Activities of Jeroen LENAERS related to 2022/0425(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818
Amendments (25)
Amendment 55 #
Proposal for a regulation
Recital 11
Recital 11
(11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. That concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data. The requirements set out by this Regulation and by the corresponding delegated and implementing acts should lead to a uniform implementation by the airlines, thereby minimizing the cost of the interconnection of their respective systems. To facilitate a harmonized implementation of these requirements by the airlines, notably as regards the data structure, format and transmission protocol, the Commission, based on its cooperation with the PIUs, other Member States authorities, air carriers, and relevant Union agencies, should ensure that the practical handbook provides all the necessary guidance and clarifications.
Amendment 60 #
Proposal for a regulation
Recital 12
Recital 12
(12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner. Member States may establish a single data entry point that receives the API data from the router and that immediately and in an automated manner forwards it to the PIU of the Member State concerned. To ensure the proper functioning of this Regulation and in the interest of transparency, that information should be made public. Member States may designate the same single data entry point for the purposes of this Regulation and of Regulation [API law enforcement].
Amendment 66 #
Proposal for a regulation
Recital 12 a (new)
Recital 12 a (new)
(12a) Where air carriers are required to transfer the same API data both under this Regulation and under Regulation [API border management], air carriers might send this API data to the router only once. In this case, by fulfilling the obligations for the transfer of such API data under this Regulation, air carriers also fulfil the obligations for the transfer of that API data under Regulation [API border management].
Amendment 72 #
Proposal for a regulation
Recital 14
Recital 14
(14) As regards intra-EU flights, in line with the case law of the Court of Justice of the European Union (CJEU), in order to avoid unduly interfering with the relevant fundamental rights protected under the Charter and to ensure compliance with the requirements of Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of Directive (EU) 2016/681. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to the regular review of that selection. As recalled by the CJEU, a Member State may select all intra-EU flights under this approach when duly justified.
Amendment 85 #
(17a) In the interest of ensuring compliance with the fundamental right to protection of personal data, this Regulation should also set out rules on audits. The audits that Member States are responsible for should be carried out by the supervisory authorities referred to in Article 41 of Directive (EU) 2016/680 or by an auditing body entrusted with this task by the supervisory authority.
Amendment 110 #
Proposal for a regulation
Article 1 – paragraph 1 – point c a (new)
Article 1 – paragraph 1 – point c a (new)
(ca) the possibility for the Member States to require air carriers to also transfer PNR data to their Passenger Information Units, pursuant to Article 8(1) of Directive 2016/681.
Amendment 136 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. Air carriers shall collect the API data in such a manner that the API data that they transfer in accordance with paragraph 6 is accurate, complete and up-to- date. Compliance with this obligation does not require air carriers to check the travel document at the moment of boarding the aircraft, without prejudice to acts of national law that are compatible with Union law.
Amendment 139 #
Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 1
Article 4 – paragraph 3 – subparagraph 1
Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the traveller concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred paragraph 5, where such rules have been adopted and are applicable. In particular, air carriers shall do so by using the most reliable automated means available to collect the machine-readable data of the respective travel document.
Amendment 144 #
Proposal for a regulation
Article 4 – paragraph 3 a (new)
Article 4 – paragraph 3 a (new)
Amendment 146 #
Proposal for a regulation
Article 4 – paragraph 4 a (new)
Article 4 – paragraph 4 a (new)
4a. Air carriers shall not be prevented from storing API data referred to in Article 4(2), points (a) to (d) of Regulation (EU) [API border management] in their systems, with a view to facilitate subsequent check-in procedures of travellers, upon their consent.
Amendment 159 #
Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 2
Article 4 – paragraph 8 – subparagraph 2
Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received the API data transmitted through the router. eu-LISA shall ensure that the data is encrypted during transfer to the router and transmission from the router to the PIUs.
Amendment 162 #
Proposal for a regulation
Article 4 – paragraph 9
Article 4 – paragraph 9
9. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the transfers of API data to the router referred to in paragraph 6, including on requirements for data security. Such detailed rules shall ensure that airlines transmit API data using the same structure and content.
Amendment 177 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
Article 5 – paragraph 1 a (new)
1a. Each Member State may establish a single entry point that receives the API data transmitted to it from the router and that immediately and in an automated manner forwards the API data to the PIU of the Member State concerned. The Commission shall, on the basis of those notifications and updates, compile and make publicly available a list of the notified competent border authorities, including their contact details.
Amendment 181 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
2. Member States that decide to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2 of that Directive shall each establish a list of the intra-EU flights concerned and shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, provide eu-LISA with that list. Those Member States shall, in accordance with Article 2 of that Directive, regularly review and where necessary update those lists and shall immediately provide eu-LISA with any such updated lists. The information contained on those lists shall be treated confidentially. A Member State may select all intra-EU flights or routes when duly justified, in accordance with Directive (EU) 2016/681.
Amendment 183 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed technical and procedural rules for the transmissions of API data from the router referred to in paragraph 1, including on requirements for data security.
Amendment 187 #
Proposal for a regulation
Article 5 a (new)
Article 5 a (new)
Article5a Optional use of the router for PNR data transfers When adopting measures in accordance with Article 8 of Directive (EU) 2016/681, Member States may require air carriers to transfer other PNR data collected, pursuant to Article 8(1) of that Directive, to the database of the PIU of the Member States concerned, through the router.
Amendment 189 #
Proposal for a regulation
Article 5 b (new)
Article 5 b (new)
Article5b Storage period and deletion of API data Air carriers shall store API data for a time period of 72 hours from the moment of receipt by the router of the API data transferred to it in accordance with Article 4. API data transmitted to PIUs in accordance with this Regulation, shall subsequently be processed by the PIUs in accordance with Directive (EU) 2016/681, and as interpreted by the Court of Justice of the European Union, in particular as regards the rules on the period of data retention and depersonalisation.
Amendment 190 #
Proposal for a regulation
Article 5 c (new)
Article 5 c (new)
Article5c Transfer of API data by PIUs to third countries In accordance with Directive 2016/681, PIUs shall be enabled to transfer API data received under this Regulation with third countries for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
Amendment 199 #
Proposal for a regulation
Article 6 – paragraph 4 a (new)
Article 6 – paragraph 4 a (new)
4a. The national supervisory authority referred to in Article 15 and PIUs shall have access to the relevant logs referred to in paragraph 1 of Article 13 of Regulation [API border management] where necessary for the purposes referred to in paragraph 2.
Amendment 214 #
Proposal for a regulation
Article 9 a (new)
Article 9 a (new)
Article9a Personal data protection audits The supervisory authorities referred to in Article 41 of Directive (EU) 2016/680 shall carry out an audit of processing operations of API data constituting personal data performed by the PIUs for the purposes of this Regulation at least once every four years. Member States shall ensure that their supervisory authorities have sufficient resources and expertise to fulfil the tasks entrusted to them under this Regulation.
Amendment 215 #
2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1, including on data security requirements.
Amendment 216 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1, including on data security requirements.
Amendment 223 #
Proposal for a regulation
Article 13 – paragraph 1 – subparagraph 2
Article 13 – paragraph 1 – subparagraph 2
During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) shall not apply either toAir carriers shall store the API data until the technical impossibility has been successfully addressed and at that point transfer the API data in question during that time periodto the router in accordance with Article 4(1).
Amendment 224 #
Proposal for a regulation
Article 13 – paragraph 2 – subparagraph 2
Article 13 – paragraph 2 – subparagraph 2
During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar aAir carriers tshat is the case, Article 4(1) shall not apply either to the API data in question during that time periodll store the API data until the technical impossibility has been successfully addressed and at that point transfer the data to the router in accordance with Article 4(1).
Amendment 225 #
Proposal for a regulation
Article 13 – paragraph 3 – subparagraph 2
Article 13 – paragraph 3 – subparagraph 2
During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar aAir carriers tshat is the case, Article 4(1) shall not apply either to the API data in question during that time period. ll store the API data until the technical impossibility has been successfully addressed and at that point transfer the data to the router in accordance with Article 4(1).