The European Parliament adopted by 492 votes to 33, with 10 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC.

The European Parliament’s position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:

Subject matter

To enhance and facilitate the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this Regulation lays down the rules on: (a) the collection by air carriers of advance passenger information; (b) the transfer by air carriers to the router of the API data; (c) the transmission from the router to the competent border authorities of the API data. The Regulation should also apply to air carriers conducting flights into the Union.

Collection and transfer of API data

Air carriers should collect API data of each passenger on flights to the EU to be transferred to the router. The API data should consist only of the following data relating to each passenger on the flight : the surname, the date of birth, sex and nationality; the type and number of the travel document and the three-letter code of the issuing country of the travel document; the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator); seating and baggage information.

In addition, air carriers should collect certain flight information, such as the flight identification number, airport code, departure and arrival times and the air carrier's contact details.

Where air carriers provide an online check-in process, they should enable passengers to provide API data by automated means during this online check-in process. For passengers that do not check-in online, air carriers should enable those passengers to provide those API data by automated means during check-in at the airport with the assistance of a self-service kiosk or of airline staff at the counter.

During a transitional period, air carriers should provide the possibility to passengers to provide API data manually as part of the online check-in. Air carriers should transfer the API data: (a) per passenger at the moment of check-in, but not earlier than 48 hours prior to the scheduled departure time, and: (b) for all boarded passengers immediately after flight closure.

Any processing of API data and, in particular, of API data constituting personal data must remain strictly limited to what is necessary and proportionate to achieve the objectives pursued by the Regulation. Furthermore, the processing of API data collected and transferred under the Regulation must not lead to any form of discrimination prohibited by the Charter of Fundamental Rights of the European Union. Particular attention must be paid to children, the elderly, people with disabilities and vulnerable persons.

Where an air carrier becomes aware that the data that it stores under this Regulation was processed unlawfully, or that the data does not constitute API data, it should immediately and permanently delete, that data.

The router

The European Union Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) should design, develop, host and technically manage a router to facilitate the transfer of encrypted API data by air carriers to the competent border authorities.

The router should verify, in an automated manner and on the basis of real-time air traffic data, whether the air carrier has transferred the API data. Where the router has verified that the data has not been transferred by the air carrier, it should immediately and in an automated manner inform the air carrier concerned and the competent border authorities of the Member States to which the data was to be transferred. In this case, the air carrier should transfer the API data immediately.

Data protection

The air carriers should be controllers, within the meaning of the GDPR, for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under this Regulation. Each Member State should designate a competent authority as data controller and communicate those authorities to the Commission, eu-LISA and the other Member States.

Air carriers should provide passengers, on flights covered by this Regulation, with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights.

Governance

No later than the date of entry into force of the Regulation, the Management Board of eu-LISA should establish a Programme Management Board consisting of ten members. The Programme Management Board should ensure the proper execution of eu-LISA's tasks relating to the design and development of the router. At the request of the Programme Management Board, eu-LISA should provide detailed and up-to-date information on the design and development of the router, including the resources allocated by eu-LISA.

Technical matters related to the usage and functioning of the router should be discussed in the API-PNR Contact Group where eu-LISA representatives should be also present.

Sanctions

Member States should ensure that a recurrent failure to transfer API data is subject to proportionate financial penalties of up to 2% of the air carrier's global turnover for the previous financial year. Failure to comply with the other obligations set out in the Regulation should be subject to proportionate penalties, including financial penalties.

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Jan-Christoph OETJEN (Renew, DE) on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

API data to be collected by air carriers

The amended text stated that air carriers should collect API data of passengers, consisting of the passenger data and the flight information, respectively, on the flights for the purpose of transferring that API data to the router. Where the flight is code-shared between one or more air carriers, the obligation to transfer the API data should be on the air carrier that operates the flight.

Means of collecting API data

The collection of API data should not include an obligation for air carriers to check the travel document at the moment of boarding the aircraft or an obligation for passengers to carry a travel document when travelling, without prejudice to acts of national law that are compatible with Union law. The collection of API data by automated means should not lead to the collection of any biometric data from the travel document.

Where air carriers provide an online check-in process, they should enable passengers to provide the API data during the online check-in process, using automated means .

Air carriers should ensure that API data is encrypted during the transmission of the data from the passenger to the air carriers.

Obligations on air carriers regarding transfers of API data

At the moment of check-in, air carriers should transfer the API data in accordance with this Regulation and relevant international standards. Air carriers should receive an acknowledgement of receipt of the transfer of the API data.

Processing of API data received

The competent border authorities should be prohibited from processing API data for the purposes of profiling under any circumstances.

Storage and deletion of API data

Members suggested that air carriers should store, for a time period of 24 hours (as opposed to the 48 hours proposed by the Commission) from the moment of departure of the flight, the API data relating to that passenger that they collected. They should immediately and permanently delete that API data after the expiry of that time period.

Air carriers or competent border authorities should immediately and permanently delete API data where they become aware that the API data collected was processed unlawfully or that the data transferred does not constitute API data.

Fundamental Rights

The collection and processing of personal data by air carriers and competent authorities should not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.

The router

Members clarified the functioning of the router. It should allow for the reception and transmission of encrypted API data and automatically extract and make available the statistics to the central repository for reporting and statistics.

eu-LISA should design and develop the router in a way that any API data transferred from the air carriers to the router and any API data transmitted from the router to the competent border authorities and to the central repository for reporting and statistics are encrypted.

Information to passengers

Air carriers should provide passengers with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to passengers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the personal data at the moment of check-in.

Costs of eu-LISA, the European Data Protection Supervisor, the national supervisory authorities and of Member States

Member underlined that the financial appropriation to the functioning of the router will determine its success, therefore eu-LISA should be provided with the necessary resources. In addition, in view of the expected increase in tasks for the EDPS and national data protection authorities, the report includes provisions regarding the coverage of cost costs incurred by them as well.

Penalties

Member States should ensure that a systematic or persistent failure to comply with obligations set out in this Regulation is subject to financial penalties of up to 2% of an air carrier's global turnover of the preceding business year.

API Expert Group

The committee called for an API Expert Group to be set up to facilitate cooperation and the exchange of information on obligations stemming from and issues relating to this Regulation among Member States, EU institutions and stakeholders.

The Group should be composed of representatives of the European Commission, Member States’ relevant authorities, the European Parliament and eu-LISA.

Monitoring and evaluation

Members considered that this Regulation should be subject to regular evaluations to ensure the monitoring of its effective application. In particular, the collection of API data should not be to the detriment of the travel experience of legitimate passengers. The overall regulatory burden for the aviation sector should be kept under close review.

Moreover, the report should assess the extent to which the objectives of the Regulation have been met and to which extent it has impacted the competitiveness of the sector.

PURPOSE: to present new rules on the collection and transfer of advance passenger information (API) to facilitate external border controls, combat illegal immigration and increase internal security.

PROPOSED ACT: Regulation of the European Union and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: Advance Passenger Information (API) is information on a passenger collected at check-in or at boarding. It includes information about the passenger and information about their flight. In 2019, the International Civil Aviation Organisation (ICAO) reported 4.5 billion passengers globally carried by air transport on scheduled services, with over half a billion passengers that enter or leave the EU every year. This puts a strain on the external air borders of the EU as all travellers, meaning non-EU nationals, and EU citizens crossing the external borders, should be effectively and systematically checked against the relevant databases. To ensure that checks can be performed efficiently on every air passenger, there is a need to speed up border controls at airports and ensure the facilitation of passenger flows while at the same time maintaining a high level of security.

The existing legal framework on API data, which consists of Council Directive 2004/82/EC and national law transposing that Directive, has proven important in improving border controls, notably by setting up a framework for Member States to introduce provisions for laying down obligations on air carriers to transfer API data on passengers transported into their territory. However, divergences remain at national level. In particular, API data is not systematically requested from air carriers and air carriers are faced with different requirements regarding the type of information to be collected and the conditions under which the API data needs to be transferred to competent border authorities. Those divergences lead not only to unnecessary costs and complications for the air carriers, but they are also prejudicial to ensuring effective and efficient pre-checks of persons arriving at external borders.

The existing legal framework should therefore be updated and replaced to ensure that the rules regarding the collection and transfer of API data for the purpose of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and for combating illegal immigration are clear, harmonised and effective .

CONTENT: this proposed Regulation presents new rules on the collection and transfer of advance passenger information (API) to facilitate external border controls, combat illegal immigration and increase internal security. It lays down the rules on:

- the collection by air carriers of advance passenger information (‘API data’) on flights into the Union;

- the transfer by air carriers to the router of the API data;

- the transmission from the router to the competent border authorities of the API data.

It will apply to air carriers conducting scheduled or non-scheduled flights into the Union.

Overall, the proposal contains:

- provisions for the collection and transfer of API data, namely a clear set of rules for the collection of API data by air carriers, rules regarding the transfer of API data to the router, the processing of API data by competent border authorities, and the storage and deletion of API data by air carriers and those authorities;

- provisions for the transmission of API data through a central router which will act as the single point of reception and onward distribution of data, replacing the current system comprised of multiple connections between air carriers and national authorities. More specifically, it includes provisions describing the main features of the router, rules on the use of the router, the procedure for the transmission of API data from the router to the competent border authorities, deletion of API data from the router, the keeping of logs, and the procedures in case of a partial or full technical impossibility to use the router;

- specific provisions on the protection of personal data . More specifically, it specifies who the data controllers and data processor are for the processing of API data constituting personal data pursuant to this Regulation. It also sets out measures required from eu-LISA to ensure the security of data processing, in line with the provisions of Regulation (EU) 2018/1725. It sets out measures required from air carriers and competent border authorities to ensure their self-monitoring of compliance with the relevant provisions set out in this Regulation and rules on audits;

- specific issues relating to the router . It contains requirements on the connections to the router of competent border authorities and air carriers. It also sets out the tasks of eu-LISA relating to the design and development of, the hosting and technical management of, and other support tasks relating to, the router. It also contains provisions concerning the costs incurred by eu-LISA and Member States under this Regulation, in particular as regards Member States’ connections to and integration with the router. It also sets out provisions regarding liability for damage cause to the router, the start of operations of the router and the possibility of voluntary use of the router by air carriers subject to certain conditions;

- provisions on supervision, possible penalties applicable to air carriers for non-compliance of their obligations set out in this Regulation, rules relating to statistical reporting by eu-LISA, and on the preparation of a practical handbook by the Commission;

Budgetary implications

This proposal will have an impact on the budget and staff needs of eu-LISA and Member States’ competent border authorities.

For eu-LISA, it is estimated that an additional budget of around EUR 45 million (33 million under current MFF) to set-up the router and EUR 9 million per year from 2029 onwards for the technical management thereof, and that around 27 additional posts would be needed for to ensure that eu-LISA has the necessary resources to perform the tasks attributed to it in this proposed Regulation and in the proposed Regulation for the collection and transfer of API data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

For Member States, it is estimated that EUR 27 million (EUR 8 million under the current Multiannual Financial Framework) dedicated to upgrading the necessary national systems and infrastructures for border management authorities, and progressively up to EUR 5 million per year from 2028 onwards for the maintenance thereof, could be entitled for reimbursement by Border Management and Visa Instrument fund. Any such entitlement will ultimately have to be determined in accordance with the rules regulating those funds as well as the rules on costs contained in the proposed Regulation.