75 Amendments of Birgit SIPPEL related to 2022/0425(COD)
Amendment 28 #
Proposal for a regulation
Recital 1
Recital 1
(1) The transnational dimension of serious and organised crime and the continuous threat of terrorist attacks on European soil call for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on air travellers, such as Passenger Name Records (PNR) and in particular Advance Passenger Information (API), is essential in orderhelps to identify high-risk travellers, including those who are not otherwise known to law enforcement authorities, and to establish links between members of criminal groups, and countering terrorist activities.
Amendment 29 #
Proposal for a regulation
Recital 2
Recital 2
(2) While Council Directive 2004/82/EC27 establishes a legal framework for the collection and transfer of API data by air carriers with the aims of improving border controls and combating illegal immigration, it also states that Member States may use API data for law enforcement purposes. However, only creating such a possibility leads to several gaps and shortcomings. In particular, it means that, despite its relevance for law enforcement purposes,This means that API data is not in all casessystematically collected and transferred by air carriers for those purposes. It also means that, wlaw enforcement purposes. Where Member States have acted upon the possibility, air carriers are faced with diverging requirements under national law as regardsing when and how to collect and transfer API data for this purpose. Those divergences lead not only to unnecessary costs and complications for the air carriers, but they are also prejudicial tomay also complicate the Union’s internal security and effective cooperation between the competent law enforcement authorities of the Member States. Moreover, in view of the completely different nature of the purposes of facilitating border controls and law enforcement, it is appropriate to establish a distinct legal framework for the collection and transfer of API data for each of thoselaw enforcement purposes. _________________ 27 Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ L 261, 6.8.2004, p. 24).
Amendment 32 #
Proposal for a regulation
Recital 3
Recital 3
(3) Directive (EU) 2016/681 of the European Parliament and of the Council28 (‘PNR Directive') lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under thatPNR Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not guarantee the collection and transfer of API data in all cases, as air carriers do not have any business purpose to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent law enforcement authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crimfor the purposes of the Directive. In particular, such joint processing allows for the accurate identification of those passengers that may need to be further examined, in accordance with the applicable law, by those authorities. In addition, thate PNR Directive does not specify in detail which information constitutes API data. For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data, which.These requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flight. _________________ 28 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132).
Amendment 34 #
Proposal for a regulation
Recital 4
Recital 4
(4) It is therefore necessary to establish at Union level clear, harmonised and effective rules at the Union level on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
Amendment 36 #
Proposal for a regulation
Recital 5
Recital 5
(5) Considering the close relationship between both acts, this Regulation should be understood as complementing the rules provided for in the PNR Directive (EU) 2016/681. Therefore, API data is to be collected and transferred in accordance with the specific requirements of this Regulation, including as regards to the situations and the manner in which that is to be done. However, the rules of thate PNR Directive apply in respect of matters not specifically covered by this Regulation, especially regarding the rules on the subsequent processing of the API data received by the PIUs, exchange of information between Member States, conditions of access by the European Union Agency for Law Enforcement Cooperation (Europol), transfers to third countries, retention and depersonalisation, as well as the protection of personal data. Insofar as those rules apply, the rules of that Directive on penalties and the national supervisory authorities apply as well. This Regulation should leave those rules unaffected.
Amendment 37 #
Proposal for a regulation
Recital 6
Recital 6
(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the APIprocessing of any API data collected and transferred under this Regulation do not lead to any form of discrimination precluded by the Charter.
Amendment 44 #
Proposal for a regulation
Recital 7
Recital 7
(7) In view of the complementary nature of this Regulation in relation to the PNR Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under the Directive (EU) 2016/681, namely flights, including both scheduled and non- scheduled flights, both between Member States and third countries (extra-EU flights), and between severalcertain Member States (intra-EU flights) insofar as those flights have been selected in accordance with the PNR Directive (EU) 2016/681, irrespective of the place of establishment of the air carriers conducting those flights.
Amendment 47 #
Proposal for a regulation
Recital 8
Recital 8
(8) Accordingly, given that the PNR Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either. This Regulation should not be understood as affecting the possibility for Member States to provide, under their national law and in compliance with Union law, for obligations on air carriers to collect and transfer API data on such domestic flights.
Amendment 49 #
Proposal for a regulation
Recital 9
Recital 9
(9) In view of the close relationship between the acts of Union law concerned and in the interest of consistency and coherence, the definitions set out in this Regulation should as much possible be aligned with, and be interpreted and applied in the light of, the definitions set out in the PNR Directive (EU) 2016/681 andand the Regulation (EU) [API border management] 29 . _________________ 29 OJ C , , p. .
Amendment 52 #
Proposal for a regulation
Recital 10
Recital 10
(10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be the same as those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned only where applicable, that is, not when the API data relate to intra-EU flights.
Amendment 56 #
Proposal for a regulation
Recital 11
Recital 11
(11) In order to ensure as consistent approach as possible on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. Thatis concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data. The collection of API data by automated means should be strictly limited to the alphanumercial data contained in the travel document and should not lead to the collection of any biometric data from it. As the collection of API data is part of the check-in process, either online or at the airport, it should not imply any checks of the traveller at the moment of boarding. Compliance with this regulation should not imply any obligation to carry a travel document at the moment of boarding.
Amendment 62 #
Proposal for a regulation
Recital 12
Recital 12
(12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union, and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the sole competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner.
Amendment 67 #
Proposal for a regulation
Recital 13
Recital 13
(13) For the extra-EU flights, the PIU of the Member State on thwhose territory of which the flight will land and or from twhe territory of whichre the flight will depart should receive the API data from the router for all those flights, given that that PNR data is collected for all those flights, in accordance with the PNR Directive (EU) 2016/681. The router should identify the flight and the corresponding PIUs using the information contained in the PNR record locator, a data element common to both the API and PNR data sets allowing for the joint processing of API data and PNR data by the PIUs.
Amendment 68 #
Proposal for a regulation
Recital 13 a (new)
Recital 13 a (new)
(13a) In order to allow for the effective supervision of the compliance of the Member States with the requirements of the Court of Justice of the European Union (‘CJEU’) by the national data protection authorities, this Regulation lays down a common methodology for carrying out the threat assessment based on which the Member States should operate a selection of intra-EU flights. In order to avoid divergent practices among Member States, this Regulation also sets out a list of criteria, regarding both quantitative and qualitative evidence, to be used by Member States when carrying out such assessment. Given that API can be processed for the purpose of this Regulation only insofar as PNR data is processed, the outcome of the threat assessment should be valid for the transfer and processing of both API and PNR data.
Amendment 73 #
Proposal for a regulation
Recital 14
Recital 14
(14) As regards to the intra-EU flights, in line with the case law of the Court of Justice of the European Union (CJEU)JEU, in order to avoid unduly interfering with the relevant fundamental rights of the travellers protected under the Charter and to ensure compliance with the requirements of the Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of the PNR Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of the PNR Directive (EU) 2016/681. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to thea regular review of that selection.
Amendment 78 #
Proposal for a regulation
Recital 15
Recital 15
(15) In order to enable the application of that selective approach under this Regulation in respect of intra-EU flights, the Member States should be required to draw up and submit to the eu-LISA the lists of the flights they selected, so that eu- LISA can ensure that API data of only for those flights API data is transmitted from the router to the relevant PIUs and that the API data on other intra-EU flights is immediately and permanently deleted.
Amendment 82 #
Proposal for a regulation
Recital 16
Recital 16
(16) In order not to endanger the effectiveness of the system that relies on the collection and transfer of API data set up by this Regulation, and of PNR data under the system set up by Directive (EU) 2016/681, for the purpose of preventing, detecting, investigating and prosthe PNR Direcuting terrorist offences and serious crimve, in particular by creating the risk of circumvention, information on which intra- EU flights the Member States have selected should be treated in a confidential manner. For that reason, such information should not be shared with the air carriers and they should therefore be required to collect API data on all flights covered by this Regulation, including all intra-EU flights, and then transfer it to the router, where the necessary selection should be enacted. Moreover, by collecting API data on all intra-EU flights, passengers are not made aware on which selected intra-EU flights API data, and hence also PNR data, is transmitted to the PIUs in accordance with the assessment of Member States’ assessment. That approach also ensures that any changes relating to that selection can be implemented swiftly and effectively, without imposing any undue economic and operational burdens on the air carriers. Nonetheless, API data should not be collected and transferred on those flights where neither the Member State of departure nor the Member State of arrival of intra-EU flights have notified the Commission with their decision to apply PNR Directive to intra-EU flights, pursuant to Article 2 of that Directive. Since such notifications are published in the Official Journal of the Union, and hence known to the public, there is in these cases no risk of circumvention.
Amendment 84 #
Proposal for a regulation
Recital 17
Recital 17
(17) In the interest of ensuring compliance with the fundamental right tof the travellers to the protection of their personal data and in line with Regulation (EU) [API border management], this Regulation should identify the controllers. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council 30 , Directive (EU) 2016/680 of the European Parliament and the Council31 and Regulation (EU) 2018/1725 of the European Parliament and the Council32 . Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation. Taking due consideration of the right of the travellers to be informed of the processing of their personal data for the purposes of this Regulation, the air carriers should inform travellers, at the moment of booking and at the moment of check-in, of the purpose of the collection of their personal data and of their rights as data subjects. _________________ 30 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1. 31 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89. 32 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39
Amendment 87 #
Proposal for a regulation
Recital 18
Recital 18
Amendment 90 #
Proposal for a regulation
Recital 20
Recital 20
(20) In accordance with Regulation (EU) 2018/1726, Member States may entrust eu-LISA with the task of facilitating connectivity wiorder to allow both the air carriers and the PIUs to make the most efficient use of their connections to the router, to prevent any duplication of passenger data transfers and processing, and to ensure compliance with the CJEU case-law and enhance the related monitoring and supervision, this Regulation provides for the mandatory use of the router by the air carriers in order to assist Member States in the implementation of Directive (EU) 2016/681, particularly by collecting andfor transferring PNR data, and for the PIUs for receiving such data. This should constitute the only necessary and available means for the Member States to require air carriers to comply with the obligations related to transferring of PNR data via the routeras foreseen by the PNR Directive.
Amendment 92 #
Proposal for a regulation
Recital 21
Recital 21
(21) It cannot be excluded that, due to exceptional circumstances and despite all reasonable measures having been taken in accordance with this Regulation and, as regards the router, Regulation (EU) [API border management], the router or the systems or infrastructure connecting the PIUs and the air carriers thereto fail to function properly, thus leading to a technical impossibility to use the router to transmit API and PNR data. Given the unavailability of the router and that it will generally not be reasonably possible for air carriers to transfer the API and PNR data affected by the failure in a lawful, secure, effective and swift manner through alternative means, the obligation for air carriers to transfer that API and PNR data to the router should cease to apply for as long as the technical impossibility persist. In order to minimise the duration and negative consequences thereof, the parties concerned should in such a case immediately inform each other and immediately take all necessary measures to address the technical impossibility. This arrangement should be without prejudice to the obligations under this Regulation of all parties concerned to ensure that the router and their respective systems and infrastructure function properly, as well as the fact that air carriers are subject to penalties when they fail to meet those obligations, including when they seek to rely on this arrangement where such reliance is not justified. In order to deter such abuse and to facilitate supervision and, where necessary, the imposition of penalties, air carriers that rely on this arrangement on account of the failure of their own system and infrastructure should report thereon to the competent supervisory authority.
Amendment 93 #
Proposal for a regulation
Recital 22
Recital 22
(22) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities charged with the supervision of those rules. The rules of this Regulation on such supervision, including as regards to the imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680 unaffected, including in relation to the processing of personal data under this Regulation.
Amendment 95 #
Proposal for a regulation
Recital 23
Recital 23
(23) Effective, proportionate and dissuasive penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the collection and transfer of API and PNR data under this Regulation.
Amendment 96 #
Proposal for a regulation
Recital 23 a (new)
Recital 23 a (new)
Amendment 100 #
Proposal for a regulation
Recital 25
Recital 25
(25) All interested parties, and in particular the air carriers and the PIUs, should be afforded sufficient time to make the necessary preparations to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can only be finalised when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date at which the router starts operations, as specified by the Commission in accordance with this Regulation and the Regulation (EU) [API border management]. However, it should be possible for the Commission to adopt delegated acts under this Regulation already from an earlier date, so as to ensure that the system set up by this Regulation is operational as soon as possible.
Amendment 107 #
Proposal for a regulation
Article 1 – paragraph 1 – point c
Article 1 – paragraph 1 – point c
(c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data and PNR data on extra-EU flights and selected intra-EU flights.
Amendment 117 #
Proposal for a regulation
Article 3 – paragraph 1 – point c
Article 3 – paragraph 1 – point c
(c) ‘intra-EU flight’ means any flight as defined in Article 3, point (3), of Directive (EU) 2016/681, with the exception of those flights for which neither the Member State from where the flight is scheduled to depart, nor the Member State where the flight is scheduled to land, have notified their decision to apply Directive 2016/681 to intra-EU flights, pursuant to Article 2 of that Directive;
Amendment 120 #
Proposal for a regulation
Article 3 – paragraph 1 – point g
Article 3 – paragraph 1 – point g
(g) ‘crew’ means any person as defined in Article 3, point (hi), of Regulation (EU) [API border management];
Amendment 124 #
Proposal for a regulation
Article 3 – paragraph 1 – point h
Article 3 – paragraph 1 – point h
(h) ‘traveller’ means any person as defined in Article 3, point (ij), of Regulation (EU) [API border management];
Amendment 125 #
Proposal for a regulation
Article 3 – paragraph 1 – point i
Article 3 – paragraph 1 – point i
(i) ‘advance passenger information data’ or ‘API data’ means the data as defined in Article 3, point (jk), of Regulation (EU) [API border management];
Amendment 126 #
Proposal for a regulation
Article 3 – paragraph 1 – point n
Article 3 – paragraph 1 – point n
(n) ‘the router’ means the router as defined in Article 5c (new) and Article 3, point (km) of Regulation (EU) [API border management];
Amendment 128 #
Proposal for a regulation
Article -4 (new)
Article -4 (new)
Amendment 129 #
Proposal for a regulation
Article 4 – title
Article 4 – title
Amendment 130 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
Amendment 138 #
Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 1
Article 4 – paragraph 3 – subparagraph 1
Air carriers shall collect the alphanumerical API data referred to in Article 43a(new)(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine- readable data of the travel document of the traveller concerned. Air carriers shall collect that data during the check-in procedures, either as part of the online check-in or as part of the check-in at the airport. They shall do so in accordance with the detailed technical requirements and operational rules referred paragraph 5, where such rules have been adopted and are applicable. Specifically, the collection of API data with automated means shall not lead to the collection of any biometric data contained in the travel document. The collection of API data shall not imply any checks at the moment of boarding of the traveller. Compliance with this Regulation shall not imply any obligation to carry a travel document at the moment of boarding.
Amendment 143 #
Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 2
Article 4 – paragraph 3 – subparagraph 2
Amendment 148 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article 43a(new)(2), points (a) to (d), of Regulation (EU) [API border management] using automated means in accordance with paragraphs 3 and 4 of this Article.
Amendment 161 #
Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 2
Article 4 – paragraph 8 – subparagraph 2
Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received thesuch API data transmitted through the router.
Amendment 164 #
Proposal for a regulation
Article 4 – paragraph 9 a (new)
Article 4 – paragraph 9 a (new)
9a. In accordance with Directive 2016/681, air carriers shall also transfer PNR data to the router, insofar as these data are collected in the normal course of their business, for the transmission of these data from the router to the respective PIUs in accordance with Article 5(4). This shall be the only necessary and available means for air carriers to transfer PNR data in accordance with Article 8(1) of Directive 2016/681.
Amendment 167 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1
Article 5 – paragraph 1 – subparagraph 1
The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on thwhose territory of which the flight will land or from the territory of which the flight will depart from, or to both in the case of intra- EU-flights. Where a flight has one or more stop-overs at the territory of another Member States than the one from which it departed, the router shall transmit the API data to the PIUs of all the Member States concerned.
Amendment 171 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 2
Article 5 – paragraph 1 – subparagraph 2
For the purpose of such transmissions, eu- LISA shall establish and keep up-to-date a table of correspondence between the different airports of origin and destination and the countries to which they belong.
Amendment 175 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
Article 5 – paragraph 1 – subparagraph 3
However, for intra-EU flights, the router shall only transmit theonly API data to that PIU in respect of the flights included in the list referred to in paragraph 2 to the applicable PIUs.
Amendment 184 #
Proposal for a regulation
Article 5 – paragraph 3 a (new)
Article 5 – paragraph 3 a (new)
3a. This provision shall apply mutatis mutandis to the transmission of PNR data from the router to the PIUs of the Member States in accordance with Article 8(1) of Directive 2016/681. This shall be the only means for PIUs to receive PNR data from air carriers.
Amendment 186 #
Proposal for a regulation
Article 5 a (new)
Article 5 a (new)
Article5a Methodology for the selection of intra-EU flights 1. For the purpose of establishing the list referred to in paragraph 2 of Article 5, Member States shall carry out a thorough threat assessment. 2. Such threat assessment shall be carried out in an objective, duly reasoned and non-discriminatory manner. In particular such assessment shall not be purely based on the nationality, sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers. 3. The outcome of that threat assessment shall be subject to regular review. Its validity shall be limited in time to what is strictly necessary and shall in any case not exceed 3 months unless it is extended, based on objective necessity. The frequency of the review shall reflect the nature of information referred to in 5b(new)(2)(b). 4. Member States shall keep all relevant documentation justifying the outcome of the threat assessment and its possible prolongation. In order to allow for effective supervision, Member States shall make that documentation available to the competent national data protection authorities referred to in article 41 of Directive 2016/680.
Amendment 188 #
Proposal for a regulation
Article 5 b (new)
Article 5 b (new)
Article5b Substantive criteria for the selection of intra-EU flights 1. Member States shall base their threat assessment, referred to in Article 5a(new) on information and considerations regarding: a. the proportionality of interferening with the fundamental rights laid down in Articles 7 and 8 of the Charter in relation to the importance of the objective of general interest;b. the duration of the selection and thus interference with fundamental rights;c. the general level of threat identified at national and Union level, solely in relation to terrorist and serious criminal offences within the scope of this Regulation; and d. the specific level of threat identified on a particular intra-EU flight, in the context of one or several terrorist and serious criminal offences within the scope of this Regulation, relating, inter alia, to a certain route, travel pattern or airport. 2. When assessing the specific level of threat identified on a particular flight, Member States shall use: a. Statistical information on the previous results of the automated processing of PNR data of passengers on that particular flight or route; b. Objective, duly reasoned, non- discriminatory and documented information received by their authorities competent for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, such as information on new criminal trends and changes in the modus operandi. Such assessment shall not be purely based on the nationality sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers.
Amendment 191 #
Proposal for a regulation
Chapter 2 a (new)
Chapter 2 a (new)
2a PROVISIONS RELATING TO THE ROUTER
Amendment 192 #
Proposal for a regulation
Article -6 (new)
Article -6 (new)
Amendment 193 #
Proposal for a regulation
Article -6 a (new)
Article -6 a (new)
Article-6a Exclusive use of the router Notwithstanding the use of the router in Article 10 of Regulation (EU) [API border management], the router shall only be used by air carriers to transfer API and PNR data, and by PIUs to receive API and PNR data for extra-EU flights and selected intra-EU flights, in accordance with this Regulation.
Amendment 194 #
Proposal for a regulation
Article -6 b (new)
Article -6 b (new)
Amendment 195 #
Proposal for a regulation
Article 6 – paragraph -1 (new)
Article 6 – paragraph -1 (new)
Amendment 198 #
Proposal for a regulation
Article 6 – paragraph 4 – subparagraph 2
Article 6 – paragraph 4 – subparagraph 2
However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, air carriers mayshall keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.
Amendment 201 #
Proposal for a regulation
Article 7 – paragraph 2 a (new)
Article 7 – paragraph 2 a (new)
Amendment 203 #
Proposal for a regulation
Article 7 a (new)
Article 7 a (new)
Article7a Personal data processor eu-LISA shall be the processor within the meaning of Article 3, point (9), of Directive 2016/680 (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation.
Amendment 205 #
Proposal for a regulation
Article 7 b (new)
Article 7 b (new)
Amendment 206 #
Proposal for a regulation
Article 7 c (new)
Article 7 c (new)
Article7c Fundamental Rights 1. Collection and processing of personal data in accordance with this Regulation and Regulation (EU) [API border management] by air carriers and competent authorities shall not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. 2. This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life, to the protection of personal data and to freedom of movement. 3. Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.
Amendment 207 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. PIUs and air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation.
Amendment 209 #
2. PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other and with eu- LISA to ensure such security.
Amendment 210 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2a. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu- LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
Amendment 211 #
Proposal for a regulation
Article 8 – paragraph 2 b (new)
Article 8 – paragraph 2 b (new)
2b. In particular, eu-LISA shall take the necessary measures to ensure the security of the router and the API data, in particular API data constituting personal data, transmitted through the router, including by establishing, implementing and regularly updating a security plan, a business continuity plan and a disaster recovery plan, in order to: (a) physically protect the router, including by making contingency plans for the protection of critical components thereof; (b) prevent any unauthorised processing of the API data, including any unauthorised access thereto and copying, modification or deletion thereof, both during the transfer of the API data to and from the router and during any storage of the API data on the router where necessary to complete the transmission, in particular by means of appropriate encryption techniques; (c) ensure that it is possible to verify and establish to which competent border authorities or PIUs the API data is transmitted through the router; (d) properly report to its Management Board any faults in the functioning of the router; (e) monitor the effectiveness of the security measures required under this Article and under Regulation (EU) 2018/1725, and assess and update those security measures where necessary in the light of technological or operational developments. The measures referred to in the first subparagraph of this paragraph shall not affect Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679.
Amendment 213 #
Proposal for a regulation
Article 9 a (new)
Article 9 a (new)
Article9a Personal data protection audits 1. The competent national data protection authorities referred to in Article 41 of Directive 2016/680 shall ensure that an audit of processing operations of API data constituting personal data performed by the PIUs for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every two years. 2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted. 3. In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 6, and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.
Amendment 217 #
Proposal for a regulation
Article 11 a (new)
Article 11 a (new)
Article11a eu-LISA’s tasks relating to the design and development of the router 1. eu-LISA shall be responsible for the design of the physical architecture of the router, including defining the technical specifications. 2. eu-LISA shall be responsible for the development of the router, including for any technical adaptations necessary for the operation of the router. The development of the router shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination of the development phase. 3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation, and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in 4(5) and (9), Article 5(3), Article 10(2), Article 11(2). 4. Where eu-LISA considers that the development phase has been completed, it shall, without undue delay, conduct a comprehensive test of the router, in cooperation with the competent border authorities, PIUs and other relevant Member States’ authorities and air carriers and inform the Commission of the outcome of that test.
Amendment 219 #
Proposal for a regulation
Article 11 b (new)
Article 11 b (new)
Amendment 220 #
Proposal for a regulation
Article 11 c (new)
Article 11 c (new)
Article11c eu-LISA’s support tasks relating to the router 1. eu-LISA shall, upon their request, provide training to competent border authorities, PIUs and other relevant Member States’ authorities and air carriers on the technical use of the router. 2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation, in particular as regards the application of Articles 5 and 10 of this Regulation
Amendment 221 #
Proposal for a regulation
Article 12 – title
Article 12 – title
Costs of eu-LISA and of Member States’ costs
Amendment 222 #
Proposal for a regulation
Article 12 – paragraph 1 – subparagraph 1
Article 12 – paragraph 1 – subparagraph 1
Costs incurred by eu-LISA and the Member States in relation to their connections to and integration with the router referred to in Article 10 shall be borne by the general budget of the Union.
Amendment 226 #
Proposal for a regulation
Article 14 a (new)
Article 14 a (new)
Article14a Start of operations of the router The Commission shall determine, without undue delay, the date from which the router starts operations by means of an implementing act once eu-LISA has informed the Commission of the successful completion of the comprehensive test of the router referred to in Article 11a(new)(4). That implementing act shall be adopted in accordance with the examination procedure referred to in Article 18a(new)(2). The Commission shall set the date referred to in the first subparagraph to be no later than 30 days from the date of the adoption of that implementing act.
Amendment 227 #
Proposal for a regulation
Article 14 b (new)
Article 14 b (new)
Amendment 228 #
Proposal for a regulation
Article 14 c (new)
Article 14 c (new)
Article14c Use of the router for PNR data The provisions of Chapters 3 and 4 shall apply mutatis mutandis to the mandatory transfer and transmission of PNR data through the router.
Amendment 232 #
Proposal for a regulation
Article 16 a (new)
Article 16 a (new)
Amendment 237 #
Proposal for a regulation
Article 18 a (new)
Article 18 a (new)
Article18a Committee procedure 1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.
Amendment 240 #
Proposal for a regulation
Article 20 – paragraph -1 (new)
Article 20 – paragraph -1 (new)
-1. eu-LISA shall ensure that procedures are in place to monitor the development of the router in light of objectives relating to planning and costs, and to monitor the functioning of the router in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.
Amendment 241 #
Proposal for a regulation
Article 20 – paragraph -1 a (new)
Article 20 – paragraph -1 a (new)
-1a. By [one year after the date of entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall produce a report, and submit it to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and about any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 12.
Amendment 242 #
Proposal for a regulation
Article 20 – paragraph -1 b (new)
Article 20 – paragraph -1 b (new)
-1b. Once the router starts operations, eu-LISA shall produce a report and submit it to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.
Amendment 247 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
It shall apply from two years from the date at which the router starts operations, specified by the Commission in accordance with Article 27 of Regulation (EU) [API border management]14a(new).
Amendment 248 #
However, Article 4(5) and (9), Article 5(3), Article 10(2), Article 11(2), Article 18a(new) and Article 19 shall apply from [Date of entry into force of this Regulation].