amendment 166 #
2a. Where air carriers provide an online check-in process, they shall enable passengers to provide the API data referred to in Article 4(2), points (a) to (d) during the online check-in process, either manually or using automated means.
Amendment 167 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up- to-date. Any personal data that is processed in connection with such automated means shall be used exclusively for the purpose of providing API data and not processed further.
Amendment 170 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
1. Air carriers shall transfer the encrypted API data to the router by electronic means. They shall do so in a way that ensures the confidentiality, integrity and authenticity of data and in accordance with the detailed rules referred to in paragraph 3, where such rules have been adopted and are applicable.
Amendment 182 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. Air carriers shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they collected pursuant to Article 4. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 189 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
2. The competent border authorities shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they received through the router pursuant to Article 11. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 193 #
Proposal for a regulation
Article 8 a (new)
Article 8 a (new)
Article8a Non-discrimination and fundamental rights Processing of personal data in accordance with this Regulation and Regulation (EU)[API law enforcement] shall not have the effect of discrimination against data subjects on the grounds of sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. It shall fully respect human dignity and integrity and fundamental rights, including the right to respect for respect for private and family life and to the protection of personal data and including the right to travel as enshrined in Article 13 of the Universal Declaration of Human Rights . Particular attention shall be paid to children, the elderly and persons with a disability. The best interests of the child shall be a primary consideration.
Amendment 194 #
Proposal for a regulation
Article 8 b (new)
Article 8 b (new)
Article8b The processing of personal data in accordance with this Regulation and Regulation (EU)[API law enforcement] shall not hamper the right to request asylum, guaranteed by Article 18 of the EU Charter of Fundamental Rights.
Amendment 195 #
Proposal for a regulation
Article 8 c (new)
Article 8 c (new)
Article8c Member States shall ensure that the persons affected by the measures provided for under this Regulation have the right to an effective legal remedy in order to uphold their rights.
Amendment 197 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
Article 9 – paragraph 2 – point b
(b) a secure communication channel between the central infrastructure and the competent border authorities and the PIUs, and a secure communication channel between the central infrastructure and the air carriers, for the transfer and transmission of API data and for any communications relating thereto.
Amendment 198 #
Proposal for a regulation
Article 9 – paragraph 2 a (new)
Article 9 – paragraph 2 a (new)
2a. The router shall ensure that all transfers to and from the router guarantee the confidentiality, integrity and authenticity of the data transferred.
Amendment 199 #
Proposal for a regulation
Article 9 – paragraph 2 b (new)
Article 9 – paragraph 2 b (new)
2b. The router shall automatically extract and make available to eu-LISA the statistics in accordance with Article 31.
Amendment 201 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
3. Without prejudice to Article 10 of this Regulation, the router shall, to the extent technically possiblemay, where technically and economically advantageous, share and re- use the technical components, including hardware and software components, of the web service referred to in Article 13 of Regulation (EU) 2017/2226 of the European Parliament and of the Council48 , the carrier gateway referred to in Article 6(2), point (k), of Regulation (EU) 2018/1240, and the carrier gateway referred to in Article 2a, point (h), of Regulation (EC) 767/2008 of the European Parliament and of the Council49 . _________________ 48 Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20). 49 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).
Amendment 208 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
The router shall only be used by air carriers to transfer encrypted API data and by competent border authorities and PIUs to receive encrypted API data, in accordance with this Regulation and Regulation (EU) [API law enforcement], respectively.
Amendment 212 #
Proposal for a regulation
Article 11 – paragraph 1 – subparagraph 2
Article 11 – paragraph 1 – subparagraph 2
Amendment 216 #
Proposal for a regulation
Article 11 – paragraph 3
Article 11 – paragraph 3
3. The Member States shall ensure that only the duly authorised and trained staff of the competent border authorities have access to the API data transmitted to them through the router. They shall lay down the necessary rules to that effect. Those rules shall include rules on the creation and regular update of a list of those staff and their profiles.
Amendment 218 #
Proposal for a regulation
Article 11 – paragraph 4
Article 11 – paragraph 4
4. The Commission is empowered to adopt delegated acts in accordance with Article 37 to supplement this Regulation by laying down the necessary detailed technical and procedural rules for the transmissions of encrypted API data from the router referred to in paragraph 1.
Amendment 224 #
Proposal for a regulation
Article 12 – paragraph 1 – point a a (new)
Article 12 – paragraph 1 – point a a (new)
(aa) in cases of technical impossibility of the router to subsequently transmit the API data to the competent national authorities, after 12 hours;
Amendment 230 #
Proposal for a regulation
Article 13 – paragraph 1 – subparagraph 1 – point c
Article 13 – paragraph 1 – subparagraph 1 – point c
(c) the date and time of the transfers referred to in points (a) and (b), and place of transferorigin, destination and flight number of the flight concerned;
Amendment 231 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
2. Air carriers shall create logs of all processing operations under this Regulation undertaken by using the automated means referred to in Article 5(2). Those logs shall cover the date, time and place of transfer of the API data. Those logs shall not contain any personal data.
Amendment 234 #
Proposal for a regulation
Article 13 – paragraph 5 – subparagraph 2
Article 13 – paragraph 5 – subparagraph 2
However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and these procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, eu- LISA and the air carriers mayshall keep those logs for as long as necessary for those procedures after informing and justifying it to the Commission. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.
Amendment 239 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
The competent border authorities shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, in relation to the processing of API data constituting personal data through the router , including the transmission and the storage for technical reasons of that data in the router, as well as in relation to their processing of API data constituting personal data referred to in Article 7 of this Regulation.
Amendment 240 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
The air carriers shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under this Regulation.
Amendment 242 #
eu-LISA shall be the processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation and Regulation (EU) [API law enforcement].
Amendment 244 #
Proposal for a regulation
Article 17 – paragraph 1
Article 17 – paragraph 1
1. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation and Regulation (EU) [API law enforcement]. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu- LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
Amendment 247 #
Proposal for a regulation
Article 17 – paragraph 2 – subparagraph 1 – introductory part
Article 17 – paragraph 2 – subparagraph 1 – introductory part
In particular, eu-LISA shall take the necessary measures to ensure the security of the router and the API data, in particular API data constituting personal data, transmitted through the router, including by establishing, implementing and regularly updating a security plan, a business continuity plan and a disaster recovery plan, in order to:
Amendment 248 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
The air carriers and competent authorities shall monitor their compliance with their respective obligations under this Regulation, in particular as regards their processing of API data constituting personal data, including through frequent verification of the logs referred to in Article 13.
Amendment 249 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. The competent national data protection independent supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 shall ensure that an audit of processing operations of API data constituting personal data performed by the competent border authorities for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every four years.
Amendment 261 #
Proposal for a regulation
Article 25 – paragraph 1
Article 25 – paragraph 1
1. Costs incurred by eu-LISA, the European Data Protection Supervisor, the national supervisory authorities in relation to the design, development, hosting and technical management of the router under this Regulation and Regulation (EU) [API law enforcement] shall be borne by the general budget of the Union.
Amendment 263 #
Proposal for a regulation
Article 25 – paragraph 2 a (new)
Article 25 – paragraph 2 a (new)
2a. Costs incurred by the European Data Protection Supervisor in relation to the tasks entrusted to it under this Regulation shall be borne by the general budget of the Union.
Amendment 264 #
Proposal for a regulation
Article 25 – paragraph 2 b (new)
Article 25 – paragraph 2 b (new)
2b. Costs incurred by independent national supervisory authorities in relation to the tasks entrusted to them under this Regulation shall be borne by the Member States.
Amendment 267 #
Proposal for a regulation
Article 30 – paragraph 2 a (new)
Article 30 – paragraph 2 a (new)
Member States shall ensure that a systematic or persistent failure to comply with the obligations set in this Regulation, including fundamental rights obligations, is subject to financial penalties of up to EUR 10 billion, notwithstanding the Member States’ right to impose non- financial penalties in addition.
Amendment 272 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2
Amendment 288 #
Proposal for a regulation
Article 31 – paragraph 5 – subparagraph 1 (new)
Article 31 – paragraph 5 – subparagraph 1 (new)
Nothing in this paragraph shall affect the anonymous nature of the statistical data.
Amendment 290 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
Amendment 293 #
Proposal for a regulation
Article 31 – paragraph 6 a (new)
Article 31 – paragraph 6 a (new)
6a. The use of the data referred to in paragraph 5 of this Article for automated or non-automated risk analysis, profiling or predictive risk assessment shall be prohibited.
Amendment 296 #
The Commission shall, in close cooperation with the competent border authorities, other relevant Member States’ authorities, the air carriers and relevant Union agencies, in particular the European Data Protection Supervisor and the Fundamental Rights Agency, prepare and make publicly available a practical handbook, containing guidelines, recommendations and best practices for the implementation of this Regulation, including on fundamental rights compliance as well as on penalties in accordance with Article 30.
Amendment 298 #
Proposal for a regulation
Article 32 a (new)
Article 32 a (new)
Article32a API Contact Group 1. An API Contact Group shall be established with effect from [one month after the entry into force of this Regulation] in accordance with the horizontal rules on the creation and operation of Commission expert groups. It shall facilitate cooperation and the exchange of information on obligations stemming from and issues relating to this Regulation among Member States, EU institutions and stakeholders. 2. The API Contact Group shall be composed of representatives of the European Commission, of Member States’ relevant authorities, of the European Parliament and of eu-LISA. Where relevant for the performance of its tasks, the API Contact Group may invite relevant stakeholders, in particular representatives of air carriers, the EDPS and the independent national supervisory authorities, to participate in its work. The Commission’s representative shall chair the API Contact Group.
Amendment 300 #
Proposal for a regulation
Article 35
Article 35
Regulation (EU) 2019/817
Article 39 paragraph 1 and 2
Article 39 paragraph 1 and 2
Amendment 302 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. By [one year after the date of entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall produce a report, and submit it to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and about any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 25. From the date at which the router starts operations and every year thereafter, the Commission shall assess whether the budget under the MFF budget line 4.11.10.02 (“eu-LISA”) covers the needs necessary for good design, development, hosting and technical management of the router and, if appropriate, immediately propose amendment to the budget appropriations.