2022/0425(COD) Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Lead committee dossier:
Progress: Awaiting Parliament's position in 1st reading
| Role | Committee | Rapporteur | Shadows |
|---|---|---|---|
| Lead | LIBE |
KANKO Assita ( ECR)
|
LENAERS Jeroen ( EPP),
TANG Paul ( S&D),
OETJEN Jan-Christoph ( Renew),
STRIK Tineke ( Verts/ALE),
FEST Nicolaus ( ID),
DALY Clare ( GUE/NGL)
|
| Committee Opinion | BUDG | ||
| Committee Opinion | TRAN |
OETJEN Jan-Christoph ( Renew)
|
Marian-Jean MARINESCU ( PPE),
Kosma ZŁOTOWSKI ( ECR),
Josianne CUTAJAR ( S&D),
Clare DALY ( GUE/NGL)
|
Lead committee dossier:
Legal Basis:
TFEU 082-p2, TFEU 087-p2
Legal Basis:
TFEU 082-p2, TFEU 087-p2Subjects
Events
2024/03/19
EP - Approval in committee of the text agreed at 1st reading interinstitutional negotiations
Documents
2024/03/13
CSL - Coreper letter confirming interinstitutional agreement
Documents
2023/12/13
EP - Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
2023/12/11
EP - Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
2023/12/07
EP - Committee report tabled for plenary, 1st reading
Details
The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Assita KANKO (ECR, BE) on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
API data to be collected by air carriers
The amended text stated that air carriers should collect API data of passengers , consisting of the passenger data and the flight information, respectively, on the flights for the purpose of transferring that API data to the router.
API data should include only the following passenger data for each passenger on the flight: (a) surname, given name(s); (b) date of birth, sex and nationality; (c) type and number of travel document and the three-letter code of the country that issued it; (d) expiry date of the validity of the travel document; (e) the Passenger Name Record number used by an air carrier to locate a passenger in its information system (PNR record locator); (f) the aircraft seat number allocated to a passenger; (g) the number and weight of checked baggage.
API data should include only the following flight information : the flight identification number(s); where applicable, the border crossing point of entry into the territory of the Member State; the airport code of entry into the territory of the Member State; the initial point of embarkation; the local date and estimated time of departure and arrival.
Collection of API data
Air carriers should collect the API data, using automated means to collect the machine-readable data of the travel document of the passenger concerned.
Where the use of automated means is not possible, air carriers should collect that data manually , either as part of the online check-in or as part of the check-in at the airport.
The collection of API data by automated means should be strictly limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it.
Storage and deletion of API data
Members suggested that air carriers should store, for a time period of 24 hours from the moment of departure of the flight, the API data relating to that passenger that they collected. They should immediately and permanently delete that API data after the expiry of that time period.
Air carriers or competent border authorities should immediately and permanently delete API data where they become aware that the API data collected was processed unlawfully or that the data transferred does not constitute API data.
Fundamental rights
The processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary and proportionate to achieve the objectives pursued by the Regulation. Furthermore, the processing of API data collected and transferred under the Regulation should not lead to any form of discrimination excluded by the Charter of Fundamental Rights of the European Union.
The Router
The report stated that in order to avoid that air carriers have to establish and maintain multiple connections with Passenger Information Units (PIUs) for the transfer of API data and PNR data, and to avoid the related inefficiencies and security risks, provision should be made for a single router, created and operated at the Union level, that should serve as a connection, filter and distribution point for those transfers.
In this regard, eu-LISA should design, develop, host and technically manage, a router for the purpose of facilitating the transfer of encrypted API and PNR data by the air carriers to the PIUs.
Methodology and criteria for the selection of intra-EU flights
Member States that decide to apply Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’) and consequently this Regulation to intra-EU flights should for the selection of those flights:
- carry out an objective, duly reasoned and non-discriminatory threat assessment ;
- take into account only criteria which are relevant for the prevention, detection, investigation and prosecution of terrorist offences and serious crime having an objective link.
In situations of a genuine and present or foreseeable terrorist threat , Member States may apply Directive (EU) 2016/681 to all intra-EU flights arriving at or departing from its territory, in a decision that is limited in time to what is strictly necessary and that is open to effective review.
Logs
Members suggested that u-LISA should keep logs of all processing operations relating to the transfer of API data through the router under this Regulation.
Actions in the case of technical impossibility to use the router
eu-LISA should immediately notify air carriers and Passenger Information Units in an automated manner of the technical impossibility of using the router and take steps to remedy this technical impossibility.
Information to passengers
Air carriers should provide passengers with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to passengers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the personal data at the moment of check-in.
Penalties
Member States should ensure that a systematic or persistent failure to comply with obligations set out in this Regulation is subject to financial penalties of up to 2% of an air carrier's global turnover of the preceding business year.
Documents
2023/11/28
EP - Vote in committee, 1st reading
2023/11/28
EP - Committee decision to open interinstitutional negotiations with report adopted in committee
2023/09/15
PT_PARLIAMENT - Contribution
Documents
2023/09/05
EP - Amendments tabled in committee
Documents
2023/07/19
EP - Committee opinion
Documents
2023/07/04
EP - Committee draft report
Documents
2023/04/27
ESC - Economic and Social Committee: opinion, report
Documents
2023/04/26
NL_SENATE - Contribution
Documents
2023/03/28
EP - KANKO Assita (ECR) appointed as rapporteur in LIBE
2023/03/23
ES_PARLIAMENT - Contribution
Documents
2023/02/22
EP - OETJEN Jan-Christoph (Renew) appointed as rapporteur in TRAN
2023/02/13
EP - Committee referral announced in Parliament, 1st reading
2023/02/08
EDPS - Document attached to the procedure
Documents
2022/12/14
EC - Document attached to the procedure
Documents
2022/12/13
EC - Legislative proposal published
Details
PURPOSE: to present new rules on the collection and transfer of advance passenger information (API) for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
PROPOSED ACT: Regulation of the European Union and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: over the last decade the EU and other parts of the world have seen an increase in serious and organised crime. According to Europol’s EU Serious and Organised Crime Threat Assessment, most organised crime involves international travel, typically aimed at smuggling persons, drugs or other illicit goods into the EU. Notably, criminals make frequent use of the EU’s main airports as well as smaller regional airports operating low-cost airlines. In this context, information on air travellers is an important tool for law enforcement authorities to counter serious crime and terrorism in the EU.
Air traveller data includes Advance Passenger Information (API) and Passenger Name Records (PNR) which, when used together, are particularly effective to identify high-risk travellers and to confirm the travel pattern of suspected individuals.
In the EU, the PNR Directive does not lead to the collection of the full set of API data, as air carriers do not have any business purpose to collect such data.
The joint processing of API and PNR data by competent law enforcement authorities substantially increases the effectiveness of the fight against serious crimes and terrorism in the EU . The combined use of API data and PNR data enables the competent national authorities to confirm the identity of passengers and greatly improves the reliability of PNR data.
The current EU legal framework only regulates the use of PNR data for fighting serious crime and terrorism but does not do so specifically for API data, which can be requested only on flights coming from third countries, leading to a security gap , notably regarding intra-EU flights for which Member States request air carriers to transfer PNR data. Passenger Information Units obtain the most effective operational results on flights where both API and PNR data are collected. This means that competent law enforcement authorities cannot benefit from the results of the joint processing of API data and PNR data on flights within the EU, for which only PNR data is transferred.
For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data, which requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flight.
It is therefore necessary to establish at Union level clear, harmonised and effective rules on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
CONTENT: the proposed Regulation aims to lay down better rules for the collection and transfer of API data by air carriers for the purpose of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime. More specifically, it lays down rules on:
- the collection by air carriers of advance passenger information data (‘API data’) on extra EU flights and selected intra EU flights;
- the transfer by air carriers to the router of the API data;
- the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data on extra-EU flights and selected intra-EU flights.
It will apply to air carriers conducting scheduled or non-scheduled extra-EU flights or intra-EU flights.
Overall, the proposal contains:
- the provisions for the collection, transfer to the router and deletion of API data by air carriers, and rules regarding the transmission of API data from the router to the Passenger Information Units;
- specific provisions on logs, specifications as to whom are the personal data controllers in relation to processing of API data constituting personal data under this Regulation, security and self-monitoring by air carriers and PIUs;
- rules on the connections to, and integration with, the router by Passenger Information Units and air carriers, as well as on Member States’ costs in connection thereto. It also contains provisions regulating the situation of a partial or full technical impossibility to use the router and on liability for damage caused to the router;
- provisions on supervision, on possible penalties applicable to air carriers for non-compliance of their obligations set out in this Regulation and on the preparation of a practical handbook by the Commission.
Budgetary implications
This proposal will have an impact on the budget and staff needs of eu-LISA and Member States’ competent border authorities.
For eu-LISA, it is estimated that an additional budget of around EUR 45 million (33 million under current MFF) to set-up the router and EUR 9 million per year from 2029 onwards for the technical management thereof, and that around 27 additional posts would be needed for to ensure that eu-LISA has the necessary resources to perform the tasks attributed to it in this proposed Regulation and in the proposed Regulation for the collection and transfer of API data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
For Member States, it is estimated that EUR 27 million (EUR 8 million under the current Multiannual Financial Framework) dedicated to upgrading the necessary national systems and infrastructures for border management authorities, and progressively up to EUR 5 million per year from 2028 onwards for the maintenance thereof, could be entitled for reimbursement by Border Management and Visa Instrument fund. Any such entitlement will ultimately have to be determined in accordance with the rules regulating those funds as well as the rules on costs contained in the proposed Regulation.
Documents
Documents
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: GEDA/A/(2024)001513
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001513
- Committee report tabled for plenary, 1st reading: A9-0411/2023
- Contribution: COM(2022)0731
- Amendments tabled in committee: PE752.818
- Committee opinion: PE746.973
- Committee draft report: PE750.253
- Economic and Social Committee: opinion, report: CES0256/2023
- Contribution: COM(2022)0731
- Contribution: COM(2022)0731
- Document attached to the procedure: OJ C 084 07.03.2023, p. 0002
- Document attached to the procedure: N9-0017/2023
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SWD(2022)0424
- Legislative proposal published: COM(2022)0731
- Legislative proposal published: EUR-Lex
- Document attached to the procedure: EUR-Lex SWD(2022)0424
- Document attached to the procedure: OJ C 084 07.03.2023, p. 0002 N9-0017/2023
- Economic and Social Committee: opinion, report: CES0256/2023
- Committee draft report: PE750.253
- Committee opinion: PE746.973
- Amendments tabled in committee: PE752.818
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)001513
- Contribution: COM(2022)0731
- Contribution: COM(2022)0731
- Contribution: COM(2022)0731
| Amendments | Dossier |
| 254 |
2022/0425(COD)
2023/05/31
TRAN
30 amendments...
Amendment 10 #
Proposal for a regulation Recital 6 a (new) (6a) Given that this Regulation requires additional adjustment and administrative costs by the air carriers, the overall regulatory burden for the aviation sector should be kept under close review. Against this backdrop, the report evaluating the functioning of this Regulation should assess the extent to which the objectives of the Regulation have been met and to which extent it has impacted the competitiveness of the sector. Therefore, the Commission’s report should also refer to the interaction of this Regulation with other relevant EU legislative acts, notably Regulation (EU) 2017/2226, Regulation (EU) 2018/1240 and Regulation (EC) 767/2008. The report should assess the overall impact of related reporting obligations on air carriers, identifying provisions that may be updated and simplified to mitigate the burden on air carriers, as well as actions and measures that have been or could be taken to reduce the total cost pressure on the aviation sector.
Amendment 11 #
Proposal for a regulation Recital 7 Amendment 12 #
Proposal for a regulation Recital 10 (10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned
Amendment 13 #
Proposal for a regulation Recital 11 (11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. That concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data. In order to reduce the impact on air carriers, and with a view to create synergies with other reporting obligations on air carriers in Regulation (EU) 2017/2226, Regulation (EU) 2018/1240 and Regulation (EC) 767/2008 and avoid duplication, air carriers should transfer the API data at the moment of check-in of each traveller by way of interactive API in accordance with international standards, using the existing carrier gateway. Air carriers should receive an acknowledgement of receipt to the transfer of interactive API, in line with international standards.
Amendment 14 #
Proposal for a regulation Recital 11 (11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as
Amendment 15 #
Proposal for a regulation Recital 11 a (new) (11a) The automatic data collection systems and other processes established under this Regulation should not negatively impact the employees in the aviation industry, who should benefit from upskilling and reskilling opportunities that would increase the efficiency and reliability of data collection and transfer as well as the working conditions in the sector.
Amendment 16 #
Proposal for a regulation Recital 11 a (new) (11a) In order to enhance data quality, the router should verify whether the API data transferred to it by the air carriers complies with the supported data formats. Where the router has verified that the data is not compliant with the suported data formats, the router should, immediately and in an automated manner, notify the air carrier concerned.
Amendment 17 #
Proposal for a regulation Recital 12 a (new) (12a) With a view to guaranteeing the fulfilment of the rights provided for under the Charter of Fundamental Rights and to ensuring accessible and inclusive travel options, especially for vulnerable groups and persons with disabilities, air carriers, supported by the Member States, shall ensure that an offline alternative for the check-in and for the provision of the necessary data by the passengers is possible at all times.
Amendment 18 #
Proposal for a regulation Recital 14 Amendment 19 #
Proposal for a regulation Recital 14 (14) As regards intra-EU flights, in line with the case law of the Court of Justice of the European Union (CJEU), in order to avoid unduly interfering with the relevant fundamental rights protected under the Charter and to ensure compliance with the requirements of Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of Directive (EU) 2016/681. For those reasons, API data on those flights should
Amendment 20 #
Proposal for a regulation Recital 15 Amendment 21 #
Amendment 22 #
Proposal for a regulation Recital 23 a (new) (23a) When providing for the penalties applicable to air carriers under this Regulation, Member States shall take into account the technical, operational and economic feasibility of ensuring complete data accuracy. Additionally, when fines are imposed, their application and value shall be established taking into consideration the actions undertaken by the air carrier to mitigate the issue as well as its repeated failure to cooperate with national authorities.
Amendment 23 #
Proposal for a regulation Recital 26 a (new) (26a) When monitoring and evaluating the effective implementation of this Regulation to the benefit of authorities, travellers and air carriers, the Commission shall conduct a holistic assessment of the present Act in relation to other regulations that impact the flow of travellers' data. In this regard, the Commission shall also consider the harmonisation of the channels of transmission of the data air carriers are required to collect and transfer.
Amendment 24 #
Proposal for a regulation Recital 26 b (new) (26b) With a view to ensuring increased data quality and accuracy, the setting up of travel document validation systems, able to automatically verify carrier- submitted passenger data, should be considered.
Amendment 25 #
Proposal for a regulation Recital 26 c (new) (26c) The EU should evaluate the possibility to include other modes of transport within the scope of this Regulation, while taking into account the particularities, business models and ticket purchase practices thereof.
Amendment 26 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) the collection by air carriers of advance passenger information data (‘API data’) on extra EU flights
Amendment 27 #
Proposal for a regulation Article 1 – paragraph 1 – point c (c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data on extra-EU
Amendment 28 #
Proposal for a regulation Article 3 – paragraph 1 – point c Amendment 29 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 1 Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of
Amendment 30 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 2 However, where such use of automated means is not possible due to the travel document not containing machine-readable data or due to other technical and operational barriers, air carriers shall collect that data manually, in such a manner as to ensure compliance with paragraph 2.
Amendment 31 #
Proposal for a regulation Article 4 – paragraph 7 7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the travellers have boarded the aircraft in preparation for departure and it is no longer possible for travellers to board
Amendment 32 #
Proposal for a regulation Article 4 – paragraph 7 a (new) 7a. The router shall verify whether the API data transferred to it in accordance with paragraph 6 complies with the detailed rules on the supported data formats. Where the router has verified that the data is not compliant with the detailed rules, the router shall, immediately and in an automated manner, notify the air carrier concerned.
Amendment 33 #
Proposal for a regulation Article 4 – paragraph 9 9. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the transfers of API data to the router referred to in
Amendment 34 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 1 The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on the territory of which the flight will land or from the territory of which the flight will depart
Amendment 35 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 3 Amendment 36 #
Proposal for a regulation Article 5 – paragraph 2 Amendment 37 #
Proposal for a regulation Article 20 – paragraph 1 – point c a (new) (ca) the impact of this Regulation on the competitiveness of the aviation sector and the burden incurred by businesses. The Commission’s report shall also address this Regulation’s interaction with other relevant EU legislative acts, notably Regulation (EU) 2017/2226, Regulation (EU) 2018/1240 and Regulation (EC) 767/2008, with a view to assess the overall impact of related reporting obligations on air carriers, identify provisions that may be updated and simplified to mitigate the burden on air carriers, and consider actions and measures that could be taken to reduce the total cost pressure on air carriers.
Amendment 38 #
Proposal for a regulation Article 20 – paragraph 1 – point c a (new) (ca) The interaction with other relevant legislative acts, identifying provisions that may be updated and simplified, as well as actions and measures that have been or could be taken to reduce the total cost pressure on the aviation sector.
Amendment 39 #
Proposal for a regulation Article 20 – paragraph 1 a (new) 1a. The report provided for under paragraph 1 of this Article shall also encompass an assessement of the possibility to include other modes of transport within the scope of this Regulation, while taking into account the particularities, business models and ticket purchase practices thereof.
source: 749.216
2023/09/06
LIBE
224 amendments...
Amendment 100 #
Proposal for a regulation Recital 25 (25) All interested parties, and in particular the air carriers and the PIUs, should be afforded sufficient time to make the necessary preparations to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can only be finalised when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date at which the router starts operations, as specified by the Commission in accordance with this Regulation and the Regulation (EU) [API border management]
Amendment 101 #
Proposal for a regulation Recital 26 a (new) (26a) With a view to ensuring increased data quality and accuracy, the setting up of travel document validation systems, able to automatically verify carrier- submitted passenger data, should be considered.
Amendment 102 #
Proposal for a regulation Recital 26 b (new) Amendment 103 #
Proposal for a regulation Article 1 – paragraph 1 – introductory part For the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime within the meaning of Article 6(2) of Directive (EU) 2016/681, this Regulation lays down the rules on:
Amendment 104 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) the collection by air carriers of advance passenger information data (‘API data’) on extra EU
Amendment 105 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) the collection by air carriers of advance passenger information data (‘API data’) on extra EU
Amendment 106 #
Proposal for a regulation Article 1 – paragraph 1 – point a (a) the collection by air carriers of advance passenger information data (‘API data’) on extra EU flights
Amendment 107 #
Proposal for a regulation Article 1 – paragraph 1 – point c (c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data and PNR data on extra-EU flights and selected intra-EU flights.
Amendment 108 #
Proposal for a regulation Article 1 – paragraph 1 – point c (c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data on extra-EU
Amendment 109 #
Proposal for a regulation Article 1 – paragraph 1 – point c (c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data on extra-EU
Amendment 110 #
Proposal for a regulation Article 1 – paragraph 1 – point c a (new) (ca) the possibility for the Member States to require air carriers to also transfer PNR data to their Passenger Information Units, pursuant to Article 8(1) of Directive 2016/681.
Amendment 111 #
Proposal for a regulation Article 1 – paragraph 1 a (new) This Regulation is without prejudice to Regulation (EU) 2016/679 [GDPR], Regulation (EU) 2018/1725 [EUDPR] and Directive (EU) 2016/680 [LED].
Amendment 112 #
Proposal for a regulation Article 2 – paragraph 1 This Regulation applies to air carriers conducting scheduled or non-scheduled extra-EU
Amendment 113 #
Proposal for a regulation Article 2 – paragraph 1 This Regulation applies to air carriers conducting scheduled or non-scheduled extra-EU
Amendment 114 #
Amendment 115 #
Proposal for a regulation Article 3 – paragraph 1 – point c Amendment 116 #
Proposal for a regulation Article 3 – paragraph 1 – point c Amendment 117 #
Proposal for a regulation Article 3 – paragraph 1 – point c (c) ‘intra-EU flight’ means any flight as defined in Article 3, point (3), of Directive (EU) 2016/681, with the exception of those flights for which neither the Member State from where the flight is scheduled to depart, nor the Member State where the flight is scheduled to land, have notified their decision to apply Directive 2016/681 to intra-EU flights, pursuant to Article 2 of that Directive;
Amendment 118 #
Proposal for a regulation Article 3 – paragraph 1 – point d (d) ‘scheduled flight’ means a commercial flight as defined in Article 3, point (e), of Regulation (EU) [API border management];
Amendment 119 #
Proposal for a regulation Article 3 – paragraph 1 – point e (e) ‘non-scheduled flight’ means a commercial flight as defined in Article 3, point (f), of Regulation (EU) [API border management];
Amendment 120 #
Proposal for a regulation Article 3 – paragraph 1 – point g (g) ‘crew’ means any person as defined in Article 3, point (
Amendment 121 #
Proposal for a regulation Article 3 – paragraph 1 – point h Amendment 122 #
Proposal for a regulation Article 3 – paragraph 1 – point h (h) ‘air traveller’ means any person as defined in Article 3, point (i), of Regulation (EU) [API border management];
Amendment 123 #
Proposal for a regulation Article 3 – paragraph 1 – point h (h) ‘traveller’ means any person as defined in Article 3, point (
Amendment 124 #
Proposal for a regulation Article 3 – paragraph 1 – point h (h) ‘traveller’ means any person as defined in Article 3, point (
Amendment 125 #
Proposal for a regulation Article 3 – paragraph 1 – point i (i) ‘advance passenger information data’ or ‘API data’ means the data as defined in Article 3, point (
Amendment 126 #
Proposal for a regulation Article 3 – paragraph 1 – point n (n) ‘the router’ means the router as defined in Article 5c (new) and Article 3, point (
Amendment 127 #
Proposal for a regulation Article 3 – paragraph 1 – point n (n) ‘the router’ means the router as defined in Article 3, point (
Amendment 128 #
Proposal for a regulation Article -4 (new) Amendment 129 #
Proposal for a regulation Article 4 – title Amendment 130 #
Proposal for a regulation Article 4 – paragraph 1 Amendment 131 #
Proposal for a regulation Article 4 – paragraph 1 1. Air carriers shall collect API data of travellers, consisting of the traveller data and the flight information specified in paragraphs 2 and 3 of this Article, respectively, on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with paragraph 6. Where the flight is code- shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.
Amendment 132 #
Proposal for a regulation Article 4 – paragraph 1 1. Air carriers shall collect API data of air travellers on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with paragraph 6. Where the flight is code- shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.
Amendment 133 #
Proposal for a regulation Article 4 – paragraph 1 1. Air carriers shall collect API data of
Amendment 134 #
Proposal for a regulation Article 4 – paragraph 1 a (new) 1a. The API data shall consist of the following traveller data relating to each traveller on the flight: (a) the surname (family name), first name or names (given names); (b) the date of birth, sex and nationality; (c) the type and number of the travel document and the three-letter code of the issuing country of the travel document; (d) the date of expiry of the validity of the travel document; (e) whether the traveller is a passenger or a crew member (traveller’s status); (f) the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator); (g) the seating information, such as the number of the seat in the aircraft assigned to a passenger, where the air carrier collects such information; (h) baggage information, such as number of checked bags, where the air carrier collects such information.
Amendment 135 #
Proposal for a regulation Article 4 – paragraph 1 b (new) 1b. The API data shall also consist of the following flight information relating to the flight of each traveller: (a) the flight identification number or, if no such number exists, other clear and suitable means to identify the flight; (b) when applicable, the border crossing point of entry into the territory of the Member State; (c) the code of the airport of entry into the territory of the Member State; (d) the initial point of embarkation; (e) the local date and estimated time of departure; (f) the local date and estimated time of arrival.
Amendment 136 #
Proposal for a regulation Article 4 – paragraph 2 2. Air carriers shall collect the API data in such a manner that the API data that they transfer in accordance with paragraph 6 is accurate, complete and up-to- date. Compliance with this obligation does not require air carriers to check the travel document at the moment of boarding the aircraft, without prejudice to acts of national law that are compatible with Union law.
Amendment 137 #
Proposal for a regulation Article 4 – paragraph 3 Amendment 138 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 1 Air carriers shall collect the alphanumerical API data referred to in Article
Amendment 139 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 1 Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the traveller concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred paragraph 5, where such rules have been adopted and are applicable. In particular, air carriers shall do so by using the most reliable automated means available to collect the machine-readable data of the respective travel document.
Amendment 140 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 1 Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the traveller concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 5, where such rules have been adopted and are applicable.
Amendment 141 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 1 Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the
Amendment 142 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 1 Air carriers shall collect the API data referred to
Amendment 143 #
Proposal for a regulation Article 4 – paragraph 3 – subparagraph 2 Amendment 144 #
Proposal for a regulation Article 4 – paragraph 3 a (new) Amendment 145 #
Proposal for a regulation Article 4 – paragraph 4 Amendment 146 #
Proposal for a regulation Article 4 – paragraph 4 a (new) 4a. Air carriers shall not be prevented from storing API data referred to in Article 4(2), points (a) to (d) of Regulation (EU) [API border management] in their systems, with a view to facilitate subsequent check-in procedures of travellers, upon their consent.
Amendment 147 #
Proposal for a regulation Article 4 – paragraph 5 Amendment 148 #
Proposal for a regulation Article 4 – paragraph 5 5. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article
Amendment 149 #
Proposal for a regulation Article 4 – paragraph 6 6. Air carriers shall transfer the encrypted API data collected pursuant to paragraph 1 to the router, by electronic means. They shall do so in accordance with the detailed rules referred to in paragraph 9,
Amendment 150 #
Proposal for a regulation Article 4 – paragraph 7 7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the travellers have boarded the aircraft in preparation for departure and it is no longer possible for travellers to board or to leave the aircraft. At the moment of check-in, air carriers shall transfer the API data by way of interactive API in accordance with international standards. Air carriers shall receive an acknowledgement of receipt to the transfer of interactive API, as applicable, depending on the flight in scope.
Amendment 151 #
Proposal for a regulation Article 4 – paragraph 7 7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the air travellers have boarded the aircraft in preparation for departure and it is no longer possible for air travellers to board or to leave the aircraft.
Amendment 152 #
Proposal for a regulation Article 4 – paragraph 7 7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the
Amendment 153 #
Proposal for a regulation Article 4 – paragraph 7 a (new) 7a. The router shall verify whether the API data transferred to it in accordance with paragraph 6 complies with the detailed rules on the supported data formats. Where the router has verified that the data is not compliant with the detailed rules, the router shall, immediately and in an automated manner, notify the air carrier concerned.
Amendment 154 #
Proposal for a regulation Article 4 – paragraph 7 a (new) 7a. Air carriers shall store, for a time period of 24 hours from the moment of departure of the flight, the API data relating to the passengers that they collected pursuant to paragraph 1. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 155 #
Proposal for a regulation Article 4 – paragraph 8 – subparagraph 1 – introductory part Amendment 156 #
Proposal for a regulation Article 4 – paragraph 8 – subparagraph 1 – introductory part Amendment 157 #
Proposal for a regulation Article 4 – paragraph 8 – subparagraph 1 – point a (a) where they become aware that the API data collected is inaccurate, incomplete or no longer up-to-date
Amendment 158 #
Proposal for a regulation Article 4 – paragraph 8 – subparagraph 1 a (new) Air carriers shall immediately and permanently delete API data where they become aware that the API data collected was processed unlawfully or that the data transferred does not constitute API data.
Amendment 159 #
Proposal for a regulation Article 4 – paragraph 8 – subparagraph 2 Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received the API data transmitted through the router. eu-LISA shall ensure that the data is encrypted during transfer to the router and transmission from the router to the PIUs.
Amendment 160 #
Proposal for a regulation Article 4 – paragraph 8 – subparagraph 2 Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph or in the second subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA).
Amendment 161 #
Proposal for a regulation Article 4 – paragraph 8 – subparagraph 2 Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received
Amendment 162 #
Proposal for a regulation Article 4 – paragraph 9 9. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the transfers of
Amendment 163 #
Proposal for a regulation Article 4 – paragraph 9 9. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the transfers of API data to the router referred to in paragraph 6 including the use of interactive API for the transfer of API data at the moment of check-in.
Amendment 164 #
Proposal for a regulation Article 4 – paragraph 9 a (new) 9a. In accordance with Directive 2016/681, air carriers shall also transfer PNR data to the router, insofar as these data are collected in the normal course of their business, for the transmission of these data from the router to the respective PIUs in accordance with Article 5(4). This shall be the only necessary and available means for air carriers to transfer PNR data in accordance with Article 8(1) of Directive 2016/681.
Amendment 165 #
Proposal for a regulation Article 4 a (new) Amendment 166 #
Proposal for a regulation Article 4 b (new) Article4b Exclusive use of the router The router shall only be used: (a) by air carriers to transfer API data or other PNR data in accordance with this Regulation; (b) by PIUs to receive API data or other PNR data in accordance with this Regulation.
Amendment 167 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 1 The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on
Amendment 168 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 1 The router shall, immediately and in an automated manner, transmit the API data,
Amendment 169 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 1 The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on the territory of which the flight will land or from the territory of which the flight will depart
Amendment 170 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 1 The router shall, immediately and in an automated manner, transmit the API data,
Amendment 171 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 2 For the purpose of such transmissions, eu- LISA shall establish and keep up-to-date a table of correspondence between the different airports of origin and destination and the countries to which they belong.
Amendment 172 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 3 Amendment 173 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 3 Amendment 174 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 3 Amendment 175 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 3 However, for intra-EU flights, the router shall
Amendment 176 #
Proposal for a regulation Article 5 – paragraph 1 – subparagraph 4 The router shall transmit the API data in accordance with the detailed rules referred to in paragraph 3,
Amendment 177 #
Proposal for a regulation Article 5 – paragraph 1 a (new) 1a. Each Member State may establish a single entry point that receives the API data transmitted to it from the router and that immediately and in an automated manner forwards the API data to the PIU of the Member State concerned. The Commission shall, on the basis of those notifications and updates, compile and make publicly available a list of the notified competent border authorities, including their contact details.
Amendment 178 #
Proposal for a regulation Article 5 – paragraph 2 Amendment 179 #
Proposal for a regulation Article 5 – paragraph 2 Amendment 180 #
Proposal for a regulation Article 5 – paragraph 2 Amendment 181 #
Proposal for a regulation Article 5 – paragraph 2 2. Member States that decide to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2 of that Directive shall each establish a list of the intra-EU flights concerned and shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, provide eu-LISA with that list. Those Member States shall, in accordance with Article 2 of that Directive, regularly review and where necessary update those lists and shall immediately provide eu-LISA with any such updated lists. The information contained on those
Amendment 182 #
Proposal for a regulation Article 5 – paragraph 2 a (new) 2a. The router shall only transmit API data to a PIU for flights for which that PIU also receives passenger name record data through the router in accordance with Regulation (EU) [API border management] and Directive (EU) 2016/681.
Amendment 183 #
Proposal for a regulation Article 5 – paragraph 3 3. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed technical and procedural rules for the transmissions of API data from the router referred to in paragraph 1, including on requirements for data security.
Amendment 184 #
Proposal for a regulation Article 5 – paragraph 3 a (new) 3a. This provision shall apply mutatis mutandis to the transmission of PNR data from the router to the PIUs of the Member States in accordance with Article 8(1) of Directive 2016/681. This shall be the only means for PIUs to receive PNR data from air carriers.
Amendment 185 #
Proposal for a regulation Article 5 a (new) Amendment 186 #
Proposal for a regulation Article 5 a (new) Article5a Methodology for the selection of intra-EU flights 1. For the purpose of establishing the list referred to in paragraph 2 of Article 5, Member States shall carry out a thorough threat assessment. 2. Such threat assessment shall be carried out in an objective, duly reasoned and non-discriminatory manner. In particular such assessment shall not be purely based on the nationality, sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers. 3. The outcome of that threat assessment shall be subject to regular review. Its validity shall be limited in time to what is strictly necessary and shall in any case not exceed 3 months unless it is extended, based on objective necessity. The frequency of the review shall reflect the nature of information referred to in 5b(new)(2)(b). 4. Member States shall keep all relevant documentation justifying the outcome of the threat assessment and its possible prolongation. In order to allow for effective supervision, Member States shall make that documentation available to the competent national data protection authorities referred to in article 41 of Directive 2016/680.
Amendment 187 #
Proposal for a regulation Article 5 a (new) Article5a Optional use of the router for PNR data transfers When adopting measures in accordance with Article 8 of Directive (EU) 2016/681, Member States may require air carriers to transfer other PNR data collected, pursuant to Article 8(1) of that Directive, to the database of the PIU of the Member States concerned, through the router.
Amendment 188 #
Proposal for a regulation Article 5 b (new) Article5b Substantive criteria for the selection of intra-EU flights 1. Member States shall base their threat assessment, referred to in Article 5a(new) on information and considerations regarding: a. the proportionality of interferening with the fundamental rights laid down in Articles 7 and 8 of the Charter in relation to the importance of the objective of general interest;b. the duration of the selection and thus interference with fundamental rights;c. the general level of threat identified at national and Union level, solely in relation to terrorist and serious criminal offences within the scope of this Regulation; and d. the specific level of threat identified on a particular intra-EU flight, in the context of one or several terrorist and serious criminal offences within the scope of this Regulation, relating, inter alia, to a certain route, travel pattern or airport. 2. When assessing the specific level of threat identified on a particular flight, Member States shall use: a. Statistical information on the previous results of the automated processing of PNR data of passengers on that particular flight or route; b. Objective, duly reasoned, non- discriminatory and documented information received by their authorities competent for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, such as information on new criminal trends and changes in the modus operandi. Such assessment shall not be purely based on the nationality sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers.
Amendment 189 #
Proposal for a regulation Article 5 b (new) Article5b Storage period and deletion of API data Air carriers shall store API data for a time period of 72 hours from the moment of receipt by the router of the API data transferred to it in accordance with Article 4. API data transmitted to PIUs in accordance with this Regulation, shall subsequently be processed by the PIUs in accordance with Directive (EU) 2016/681, and as interpreted by the Court of Justice of the European Union, in particular as regards the rules on the period of data retention and depersonalisation.
Amendment 190 #
Proposal for a regulation Article 5 c (new) Article5c Transfer of API data by PIUs to third countries In accordance with Directive 2016/681, PIUs shall be enabled to transfer API data received under this Regulation with third countries for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
Amendment 192 #
Proposal for a regulation Article -6 (new) Amendment 193 #
Proposal for a regulation Article -6 a (new) Article-6a Exclusive use of the router Notwithstanding the use of the router in Article 10 of Regulation (EU) [API border management], the router shall only be used by air carriers to transfer API and PNR data, and by PIUs to receive API and PNR data for extra-EU flights and selected intra-EU flights, in accordance with this Regulation.
Amendment 194 #
Proposal for a regulation Article -6 b (new) Amendment 195 #
Proposal for a regulation Article 6 – paragraph -1 (new) Amendment 196 #
Proposal for a regulation Article 6 – paragraph 1 1. Air carriers shall create logs of all processing operations under this Regulation undertaken using the automated means referred to in Article
Amendment 197 #
Proposal for a regulation Article 6 – paragraph 4 – subparagraph 2 However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, air carriers may keep those logs for as long as necessary for those procedures after informing and justifying it to the Commission. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.
Amendment 198 #
Proposal for a regulation Article 6 – paragraph 4 – subparagraph 2 However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, air carriers
Amendment 199 #
Proposal for a regulation Article 6 – paragraph 4 a (new) 4a. The national supervisory authority referred to in Article 15 and PIUs shall have access to the relevant logs referred to in paragraph 1 of Article 13 of Regulation [API border management] where necessary for the purposes referred to in paragraph 2.
Amendment 200 #
Proposal for a regulation Article 6 a (new) Article6a Processing of API data received 1. The PIUs shall process API data, transferred to them in accordance with this Regulation, only for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime within the meaning of Article 6(2) of Directive (EU) 2016/681. 2. The PIUs or other competent authorities shall under no circumstances process API data for the purposes of profiling.
Amendment 201 #
Proposal for a regulation Article 7 – paragraph 2 a (new) Amendment 202 #
Proposal for a regulation Article 7 a (new) Article7a Personal data protection audits 1. The competent national data protection authorities referred to in Article 51 of Regulation (EU) 2016/679 shall ensure that an audit of processing operations of API data constituting personal data performed by the PIU’s for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every four years. 2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation and Regulation (EU) [API border management] is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted. 3. In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 13(1), and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.
Amendment 203 #
Proposal for a regulation Article 7 a (new) Article7a Personal data processor eu-LISA shall be the processor within the meaning of Article 3, point (9), of Directive 2016/680 (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation.
Amendment 204 #
Proposal for a regulation Article 7 b (new) Article7b Fundamental Rights 1. Collection and processing of personal data in accordance with this Regulation and Regulation (EU) [API border management] by air carriers and competent authorities shall not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. 2. This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life, to the protection of personal data and to freedom of movement. 3. Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.
Amendment 205 #
Proposal for a regulation Article 7 b (new) Amendment 206 #
Proposal for a regulation Article 7 c (new) Article7c Fundamental Rights 1. Collection and processing of personal data in accordance with this Regulation and Regulation (EU) [API border management] by air carriers and competent authorities shall not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. 2. This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life, to the protection of personal data and to freedom of movement. 3. Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.
Amendment 207 #
Proposal for a regulation Article 8 – paragraph 1 1. PIUs and air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation.
Amendment 208 #
Proposal for a regulation Article 8 – paragraph 1 PIUs and air carriers shall ensure the security
Amendment 209 #
2. PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other and with eu- LISA to ensure such security.
Amendment 210 #
Proposal for a regulation Article 8 – paragraph 2 a (new) 2a. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu- LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
Amendment 211 #
Proposal for a regulation Article 8 – paragraph 2 b (new) 2b. In particular, eu-LISA shall take the necessary measures to ensure the security of the router and the API data, in particular API data constituting personal data, transmitted through the router, including by establishing, implementing and regularly updating a security plan, a business continuity plan and a disaster recovery plan, in order to: (a) physically protect the router, including by making contingency plans for the protection of critical components thereof; (b) prevent any unauthorised processing of the API data, including any unauthorised access thereto and copying, modification or deletion thereof, both during the transfer of the API data to and from the router and during any storage of the API data on the router where necessary to complete the transmission, in particular by means of appropriate encryption techniques; (c) ensure that it is possible to verify and establish to which competent border authorities or PIUs the API data is transmitted through the router; (d) properly report to its Management Board any faults in the functioning of the router; (e) monitor the effectiveness of the security measures required under this Article and under Regulation (EU) 2018/1725, and assess and update those security measures where necessary in the light of technological or operational developments. The measures referred to in the first subparagraph of this paragraph shall not affect Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679.
Amendment 212 #
Proposal for a regulation Article 9 – paragraph 1 Air carriers and the PIUs shall monitor their compliance with their respective obligations under this Regulation, in particular as regards their processing of API
Amendment 213 #
Proposal for a regulation Article 9 a (new) Article9a Personal data protection audits 1. The competent national data protection authorities referred to in Article 41 of Directive 2016/680 shall ensure that an audit of processing operations of API data constituting personal data performed by the PIUs for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every two years. 2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted. 3. In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 6, and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.
Amendment 214 #
Proposal for a regulation Article 9 a (new) Article9a Personal data protection audits The supervisory authorities referred to in Article 41 of Directive (EU) 2016/680 shall carry out an audit of processing operations of API data constituting personal data performed by the PIUs for the purposes of this Regulation at least once every four years. Member States shall ensure that their supervisory authorities have sufficient resources and expertise to fulfil the tasks entrusted to them under this Regulation.
Amendment 215 #
2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1, including on data security requirements.
Amendment 216 #
Proposal for a regulation Article 11 – paragraph 2 2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1, including on data security requirements.
Amendment 217 #
Proposal for a regulation Article 11 a (new) Article11a eu-LISA’s tasks relating to the design and development of the router 1. eu-LISA shall be responsible for the design of the physical architecture of the router, including defining the technical specifications. 2. eu-LISA shall be responsible for the development of the router, including for any technical adaptations necessary for the operation of the router. The development of the router shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination of the development phase. 3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation, and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in 4(5) and (9), Article 5(3), Article 10(2), Article 11(2). 4. Where eu-LISA considers that the development phase has been completed, it shall, without undue delay, conduct a comprehensive test of the router, in cooperation with the competent border authorities, PIUs and other relevant Member States’ authorities and air carriers and inform the Commission of the outcome of that test.
Amendment 218 #
Proposal for a regulation Article 11 a (new) Article11a eu-LISA's support tasks relating to the router eu-LISA shall, upon their request, provide support to competent border authorities, PIUs and other relevant Member States’ authorities and air carriers on the connection and integration to the router.
Amendment 219 #
Proposal for a regulation Article 11 b (new) Amendment 220 #
Proposal for a regulation Article 11 c (new) Article11c eu-LISA’s support tasks relating to the router 1. eu-LISA shall, upon their request, provide training to competent border authorities, PIUs and other relevant Member States’ authorities and air carriers on the technical use of the router. 2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation, in particular as regards the application of Articles 5 and 10 of this Regulation
Amendment 221 #
Proposal for a regulation Article 12 – title Costs of eu-LISA and of Member States
Amendment 222 #
Proposal for a regulation Article 12 – paragraph 1 – subparagraph 1 Costs incurred by eu-LISA and the Member States in relation to their connections to and integration with the router referred to in Article 10 shall be borne by the general budget of the Union.
Amendment 223 #
Proposal for a regulation Article 13 – paragraph 1 – subparagraph 2 During the time period between those
Amendment 224 #
Proposal for a regulation Article 13 – paragraph 2 – subparagraph 2 During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router.
Amendment 225 #
Proposal for a regulation Article 13 – paragraph 3 – subparagraph 2 During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router.
Amendment 226 #
Proposal for a regulation Article 14 a (new) Article14a Start of operations of the router The Commission shall determine, without undue delay, the date from which the router starts operations by means of an implementing act once eu-LISA has informed the Commission of the successful completion of the comprehensive test of the router referred to in Article 11a(new)(4). That implementing act shall be adopted in accordance with the examination procedure referred to in Article 18a(new)(2). The Commission shall set the date referred to in the first subparagraph to be no later than 30 days from the date of the adoption of that implementing act.
Amendment 227 #
Proposal for a regulation Article 14 b (new) Amendment 228 #
Proposal for a regulation Article 14 c (new) Article14c Use of the router for PNR data The provisions of Chapters 3 and 4 shall apply mutatis mutandis to the mandatory transfer and transmission of PNR data through the router.
Amendment 229 #
Proposal for a regulation Article 16 Amendment 230 #
Proposal for a regulation Article 16 – paragraph 2 a (new) Member States shall ensure that the national API supervisory authorities, when deciding whether to impose a penalty and when determining the type and level of penalty, take into account relevant circumstances, which may include: (a) the nature, gravity and duration of the infringement; (b) the degree of the air carrier's fault; (c) previous infringements by the air carrier; (d) the overall level of cooperation of the air carrier with the competent authorities; (e) the size of the air carrier, such as the annual number of passengers carried; (f) whether previous penalties have already been applied by other national API supervisory authorities to the same carrier for the same infringement.
Amendment 231 #
Proposal for a regulation Article 16 – paragraph 2 a (new) Member States shall ensure that a systematic or persistent failure to comply with the obligations set in this Regulation is subject to financial penalties of up to EUR 10 million, notwithstanding the Member States’ right to impose non- financial penalties in addition.
Amendment 232 #
Proposal for a regulation Article 16 a (new) Amendment 233 #
Proposal for a regulation Article 16 a (new) Amendment 234 #
Proposal for a regulation Article 17 – paragraph 1 The Commission shall, in close cooperation with the PIUs, other relevant Member States’ authorities, the air carriers and relevant Union agencies, in particular the European Data Protection Supervisor and the Fundamental Rights Agency, prepare and
Amendment 235 #
Proposal for a regulation Article 18 Regulation (EU) 2019/818 Article 39 A
Amendment 236 #
Proposal for a regulation Article 18 Regulation (EU) 2019/818 Article 39 – paragraphs 1 and 2 Amendment 237 #
Proposal for a regulation Article 18 a (new) Article18a Committee procedure 1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.
Amendment 238 #
Proposal for a regulation Article 19 – paragraph 2 2. The power to adopt delegated acts referred to in Article 4
Amendment 239 #
Proposal for a regulation Article 19 – paragraph 3 3. The delegation of power referred to in Article 4
Amendment 240 #
Proposal for a regulation Article 20 – paragraph -1 (new) -1. eu-LISA shall ensure that procedures are in place to monitor the development of the router in light of objectives relating to planning and costs, and to monitor the functioning of the router in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.
Amendment 241 #
Proposal for a regulation Article 20 – paragraph -1 a (new) -1a. By [one year after the date of entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall produce a report, and submit it to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and about any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 12.
Amendment 242 #
Proposal for a regulation Article 20 – paragraph -1 b (new) -1b. Once the router starts operations, eu-LISA shall produce a report and submit it to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.
Amendment 243 #
Proposal for a regulation Article 20 – paragraph 1 – introductory part 1. By [four years after the date of entry into force of this Regulation], and every four years thereafter, the Commission shall produce a report containing an overall evaluation of this Regulation, , demonstrating the necessity and added value of the collection of API data, including an assessment of:
Amendment 244 #
Proposal for a regulation Article 20 – paragraph 1 – point c a (new) (ca) the impact of this Regulation on the travel experience of legitimate travellers;
Amendment 245 #
Proposal for a regulation Article 20 – paragraph 1 – point c b (new) (cb) the impact of this Regulation on the competitiveness of the aviation sector and the burden incurred by businesses. The Commission’s report shall also address this Regulation’s interaction with other relevant EU legislative acts, notably Regulation (EU) 2017/2226, Regulation (EU) 2018/1240 and Regulation (EC) 767/2008, with a view to assess the overall impact of related reporting obligations on air carriers, identify provisions that may be updated and simplified, where appropriate, to mitigate the burden on air carriers, and consider actions and measures that could be taken to reduce the total cost pressure on air carriers.
Amendment 246 #
Proposal for a regulation Article 20 – paragraph 2 2. The Member States and air carriers shall, upon request, provide the Commission with the information necessary to draft the report referred to in paragraph 1. In particular, Member States shall provide quantitative and qualitative information on the necessity and added value of the collection of API data from an operational perspective. However, Member States may refrain from providing such information if, and to the extent, necessary not to disclose confidential working methods or jeopardise ongoing investigations of their PIUs or other law enforcement authorities. The Commission shall ensure that any confidential information provided is appropriately protected.
Amendment 247 #
Proposal for a regulation Article 21 – paragraph 2 It shall apply from two years from the date at which the router starts operations, specified by the Commission in accordance with Article
Amendment 248 #
However, Article 4(5) and (9), Article 5(3), Article 10(2), Article 11(2), Article 18a(new) and Article 19 shall apply from [Date of entry into force of this Regulation].
Amendment 249 #
Proposal for a regulation Article 21 – paragraph 3 However, Article 4
Amendment 26 #
Proposal for a regulation Recital 1 (1) The transnational dimension of serious and organised crime
Amendment 27 #
Proposal for a regulation Recital 1 (1)
Amendment 28 #
Proposal for a regulation Recital 1 (1) The transnational dimension of serious and organised crime and the continuous threat of terrorist attacks on European soil call for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on air travellers, such as Passenger Name Records (PNR) and in particular Advance Passenger Information (API),
Amendment 29 #
Proposal for a regulation Recital 2 (2) While Council Directive 2004/82/EC27 establishes a legal framework for the collection and transfer of API data by air carriers with the aims of
Amendment 30 #
Proposal for a regulation Recital 2 (2) While Council Directive 2004/82/EC27
Amendment 31 #
Proposal for a regulation Recital 3 (3) Directive (EU) 2016/681 of the European Parliament and of the Council28 lays down rules on the use of PNR data for the prevention, detection, investigation and
Amendment 32 #
Proposal for a regulation Recital 3 (3) Directive (EU) 2016/681 of the European Parliament and of the Council28 (‘PNR Directive') lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under
Amendment 33 #
Proposal for a regulation Recital 3 (3) Directive (EU) 2016/681 of the European Parliament and of the Council28 lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under that Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not guarantee the collection and transfer of API data in all cases, as air carriers do not have any business purpose to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent law enforcement authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crime . In particular, such joint processing
Amendment 34 #
Proposal for a regulation Recital 4 (4) It is therefore necessary to establish
Amendment 35 #
Proposal for a regulation Recital 4 (4) It is therefore necessary to establish clearer rules at Union level
Amendment 36 #
Proposal for a regulation Recital 5 (5) Considering the close relationship between both acts, this Regulation should be understood as complementing the rules provided for in the PNR Directive
Amendment 37 #
Proposal for a regulation Recital 6 (6) The collection and transfer of API data affects the privacy of individuals and entails the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that
Amendment 38 #
Proposal for a regulation Recital 6 (6) The collection and transfer of API data affects the privacy of individuals and entails the processing of personal data. In order to fully respect fundamental rights, in particular the right of respect for private life and the right to the protection of
Amendment 39 #
Proposal for a regulation Recital 6 a (new) (6a) This Regulation should be subject to regular evaluations to ensure the monitoring of its effective application. In particular, the collection of API data should not be to the detriment of the travel experience of legitimate travellers. Therefore, the Commission should include in its regular evaluation reports on the application of this Regulation an assessment of the impact of this Regulation on the travel experience of legitimate travellers.
Amendment 40 #
Proposal for a regulation Recital 6 b (new) (6b) Given that this Regulation requires additional adjustment and administrative costs by the air carriers, the overall regulatory burden for the aviation sector should be kept under close review. Against this backdrop, the report evaluating the functioning of this Regulation should assess the extent to which the objectives of the Regulation have been met and to which extent it has impacted the competitiveness of the sector. Therefore, the Commission’s report should also conduct a holistic assessment and refer to the interaction of this Regulation with other relevant EU legislative acts, notably Regulation (EU) 2017/2226, Regulation (EU) 2018/1240 and Regulation (EC) 767/2008. The report should assess the overall impact of related reporting obligations on air carriers, identifying provisions that may be updated and simplified, where appropriate, to mitigate the burden on air carriers, as well as actions and measures that have been or could be taken to reduce the total cost pressure on the aviation sector.
Amendment 41 #
Proposal for a regulation Recital 7 (7) In view of the complementary nature of this Regulation in relation to Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of
Amendment 42 #
Proposal for a regulation Recital 7 (7) In view of the complementary nature of this Regulation in relation to Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under Directive (EU) 2016/681, namely flights, including both scheduled and non-scheduled flights, both between Member States and third countries (extra-EU flights)
Amendment 43 #
Proposal for a regulation Recital 7 (7) In view of the complementary nature of this Regulation in relation to Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under Directive (EU) 2016/681, namely flights, including both scheduled and non-scheduled flights, both between Member States and third countries (extra-EU flights),
Amendment 44 #
Proposal for a regulation Recital 7 (7) In view of the complementary nature of this Regulation in relation to the PNR Directive
Amendment 45 #
Proposal for a regulation Recital 7 a (new) (7a) This Regulation, however, does not cover the flights as defined in Article 3, point (3), of Directive (EU) 2016/681, namely any scheduled or non-scheduled flight by an air carrier flying from the territory of a Member State and planned to land on the territory of one or more of the other Member States, without any stop-overs in the territory of a third country (intra-EU flights), considering the potentially disproportionate effects that an automatic and indiscriminate collection of data through the router might have on several fundamental rights, including the right to freedom of movement and to data protection.
Amendment 46 #
Proposal for a regulation Recital 8 (8) Accordingly, given that Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either. This Regulation should
Amendment 47 #
Proposal for a regulation Recital 8 (8) Accordingly, given that the PNR Directive
Amendment 48 #
Proposal for a regulation Recital 8 (8) Accordingly, given that Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either.
Amendment 49 #
Proposal for a regulation Recital 9 (9) In view of the close relationship between the acts of Union law concerned and in the interest of consistency and coherence, the definitions set out in this Regulation should
Amendment 50 #
Proposal for a regulation Recital 10 (10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that
Amendment 51 #
Proposal for a regulation Recital 10 (10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should
Amendment 52 #
Proposal for a regulation Recital 10 (10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be the same as those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned only where applicable, that is, not when the API data relate to intra-EU flights.
Amendment 53 #
Proposal for a regulation Recital 10 (10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be
Amendment 54 #
Proposal for a regulation Recital 11 (11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. That concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router
Amendment 55 #
Proposal for a regulation Recital 11 (11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. That concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data. The requirements set out by this Regulation and by the corresponding delegated and implementing acts should lead to a uniform implementation by the airlines, thereby minimizing the cost of the interconnection of their respective systems. To facilitate a harmonized implementation of these requirements by the airlines, notably as regards the data structure, format and transmission protocol, the Commission, based on its cooperation with the PIUs, other Member States authorities, air carriers, and relevant Union agencies, should ensure that the practical handbook provides all the necessary guidance and clarifications.
Amendment 56 #
Proposal for a regulation Recital 11 (11) In order to ensure as consistent approach as possible on the collection and transfer of API data by air carriers
Amendment 57 #
Proposal for a regulation Recital 11 (11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation
Amendment 58 #
Proposal for a regulation Recital 11 a (new) (11a) The automatic data collection systems and other processes established under this Regulation should not negatively impact the employees in the aviation industry, who should benefit from upskilling and reskilling opportunities that would increase the efficiency and reliability of data collection and transfer as well as the working conditions in the sector.
Amendment 59 #
Proposal for a regulation Recital 11 b (new) (11b) In order to enhance data quality, the router should verify whether the API data transferred to it by the air carriers complies with the supported data formats. Where the router has verified that the data is not compliant with the supported data formats, the router should, immediately and in an automated manner, notify the air carrier concerned.
Amendment 60 #
Proposal for a regulation Recital 12 (12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner. Member States may establish a single data entry point that receives the API data from the router and that immediately and in an automated manner forwards it to the PIU of the Member State concerned. To ensure the proper functioning of this Regulation and in the interest of transparency, that information should be made public. Member States may designate the same single data entry point for the purposes of this Regulation and of Regulation [API law enforcement].
Amendment 61 #
Proposal for a regulation Recital 12 (12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In this regard, it is important to ensure that the application of the system is limited to terrorist offences and serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large- Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the
Amendment 62 #
Proposal for a regulation Recital 12 (12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union, and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the sole competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner.
Amendment 63 #
Proposal for a regulation Recital 12 (12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API
Amendment 64 #
Proposal for a regulation Recital 12 a (new) (12a) To ensure the joint processing of API data and PNR data in a way that allows for effectively fighting terrorism and serious crime, that guarantees a high level of data protection including through the minimisation of false positives, and that creates clear rules and synergies for air carriers, the PIUs should only receive API data from the router for flights for which they also receive PNR data through the router under Regulation (EU) [API border management] and Directive (EU) 2016/681.
Amendment 65 #
Proposal for a regulation Recital 12 a (new) (12a) With a view to guaranteeing the fulfilment of the rights provided for under the Charter of Fundamental Rights and to ensuring accessible and inclusive travel options, especially for vulnerable groups and persons with disabilities, air carriers, supported by the Member States, shall ensure that an offline alternative for the check-in and for the provision of the necessary data by the passengers is possible at all times.
Amendment 66 #
Proposal for a regulation Recital 12 a (new) (12a) Where air carriers are required to transfer the same API data both under this Regulation and under Regulation [API border management], air carriers might send this API data to the router only once. In this case, by fulfilling the obligations for the transfer of such API data under this Regulation, air carriers also fulfil the obligations for the transfer of that API data under Regulation [API border management].
Amendment 67 #
Proposal for a regulation Recital 13 (13) For the extra-EU flights, the PIU of the Member State on
Amendment 68 #
Proposal for a regulation Recital 13 a (new) (13a) In order to allow for the effective supervision of the compliance of the Member States with the requirements of the Court of Justice of the European Union (‘CJEU’) by the national data protection authorities, this Regulation lays down a common methodology for carrying out the threat assessment based on which the Member States should operate a selection of intra-EU flights. In order to avoid divergent practices among Member States, this Regulation also sets out a list of criteria, regarding both quantitative and qualitative evidence, to be used by Member States when carrying out such assessment. Given that API can be processed for the purpose of this Regulation only insofar as PNR data is processed, the outcome of the threat assessment should be valid for the transfer and processing of both API and PNR data.
Amendment 69 #
Proposal for a regulation Recital 14 Amendment 70 #
Proposal for a regulation Recital 14 Amendment 71 #
Proposal for a regulation Recital 14 Amendment 72 #
Proposal for a regulation Recital 14 (14) As regards intra-EU flights, in line with the case law of the Court of Justice of the European Union (CJEU), in order to avoid unduly interfering with the relevant fundamental rights protected under the Charter and to ensure compliance with the requirements of Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of Directive (EU) 2016/681. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to the regular review of that selection. As recalled by the CJEU, a Member State may select all intra-EU flights under this approach when duly justified.
Amendment 73 #
Proposal for a regulation Recital 14 (14) As regards to the intra-EU flights, in line with the case law of the C
Amendment 74 #
Proposal for a regulation Recital 14 a (new) (14a) When performing their national threat assessment under this Regulation and Directive (EU) 2016/681, the Member States should evaluate, in an objective and reasoned manner, the level of the risk that they are confronted with in relation to serious crime and terrorism. The objective of such a reasoned threat assessment should be to limit the joint processing of intra-EU API data and PNR data to those flight or group of flights for which the joint processing is strictly necessary to ensure the internal security of the Union or, at least, that of that Member States and, thus, protect the life and safety of persons. The Member States should perform such threat assessment following a methodology that allows effective ex post review by the national supervisory authority. To that end, Member States should provide, upon request, their national supervisory authority with all relevant documentation that allows for the ex post verification of the reasons for the selection of an intra-EU flight.
Amendment 75 #
Proposal for a regulation Recital 15 Amendment 76 #
Proposal for a regulation Recital 15 Amendment 77 #
Proposal for a regulation Recital 15 Amendment 78 #
Proposal for a regulation Recital 15 (15) In order to enable the application of that selective approach under this Regulation in respect of intra-EU flights, the Member States should be required to draw up and submit to the eu-LISA the lists of the flights they selected, so that eu- LISA
Amendment 79 #
Proposal for a regulation Recital 16 Amendment 80 #
Proposal for a regulation Recital 16 Amendment 81 #
Proposal for a regulation Recital 16 (16)
Amendment 82 #
Proposal for a regulation Recital 16 (16) In order not to endanger the effectiveness of the system that relies on the collection and transfer of API data set up by this Regulation, and of PNR data under the system set up by
Amendment 83 #
(16a) This Regulation precludes the collection and transfer of API data on intra-EU flights for the purpose of combating illegal immigration, in accordance with Union law and case law of the Court of Justice of the European Union.
Amendment 84 #
Proposal for a regulation Recital 17 (17) In the interest of ensuring compliance with the fundamental right
Amendment 85 #
(17a) In the interest of ensuring compliance with the fundamental right to protection of personal data, this Regulation should also set out rules on audits. The audits that Member States are responsible for should be carried out by the supervisory authorities referred to in Article 41 of Directive (EU) 2016/680 or by an auditing body entrusted with this task by the supervisory authority.
Amendment 86 #
Proposal for a regulation Recital 17 a (new) (17a) Taking into account the right of passengers to be informed of the processing of their personal data, Member States should ensure that passengers are provided with accurate information that is easily accessible and easy to understand about the collection of API data, their transfer to the PIU and their rights as data subjects.
Amendment 87 #
Proposal for a regulation Recital 18 Amendment 88 #
Proposal for a regulation Recital 19 (19) In view of the Union interests at stake, appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation,
Amendment 89 #
Proposal for a regulation Recital 19 (19)
Amendment 90 #
Proposal for a regulation Recital 20 (20) In
Amendment 91 #
Proposal for a regulation Recital 20 (20) In accordance with Regulation (EU) 2018/1726, Member States
Amendment 92 #
Proposal for a regulation Recital 21 (21) It cannot be excluded that, due to exceptional circumstances and despite all
Amendment 93 #
Proposal for a regulation Recital 22 (22) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities charged with the supervision of those rules. The rules of this Regulation on such supervision, including as regards to the imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680 unaffected, including in relation to the processing of personal data under this Regulation.
Amendment 94 #
Proposal for a regulation Recital 23 Amendment 95 #
Proposal for a regulation Recital 23 (23) Effective, proportionate and dissuasive penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the collection and transfer of API and PNR data under this Regulation.
Amendment 96 #
Proposal for a regulation Recital 23 a (new) Amendment 97 #
Proposal for a regulation Recital 23 a (new) (23a) When providing for the penalties applicable to air carriers under this Regulation, Member States shall take into account the technical, operational and economic feasibility of ensuring complete data accuracy. Additionally, when fines are imposed, their application and value shall be established taking into consideration the actions undertaken by the air carrier to mitigate the issue as well as its repeated failure to cooperate with national authorities.
Amendment 98 #
Proposal for a regulation Recital 24 (24) In order to adopt measures relating
Amendment 99 #
Proposal for a regulation Recital 24 a (new) (24a) Furthermore, in order to avoid placing a disproportionate burden on air carriers, a single carrier gateway should allow air carriers to communicate requested information under this Regulation, Regulation (EU) 2017/2226 of the European Parliament and of the Council, Regulation (EU) 2018/1240 of the European Parliament and of the Council, Regulation (EC) 767/2008 of the European Parliament and of the Council and Directive (EU) 2016/681 of the European Parliament and of the Council.
source: 752.818
|
History
(these mark the time of scraping, not the official date of the change)
2024-04-26Show (1) Changes | Timetravel
| forecasts |
|
2024-04-25Show (2) Changes | Timetravel
| forecasts/0 |
|
| forecasts/0 |
|
2024-04-24Show (2) Changes | Timetravel
| forecasts/0 |
|
| forecasts/0 |
|
2024-04-23Show (2) Changes | Timetravel
| forecasts/0 |
|
| forecasts/0 |
|
2024-04-22Show (2) Changes | Timetravel
| forecasts/0 |
|
| forecasts/0 |
|
2024-04-21Show (2) Changes | Timetravel
| forecasts/0 |
|
| forecasts/0 |
|
2024-04-20Show (2) Changes | Timetravel
| forecasts/0 |
|
| forecasts/0 |
|
2024-04-17Show (1) Changes | Timetravel
| links |
|
2024-04-16Show (1) Changes | Timetravel
| links |
|
2024-03-27Show (2) Changes | Timetravel
| docs/6 |
|
| events/7 |
|
2024-03-26Show (2) Changes | Timetravel
| docs/6 |
|
| events/7 |
|
2024-03-25Show (2) Changes | Timetravel
| docs/6 |
|
| events/7 |
|
2024-03-24Show (2) Changes | Timetravel
| docs/6 |
|
| events/7 |
|
2024-03-23Show (2) Changes | Timetravel
| docs/6 |
|
| events/7 |
|
2024-03-22Show (2) Changes | Timetravel
| docs/6 |
|
| events/7 |
|
2024-03-21Show (2) Changes | Timetravel
| docs/6 |
|
| events/7 |
|
2024-03-20Show (1) Changes | Timetravel
| docs/6 |
|
2024-03-19Show (1) Changes | Timetravel
| docs/6 |
|
2024-03-05Show (1) Changes | Timetravel
| forecasts |
|
2024-01-04Show (2) Changes | Timetravel
| docs/6 |
|
| events/4/summary |
|
2023-12-13Show (1) Changes | Timetravel
| events/6 |
|
2023-12-13Show (1) Changes | Timetravel
| events/5 |
|
2023-12-09Show (2) Changes | Timetravel
| docs/6/docs/0/url |
https://www.europarl.europa.eu/doceo/document/A-9-2023-0411_EN.html
|
| events/4/docs/0/url |
https://www.europarl.europa.eu/doceo/document/A-9-2023-0411_EN.html
|
2023-12-08Show (6) Changes | Timetravel
| docs/6 |
|
| events/2 |
|
| events/3 |
|
| events/4 |
|
| procedure/Other legal basis |
Rules of Procedure EP 159
|
| procedure/stage_reached |
Old
Awaiting committee decisionNew
Awaiting Parliament's position in 1st reading |
2023-11-08Show (4) Changes | Timetravel
| docs/1/docs/0/url |
Old
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2023:084:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2023:084:TOC |
| docs/6/date |
Old
2023-09-14T00:00:00New
2023-09-15T00:00:00 |
| docs/7/date |
Old
2023-03-22T00:00:00New
2023-03-23T00:00:00 |
| docs/8/date |
Old
2023-04-25T00:00:00New
2023-04-26T00:00:00 |
2023-09-30Show (1) Changes | Timetravel
| docs/6 |
|
2023-09-07Show (1) Changes | Timetravel
| docs/5 |
|
2023-07-22Show (1) Changes | Timetravel
| docs/4 |
|
2023-07-06Show (1) Changes | Timetravel
| docs/3 |
|
2023-06-09Show (1) Changes | Timetravel
| docs/2 |
|
2023-06-04Show (1) Changes | Timetravel
| commission |
|
2023-06-01Show (1) Changes | Timetravel
| committees/0/shadows/4 |
|
2023-05-08Show (3) Changes | Timetravel
| committees/0/shadows/4 |
|
| committees/1 |
Old
New
|
| committees/2 |
Old
New
|
2023-04-28Show (4) Changes | Timetravel
| committees/0/shadows |
|
| committees/1 |
Old
New
|
| committees/2 |
Old
New
|
| docs/3 |
|
2023-04-04Show (1) Changes | Timetravel
| committees/0/rapporteur |
|
2023-03-27Show (1) Changes | Timetravel
| docs/2 |
|
2023-03-07Show (1) Changes | Timetravel
| docs/1 |
|
2023-02-23Show (1) Changes | Timetravel
| committees/2/rapporteur |
|
2023-02-21Show (3) Changes | Timetravel
| procedure/Legislative priorities/0 |
|
| procedure/Legislative priorities/0/title |
Old
Joint Declaration on EU legislative priorities for 2023 and 2024New
Joint Declaration 2023-24 |
| procedure/Legislative priorities/1 |
|
2023-02-18Show (1) Changes | Timetravel
| procedure/Legislative priorities |
|
2023-02-14Show (3) Changes | Timetravel
| events/1 |
|
| procedure/dossier_of_the_committee |
|
| procedure/stage_reached |
Old
Preparatory phase in ParliamentNew
Awaiting committee decision |
2023-02-08Show (1) Changes | Timetravel
| committees/1/opinion |
False
|
2023-01-05Show (2) Changes | Timetravel
| docs/0 |
|
| events/0/summary |
|
2022-12-21Show (1) Changes | Timetravel
| events |
|
2022-12-18Show (1) Changes
| docs/0/docs/1 |
|