Legal provisions of COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls.
document COM(2022)729 EN
date December 13, 2022

Contents

CHAPTER 1 - GENERAL PROVISIONS

Article 1 - Subject matter

For the purposes of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this Regulation lays down the rules on:

(a)the collection by air carriers of advance passenger information (‘API data’) on flights into the Union;

(b)the transfer by air carriers to the router of the API data;

(c)the transmission from the router to the competent border authorities of the API data. 

Article 2 - Scope

This Regulation applies to air carriers conducting scheduled or non-scheduled flights into the Union.

Article 3 - Definitions

For the purposes of this Regulation, the following definitions apply:

(a)‘air carrier’ means an air transport undertaking as defined in Article 3, point 1, of Directive (EU) 2016/681;

(b)‘border checks’ means the checks as defined in Article 2, point 11, of Regulation (EU) 2016/399;

(c)‘flights into the Union’ means flights flying from the territory either of a third country or of a Member State not participating in this Regulation, and planned to land on the territory of a Member State participating in this Regulation;

(d)‘border crossing point’ means the crossing point as defined in Article 2, point 8, of Regulation (EU) 2016/399;

(e)‘scheduled flight’ means a flight that operates according to a fixed timetable, for which tickets can be purchased by the general public;

(f)‘non-scheduled flight’ means a flight that does not operate according to a fixed timetable and that is not necessarily part of a regular or scheduled route;

(g)‘competent border authority’ means the authority charged by a Member State to carry out border checks and designated and notified by that Member State in accordance with Article 11(2);

(h)‘passenger’ means any person, excluding members of the crew, carried or to be carried in an aircraft with the consent of the air carrier, such consent being manifested by that person's registration in the passengers list; 

(i)‘crew’ means any person on board of an aircraft during the flight, other than a passenger, who works on and operates the aircraft, including flight crew and cabin crew;

(j)‘traveller’ means a passenger or crew member;

(k)‘Advance Passenger Information data’ or ‘API data’ means the traveller data and the flight information referred to in Article 4(2) and (3) respectively;

(l)‘Passenger Information Unit’ or ‘PIU’ means the competent authority referred to in Article 3, point i, of Regulation (EU) [API law enforcement];

(m)‘the router’ means the router referred to in Article 9;

(n)‘personal data’ means any information as defined in Article 4, point 1, of Regulation (EU) 2016/679.

CHAPTER 2 - COLLECTION AND TRANSFER OF API DATA

Article 4 - API data to be collected by air carriers

1. Air carriers shall collect API data of travellers, consisting of the traveller data and the flight information specified in paragraphs 2 and 3 of this Article, respectively, on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with Article 6.

2. The API data shall consist of the following traveller data relating to each traveller on the flight:

(a)the surname (family name), first name or names (given names);

(b)the date of birth, sex and nationality;

(c)the type and number of the travel document and the three-letter code of the issuing country of the travel document;

(d)the date of expiry of the validity of the travel document;

(e)whether the traveller is a passenger or a crew member (traveller’s status);

(f)the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator); 

(g)the seating information, such as the number of the seat in the aircraft assigned to a passenger, where the air carrier collects such information;

(h)baggage information, such as number of checked bags, where the air carrier collects such information.

3. The API data shall also consist of the following flight information relating to the flight of each traveller:

(a)the flight identification number or, if no such number exists, other clear and suitable means to identify the flight;

(b)when applicable, the border crossing point of entry into the territory of the Member State;

(c)the code of the airport of entry into the territory of the Member State;

(d)the initial point of embarkation;

(e)the local date and estimated time of departure;

(f)the local date and estimated time of arrival. 

Article 5 - Means of collecting API data

1. Air carriers shall collect the API data pursuant to Article 4 in such a manner that the API data that they transfer in accordance with Article 6 is accurate, complete and up-to-date.

2. Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), using automated means to collect the machine-readable data of the travel document of the traveller concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 4, where such rules have been adopted and are applicable.

However, where such use of automated means is not possible due to the travel document not containing machine-readable data, air carriers shall collect that data manually, in such a manner as to ensure compliance with paragraph 1.

3. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up-to-date.

4. The Commission is empowered to adopt delegated acts in accordance with Article 37 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article 4(2), points (a) to (d), using automated means in accordance with paragraph 2 and 3 of this Article.

5. Air carriers that use automated means to collect the information referred to in Article 3(1) of Directive 2004/82/EC shall be entitled to do so applying the technical requirements relating to such use referred to in paragraph 4, in accordance with that Directive.

Article 6 - Obligations on air carriers regarding transfers of API data

1. Air carriers shall transfer the API data to the router by electronic means. They shall do so in accordance with the detailed rules referred to in paragraph 3, where such rules have been adopted and are applicable. 

2. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for passengers to board or to leave the aircraft. 

3. The Commission is empowered to adopt delegated acts in accordance with Article 37 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the transfers of API data to the router referred to in paragraph 1.

4. Where an air carrier becomes aware, after having transferred data to the router, that the API data is inaccurate, incomplete, no longer up-to-date or was processed unlawfully, or that the data does not constitute API data, it shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the competent border authority that received the API data transmitted through the router.

Article 7 - Processing of API data received

The competent border authorities shall process API data, transferred to them in accordance with this Regulation, solely for the purposes referred to in Article 1.

Article 8 - Storage and deletion of API data

1. Air carriers shall store, for a time period of 48 hours from the moment of departure of the flight, the API data relating to that passenger that they collected pursuant to Article 4. They shall immediately and permanently delete that API data after the expiry of that time period.  

2. The competent border authorities shall store, for a time period of 48 hours from the moment of departure of the flight, the API data relating to that passenger that they received through the router pursuant to Article 11. They shall immediately and permanently delete that API data after the expiry of that time period.

3. Where an air carrier or competent border authority becomes aware that the data that it has collected, transferred or received under to this Regulation is inaccurate, incomplete, no longer up-to-date or was processed unlawfully, or that the data does not constitute API data, it shall immediately either correct, complete or update, or permanently delete, that API data. This is without prejudice to the possibility for air carriers to retain and use the data where necessary for the normal course of their business in compliance with the applicable law.

CHAPTER 3 - PROVISIONS RELATING TO THE ROUTER

Article 9 - The router

1. eu-LISA shall design, develop, host and technically manage, in accordance with Articles 22 and 23, a router for the purpose of facilitating the transfer of API data by the air carriers to the competent border authorities and to the PIUs in accordance with this Regulation and Regulation (EU) [API law enforcement], respectively.

2. The router shall be composed of:

(a)a central infrastructure, including a set of technical components enabling the transmission of API data;

(b)a secure communication channel between the central infrastructure and the competent border authorities and the PIUs, and a secure communication channel between the central infrastructure and the air carriers, for the transfer of API data and for any communications relating thereto.

3. Without prejudice to Article 10 of this Regulation, the router shall, to the extent technically possible, share and re-use the technical components, including hardware and software components, of the web service referred to in Article 13 of Regulation (EU) 2017/2226 of the European Parliament and of the Council 48 , the carrier gateway referred to in Article 6(2), point (k), of Regulation (EU) 2018/1240, and the carrier gateway referred to in Article 2a, point (h), of Regulation (EC) 767/2008 of the European Parliament and of the Council 49 .

Article 10 - Exclusive use of the router

The router shall only be used by air carriers to transfer API data and by competent border authorities and PIUs to receive API data, in accordance with this Regulation and Regulation (EU) [API law enforcement], respectively. 

Article 11 - Transmission of API data from the router to the competent border authorities

1. The router shall, immediately and in an automated manner, transmit the API data, transferred to it pursuant to Article 6, to the competent border authorities of the Member State referred to in Article 4(3), point (c). It shall do so in accordance with the detailed rules referred to in paragraph 4 of this Article, where such rules have been adopted and are applicable.

For the purpose of such transmission, eu-LISA shall establish and keep up-to-date a table of correspondence between the different airports of origin and destination and the countries to which they belong.

2. The Member State shall designate the competent border authorities authorised to receive the API data transferred to them from the router in accordance with this Regulation. They shall notify, by the date of application of this Regulation referred to in Article 39, second subparagraph, eu-LISA and the Commission of the name and contact details of the competent border authorities and shall, where necessary, update the notified information.

The Commission shall, on the basis of those notifications and updates, compile and make publicly available a list of the notified competent border authorities, including their contact details.

3. The Member States shall ensure that only the duly authorised staff of the competent border authorities have access to the API data transmitted to them through the router. They shall lay down the necessary rules to that effect. Those rules shall include rules on the creation and regular update of a list of those staff and their profiles.

4. The Commission is empowered to adopt delegated acts in accordance with Article 37 to supplement this Regulation by laying down the necessary detailed technical and procedural rules for the transmissions of API data from the router referred to in paragraph 1.

Article 12 - Deletion of API data from the router

API data, transferred to the router pursuant to this Regulation and Regulation (EU) [API law enforcement], shall be stored on the router only insofar as necessary to complete the transmission to the relevant competent borders authorities or PIUs, as applicable, in accordance with those Regulations and shall be deleted from the router, immediately, permanently and in an automated manner, in both of the following situations:

(a)where the transmission of the API data to the relevant competent border authorities or PIUs, as applicable, has been completed;

(b)in respect of Regulation (EU) [API law enforcement], where the API data relates to other intra-EU flights than those included the lists referred to in Article 5(2) of that Regulation.

Article 13 - Keeping of logs

1. eu-LISA shall keep logs of all processing operations relating to the transfer of API data through the router under this Regulation and Regulation (EU) [API law enforcement]. Those logs shall cover the following:

(a)the air carrier that transferred the API data to the router;

(b)the competent border authorities and PIUs to which the API data was transmitted through the router;

(c)the date and time of the transfers referred to in points (a) and (b), and place of transfer; 

(d)any access by staff of eu-LISA necessary for the maintenance of the router, as refererred to in Article 23(3);

(e)any other information relating to those processing operations necessary to monitor the security and integrity of the API data and the lawfulness of those processing operations.

Those logs shall not include any personal data, other than the information necessary to identify the relevant member of the staff of eu-LISA, referred to in point (d) of the first subparagraph.

2. Air carriers shall create logs of all processing operations under this Regulation undertaken by using the automated means referred to in Article 5(2). Those logs shall cover the date, time and place of transfer of the API data.

3. The logs referred to in paragraphs 1 and 2 shall be used only for ensuring the security and integrity of the API data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation and Regulation (EU) [API Law Enforcement], including proceedings for penalties for infringements of those requirements in accordance with Articles 29 and 30 of this Regulation. 

4. eu-LISA and the air carriers shall take appropriate measures to protect the logs that they created pursuant to paragraphs 1 and 2, respectively, against unauthorised access and other security risks. 

5. eu-LISAand the air carriers shall keep the logs that they created pursuant to paragraphs 1 and 2, respectively, for a time period of one year from the moment of the creation of those logs. They shall immediately and permanently delete those logs upon the expiry of that time period.

However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and these procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, eu-LISA and the air carriers may keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.

Article 14 - Actions in case of technical impossibility to use the router

1. Where it is technically impossible to use the router to transmit API data because of a failure of the router, eu-LISA shall immediately notify the air carriers and competent border authorities of that technical impossibility in an automated manner. In that case, eu-LISA shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.

During the time period between those notifications, Article 6(1) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) and Article 8(1) shall not apply either to the API data in question during that time period.

2. Where it is technically impossible to use the router to transmit API data because of a failure of the systems or infrastructure referred to in Article 20 of a Member State, the competent border authorities of that Member State shall immediately notify the air carriers, the competent authorities of the other Member States, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that Member State shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.

During the time period between those notifications, Article 6(1) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) and Article 8(1) shall not apply either to the API data in question during that time period.

3. Where it is technically impossible to use the router to transmit API data because of a failure of the systems or infrastructure referred to in Article 21 of an air carrier, that air carrier shall immediately notify the competent border authorities, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that air carrier shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.

During the time period between those notifications, Article 6(1) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) and Article 8(1) shall not apply either to the API data in question during that time period.

When the technical impossibility has been successfully addressed, the air carrier concerned shall, without delay, submit to the competent national supervisory authority referred to in Article 29 a report containing all necessary details on the technical impossibility, including the reasons for the technical impossibility, its extent and consequences as well as the measures taken to address it.

CHAPTER 4 - SPECIFIC PROVISIONS ON THE PROTECTION OF PERSONAL DATA

Article 15 - Personal data controllers

The competent border authorities shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, in relation to the processing of API data constituting personal data through the router , including the transmission and the storage for technical reasons of that data in the router, as well as in relation to their processing of API data constituting personal data referred to in Article 7 of this Regulation.

The air carriers shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under this Regulation.

Article 16 - Personal data processor

eu-LISA shall be the processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation and Regulation (EU) [API law enforcement].

Article 17 - Security

1. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation and Regulation (EU) [API law enforcement]. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu-LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.

2. In particular, eu-LISA shall take the necessary measures to ensure the security of the router and the API data, in particular API data constituting personal data, transmitted through the router, including by establishing, implementing and regularly updating a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a)physically protect the router, including by making contingency plans for the protection of critical components thereof;

(b)prevent any unauthorised processing of the API data, including any unauthorised access thereto and copying, modification or deletion thereof, both during the transfer of the API data to and from the router and during any storage of the API data on the router where necessary to complete the transmission, in particular by means of appropriate encryption techniques; 

(c)ensure that it is possible to verify and establish to which competent border authorities or PIUs the API data is transmitted through the router;

(d)properly report to its Management Board any faults in the functioning of the router;

(e)monitor the effectiveness of the security measures required under this Article and under Regulation (EU) 2018/1725, and assess and update those security measures where necessary in the light of technological or operational developments.

The measures referred to in the first subparagraph of this paragraph shall not affect Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679.

Article 18 - Self-monitoring

The air carriers and competent authorities shall monitor their compliance with their respective obligations under this Regulation, in particular as regards their processing of API data constituting personal data, including through frequent verification of the logs referred to in Article 13.

Article 19 - Personal data protection audits

1. The competent national data protection authorities referred to in Article 51 of Regulation (EU) 2016/679 shall ensure that an audit of processing operations of API data constituting personal data performed by the competent border autorities for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every four years.

2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation and Regulation (EU) [API law enforcement] is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted.

3. In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 13(1), and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.

CHAPTER 5 - CONNECTIONS AND ADDITIONAL PROVISIONS REGARDING THE ROUTER

Article 20 - Competent border authorities’ connections to the router

1. Member States shall ensure that their competent border authorities are connected to the router. They shall ensure that the competent border authorities’ systems and infrastructure for the reception of API data transferred purpsuant to this Regulation are integrated with the router.

Member States shall ensure that the connection to the router and integration with it enables their competent border authorities to receive and further process the API data, as well as to exchange any communications relating thereto, in a lawful, secure, effective and swift manner.

2. The Commission is empowered to adopt delegated acts in accordance with Article 37 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1.

Article 21 - Air carriers’ connections to the router

1. Air carriers shall ensure that they are connected to the router. They shall ensure that their systems and infrastructure for the transfer of API data to the router pursuant to this Regulation are integrated with the router.

Air carriers shall ensure that the connection to that router and integration with it enables them to transfer the API data, as well as to exchange any communications relating thereto, in a lawful secure, effective and swift manner.

2. The Commission is empowered to adopt delegated acts in accordance with Article 37 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1.

Article 22 - eu-LISA’s tasks relating to the design and development of the router

1. eu-LISA shall be responsible for the design of the physical architecture of the router, including defining the technical specifications.

2. eu-LISA shall be responsible for the development of the router, including for any technical adaptations necessary for the operation of the router.

The development of the router shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination of the development phase.

3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation and Regulation (EU) [API law enforcement], and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in Article 5(4), Article 6(3), Article 11(4), Article 20(2) and Article 21(2).

4. Where eu-LISA considers that the development phase has been completed, it shall, without undue delay, conduct a comprehensive test of the router, in cooperation with the competent border authorities, PIUs and other relevant Member States’ authorities and air carriers and inform the Commission of the outcome of that test.

Article 23 - eu-LISA’s tasks relating to the hosting and technical management of the router

1. eu-LISA shall host the router in its technical sites.

2. eu-LISA shall be responsible for the technical management of the router, including its maintenance and technical developments, in such a manner as to ensure that the API data are securely, effectively and swiftly transmitted through the router, in compliance with this Regulation and Regulation (EU) [API law enforcement].

The technical management of the router shall consist of carrying out all the tasks and enacting all technical solutions necessary for the proper functioning of the router in accordance with this Regulation, Regulation (EU) [API law enforcement], in an uninterrupted manner, 24 hours a day, 7 days a week. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability, accuracy and reliability of the transmission of API data, in accordance with the technical specifications and, as much as possible, in line with the operational needs of the competent border authorities, PIUs and air carriers.

3. eu-LISA shall not have access to any of the API data that is transmited through the router. However, that prohibition shall not preclude eu-LISA from having such access insofar as strictly necessary for the maintenance of the router.

4. Without prejudice to paragraph 3 of this Article and to Article 17 of Council Regulation (EEC, Euratom, ECSC) No 259/68 50 , eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its staff required to work with API data transmitted through the router. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 24 - eu-LISA’s support tasks relating to the router

1. eu-LISA shall, upon their request, provide training to competent border authorities, PIUs and other relevant Member States’ authorities and air carriers on the technical use of the router.

2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation and Regulation (EU) [API law enforcement], respectively, in particular as regards the application of Articles 11 and 20 of this Regulation and Articles 5 and 10 of Regulation (EU) [API law enforcement].

Article 25 - Costs of eu-LISA and of Member States

1. Costs incurred by eu-LISA in relation to the design, development, hosting and technical management of the router under this Regulation and Regulation (EU) [API law enforcement] shall be borne by the general budget of the Union.

2. Costs incurred by Member States in relation to their connections to and integration with the router referred to in Article 20 shall be borne by the general budget of the Union.

However, the following costs shall be excluded and shall be borne by the Member States:

(a)costs for the project management office, including meetings, missions, offices;

(b)costs for the hosting of national information technology (IT) systems, inclduing space, implementation, electricity and cooling;

(c)costs for the operation of national IT systems, including operators and support contracts;

(d)costs for the design, development, implementation, operation and maintenance of national communication networks.

3. The Member States shall also bear the costs arising from the administration, use and maintenance of their connections to and integration with the router.

Article 26 - Liability regarding the router

If any failure of a Member State or an air carrier to comply with its obligations under this Regulation causes damage to the router, that Member State or air carrier shall be liable for such damage, unless and insofar as eu-LISA failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

Article 27 - Start of operations of the router

The Commission shall determine, without undue delay, the date from which the router starts operations by means of an implementing act once eu-LISA has informed the Commission of the successful completion of the comprehensive test of the router referred to in Article 22(4). That implementing act shall be adopted in accordance with the examination procedure referred to in Article 36(2).

The Commission shall set the date referred to in the first subparagraph to be no later than 30 days from the date of the adoption of that implementing act.

Article 28 - Voluntary use of the router in application of Directive 2004/81/EC

1. Air carriers shall be entitled to use the router to transmit the information referred to in Article 3(1) of Directive 2004/82/EC to one or more of the responsible authorities referred to therein, in accordance with that Directive, provided that the responsible authority concerned has agreed with such use, from an appropriate date set by that authority. That authority shall only agree after having established that, in particular as regards both its own connection to the router and that of the air carrier concerned, the information can be transmitted in a lawful, secure, effective and swift manner.

2. Where an air carrier starts using the router in accordance with paragraph 1, it shall continue using the router to transmit such information to the responsible authority concerned until the date of application of this Regulation referred to in Article 39, second subparagraph. However, that use shall be discontinued, from an appropriate date set by that authority, where that authority considers that there are objective reasons that require such discontinuation and has informed the air carrier accordingly.

3. The responsible authority concerned shall:

(a)consult eu-LISA before agreeing with the voluntary use of the router in accordance with paragraph 1;

(b)except in situations of duly justified urgency, afford the air carrier concerned an opportunity to comment on its intention to discontinue such use in accordance with paragraph 2 and, where relevant, also consult eu-LISA thereon;

(c)immediately inform eu-LISA and the Commission of any such use to which it agreed and any discontinuation of such use, providing all necessary information, including the date of the start of the use, the date of the discontinuation and the reasons for the discontinuation, as applicable.

CHAPTER 6 - SUPERVISION, PENALTIES, STATISTICS AND HANDBOOK

Article 29 - National supervisory authority

1. Member States shall designate one or more national supervisory authorities responsible for monitoring the application within their territory by air carriers of the provisions of this Regulation and ensuring compliance with those provisions.

2. Member States shall ensure that the national supervisory authorities have all necessary means and all necessary investigative and enforcement powers to carry out their tasks under this Regulation, including by imposing the penalties referred to in Article 30 where appropriate. They shall lay down detailed rules on the performance of those tasks and the exercise of those powers, ensuring that the performance and exercise is effective, proportionate and dissuasive and is subject to safeguards in compliance with the fundamental rights guaranteed under Union law.

3. Member States shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, notify the Commission of the name and the contact details of the authorities that they designated under paragraph 1 and of the detailed rules that they laid down pursuant to paragraph 2. They shall notify the Commission without delay of any subsequent changes or amendments thereto.

4. This Article is without prejudice to the powers of the supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679. 

Article 30 - Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.

Member States shall, by the date of application of this Regulation referred to in Article 39, second subparagraph, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.

Article 31 - Statistics

1. Every quarter, eu-LISA shall publish statistics on the functioning of the router, showing in particular the number, the nationality and the country of departure of the travellers, and specifically of the travellers who boarded the aircraft with inaccurate, incomplete or no longer up-to-date API data, with a non-recognised travel document, without a valid visa, without a valid travel authorization, or reported as overstay, the number and nationality of travellers. 

2. eu-LISA shall store the daily statistics in the central repository for reporting and statistics established in Article 39 of Regulation (EU) 2019/817.

3. At the end of each year, eu-LISA shall compile statistical data in an annual report for that year. It shall publish that annual report and transmit it to the European Parliament, the Council, the Commission, the European Data Protection Supervisor, the European Border and Coast Guard Agency and the national supervisory authorities referred to in Article 29.

4. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation and Regulation (EU) [API Law enforcement] as well as the statistics pursuant to paragraph 3.

5. eu-LISA shall have the right to access the following API data transmitted through to the router, solely for the purposes of the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, without however such access allowing for the identification of the travellers concerned:

(a)whether the traveller is passenger or a crew member;

(b)the nationality, sex and year of birth of the traveller;

(c)the date and initial point of embarkation, and the date and airport of entry into the territory of a Member State arrival;

(d)the type of the travel document and the three letter code of the issuing country and the date of expiry of the travel document;

(e)the number of travellers checked-in on the same flight;

(f)whether the flight is a scheduled or a non-scheduled flight;

(g)whether the personal data of the traveller is accurate, complete and up-to-date.

6. For the the purposes of the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, eu-LISA shall store the data referred to in paragraph 5 of this Article in the central repository for reporting and statistics established by Article 39 of Regulation (EU) 2019/817. The cross-system statistical data and analytical reporting referred to in Article 39(1) of that Regulation shall allow the competent border authorities and other relevant authorities of the Member States to obtain customisable reports and statistics, for the purposes referred to in Article 1 of this Regulation.

7. The procedures put in place by eu-LISA to monitor the development and the functioning of the router referred to in Article 39(1) of Regulation (EU) 2019/817 shall include the possibility to produce regular statistics to ensure that monitoring.

Article 32 - Practical handbook

The Commission shall, in close cooperation with the competent border authorities, other relevant Member States’ authorities, the air carriers and relevant Union agencies, prepare and make publicly available a practical handbook, containing guidelines, recommendations and best practices for the implementation of this Regulation.

The practical handbook shall take into account the relevant existing handbooks.

The Commission shall adopt the practical handbook in the form of a recommendation.

CHAPTER 7 - RELATIONSHIP TO OTHER EXISTING INSTRUMENTS

Article 33 - Repeal of Directive 2004/82/EC

Directive 2004/82/EC is repealed from the date of application of this Regulation, referred to in Article 39, second subparagraph.

Article 34 - Amendments to Regulation (EU) 2018/1726

Regulation (EU) 2018/1726 is amended as follows:

(1) the following Article 13b is inserted:

“Article 13b

Tasks related to the router 


In relation to Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation] and Regulation (EU) [API LE], the Agency shall perform the tasks related to the router conferred on it by those Regulations.

___________

* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”


(1) in Article 17, paragraph 3 is replaced by the following:


“3. The seat of the Agency shall be Tallinn, Estonia.


The tasks relating to development and operational management referred to in Article 1(4) and (5) and Articles 3 to 9 and Articles 11, [13a] and 13b shall be carried out at the technical site in Strasbourg, France.


A backup site capable of ensuring the operation of a large-scale IT system in the event of failure of such a system shall be installed in Sankt Johann im Pongau, Austria.”

(2) in Article 19, paragraph 1, is amended as follows:

(a)the following point (eeb) is inserted:

“(eeb) adopt reports on the state of play of the development of the router pursuant to Article 38(2) of the Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation];”

___________

* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”

(b)point (ff) is replaced by the following:

“(ff) adopt reports on the technical functioning of the following:

(1) SIS pursuant to Article 60(7) of Regulation (EU) 2018/1861 of the European Parliament and of the Council* and Article 74(8) of Regulation (EU) 2018/1862 of the European Parliament and of the Council**;

(2) VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA;

(3) EES pursuant to Article 72(4) of Regulation (EU) 2017/2226;

(4) ETIAS pursuant to Article 92(4) of Regulation (EU) 2018/1240;

(5) ECRIS-TCN and of the ECRIS reference implementation pursuant to Article 36(8) of Regulation (EU) 2019/816;

(6) the interoperability components pursuant to Article 78(3) of Regulation (EU) 2019/817, Article 74(3) of Regulation (EU) 2019/818 and of the router pursuant to Article 79(5) of Regulation (EU) …/… of the European Parliament and of the Council* [Prüm II Regulation] and Article 38(5) of Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation];

(3) the e-CODEX system pursuant to Article 16(1) of Regulation (EU) 2022/850” 

___________

*Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14).


**Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU ( OJ L 312, 7.12.2018, p. 56 ).


(c) point (hh) is replaced by the following:

(hh) adopt formal comments on the European Data Protection Supervisor's reports on its audits pursuant to Article 56(2) of Regulation (EU) 2018/1861, Article 42(2) of Regulation (EC) No 767/2008, Article 31(2) of Regulation (EU) No 603/2013, Article 56(2) of Regulation (EU) 2017/2226, Article 67 of Regulation (EU) 2018/1240, Article 29(2) of Regulation (EU) 2019/816, Article 52 of Regulations (EU) 2019/817 and (EU) 2019/818, Article 60(1) of the Regulation (EU) …/… of the European Parliament and of the Council* [Prüm II] and Article 19(3) of the Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation] and ensure appropriate follow-up of those audits;

___________

(4) * Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”

Article 35 - Amendments to Regulation (EU) 2019/817 ___________

(1) In Article 39, paragraphs 1 and 2 are replaced by the following:


“1. A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the EES, VIS, ETIAS and SIS, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes. The CRRS shall also support the objectives of Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].”


* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”


 2. eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 63 of Regulation (EU) 2017/2226, Article 17 of Regulation (EC) No 767/2008, Article 84 of Regulation (EU) 2018/1240, Article 60 of Regulation (EU) 2018/1861 and Article 16 of Regulation (EU) 2018/1860, logically separated by EU information system. eu-LISA shall also collect the data and statistics from the router referred to in Article 31(1) of Regulation (EU) …/… * [this Regulation]. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 63 of Regulation (EU) 2017/2226, Article 17 of Regulation (EC) No 767/2008, Article 84 of Regulation (EU) 2018/1240, Article 60 of Regulation (EU) 2018/1861 and Article 38(2) of Regulation (EU) …/… [this Regulation ].”

CHAPTER 8 - FINAL PROVISIONS

Article 36 - Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.

Article 37 - Exercise of delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 5(4), Article 6(3), Article 11(4), Article 20(2) and Article 21(2) shall be conferred on the Commission for a period of five years  from [date of adoption of the Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3. The delegation of power referred to in Article 5(4), Article 6(3), Article 11(4), Article 20(2) and Article 21(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

Article 38 - Monitoring and evaluation

1. eu-LISA shall ensure that procedures are in place to monitor the development of the router in light of objectives relating to planning and costs and to monitor the functioning of the router in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2. By [one year after the date of entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall produce a report, and submit it to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and about any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 25.

3. Once the router starts operations, eu-LISA shall produce a report and submit it to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.

4. By [four years after the date of entry into force of this Regulation ] and every four years thereafter, the Commission shall produce a report containing an overall evaluation of this Regulation, including an assessment of:

(a)the application of this Regulation;

(b)the extent to which this Regulation achieved its objectives; 

(c)the impact of this Regulation on relevant fundamental rights protected under Union law;

5. The Commission shall submit the evaluation report to the European Parliament, the Council, the European Data Protection Supervisor and the European Agency for Fundamental Rights. If appropriate, in light of the evaluation conducted, the Commission shall make a legislative proposal to the European Parliament and to the Council with a view to amending this Regulation.

6. The Member States and air carriers shall, upon request, provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 2, 3 and 4, including information not constituting personal data related to the results of the pre-checks of Union information systems and national databases at the external borders with API data. However, Member States may refrain from providing such information if, and to the extent necessary not to disclose confidential working methods or jeopardise ongoing investigations of the competent border authorities. The Commission shall ensure that any confidential information provided is appropriately protected.

Article 39 - Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from two years from the date at which the router starts operations, specified by the Commission in accordance with Article 27.

However:

(a)Article 5(4) and (5), Article 6(3), Article 11(4), Article 20(2), Article 21(2), Article 22, Article 25(1), Article 27, Article 36 and Article 37 shall apply from [Date of entry into force of this Regulation];

(b)Article 10, Article 13(1), (3) and (4), Article 15, Article 16, Article 17, Article 23, Article 24, Article 26 and Article 28 shall apply from the date at which the router starts operations, specified by the Commission in accordance with Article 27.


This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.