Legal provisions of COM(2022)731 - Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2022)731 - Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of ...
document COM(2022)731 EN
date December 13, 2022

Contents

CHAPTER 1 - GENERAL PROVISIONS

Article 1 - Subject matter

For the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, this Regulation lays down the rules on:

(a)the collection by air carriers of advance passenger information data (‘API data’) on extra EU flights and selected intra EU flights;

(b)the transfer by air carriers to the router of the API data;

(c)the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data on extra-EU flights and selected intra-EU flights.  

Article 2 - Scope

This Regulation applies to air carriers conducting scheduled or non-scheduled extra-EU flights or intra-EU flights.

Article 3 - Definitions

For the purposes of this Regulation, the following definitions apply:

(a)‘air carrier’ means an air transport undertaking as defined in Article 3, point (1), of Directive (EU) 2016/681;

(b)‘extra-EU flights’ means any flight as defined in Article 3, point (2), of Directive (EU) 2016/681;

(c)‘intra-EU flight’ means any flight as defined in Article 3, point (3), of Directive (EU) 2016/681;

(d)‘scheduled flight’ means a flight as defined in Article 3, point (e), of Regulation (EU) [API border management];

(e)‘non-scheduled flight’ means a flight as defined in Article 3, point (f), of Regulation (EU) [API border management];

(f)‘passenger’ means any person as defined in Article 3, point (4), of Directive (EU) 2016/681;

(g)‘crew’ means any person as defined in Article 3, point (h), of Regulation (EU) [API border management];

(h)‘traveller’ means any person as defined in Article 3, point (i), of Regulation (EU) [API border management];

(i)‘advance passenger information data’ or ‘API data’ means the data as defined in Article 3, point (j), of Regulation (EU) [API border management];

(j)‘passenger name record’ or PNR means a record of each passenger’s travel requirements as defined in Article 3, point (5), of Directive (EU) 2016/681;

(k)‘Passenger Information Unit’ or ‘PIU’ means the competent authority established by a Member State, as contained in the notifications and modifications published by the Commission pursuant to Article 4(1) and (5), respectively, of Directive (EU) 2016/681;

(l)‘terrorist offences’ means the offences as defined in Articles 3 to 12 of Directive (EU) 2017/541 of the European Parliament and the Council 35 ;

(m)‘serious crime’ means the offences as defined in Article 3, point (9), of Directive 2016/681;

(n)‘the router’ means the router as defined in Article 3, point (k) of Regulation (EU) [API border management];

(o)’personal data’ means any information as defined in Article 4, point (1), of Regulation (EU) 2016/679.

CHAPTER 2 - PROCESSING OF API DATA

Article 4 - Collection, transfer and deletion of API data by air carriers

1. Air carriers shall collect API data of travellers on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with paragraph 6. Where the flight is code-shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.

2. Air carriers shall collect the API data in such a manner that the API data that they transfer in accordance with paragraph 6 is accurate, complete and up-to-date.

3. Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the traveller concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred paragraph 5, where such rules have been adopted and are applicable.

However, where such use of automated means is not possible due to the travel document not containing machine-readable data, air carriers shall collect that data manually, in such a manner as to ensure compliance with paragraph 2.

4. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up-to-date.

5. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means in accordance with paragraphs 3 and 4 of this Article.

6. Air carriers shall transfer the API data collected pursuant to paragraph 1 to the router, by electronic means. They shall do so in accordance with the detailed rules referred to in paragraph 9, where such rules have been adopted and are applicable.

7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the travellers have boarded the aircraft in preparation for departure and it is no longer possible for travellers to board or to leave the aircraft.

8. Without prejudice to the possibility for air carriers to retain and use the data where necessary for the normal course of their business in compliance with the applicable law, air carriers shall immediately either correct, complete or update, or permanently delete, the API data concerned in both of the following situations:

(a)where they become aware that the API data collected is inaccurate, incomplete or no longer up-to-date or was processed unlawfully, or that the data transferred does not constitute API data;

(b)where the transfer of the API data in accordance with paragraph 3 has been completed.

Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received the API data transmitted through the router.

9. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the transfers of API data to the router referred to in paragraph 6.

Article 5 - Transmission of API data from the router to the PIUs

1. The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on the territory of which the flight will land or from the territory of which the flight will depart, or to both in the case of intra-EU-flights. Where a flight has one or more stop-overs at the territory of other Member States than the one from which it departed, the router shall transmit the API data to the PIUs of all the Member States concerned. 

For the purpose of such transmission, eu-LISA shall establish and keep up-to-date a table of correspondence between the different airports of origin and destination and the countries to which they belong

However, for intra-EU flights, the router shall only transmit the API data to that PIU in respect of the flights included in the list referred to in paragraph 2.

The router shall transmit the API data in accordance with the detailed rules referred to in paragraph 3, where such rules have been adopted and are applicable.2.Member States that decide to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2 of that Directive shall each establish a list of the intra-EU flights concerned and shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, provide eu-LISA with that list. Those Member States shall, in accordance with Article 2 of that Directive, regularly review and where necessary update those lists and shall immediately provide eu-LISA with any such updated lists. The information contained on those lists shall be treated confidentially. 

3. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed technical and procedural rules for the transmissions of API data from the router referred to in paragraph 1.

CHAPTER 3 - LOGGING, PERSONAL DATA PROTECTION AND SECURITY

Article 6 - Keeping of logs

1. Air carriers shall create logs of all processing operations under this Regulation undertaken using the automated means referred to in Article 4(3). Those logs shall cover the date, time, and place of transfer of the API data.

2. The logs referred to in paragraph 1 shall be used only for ensuring the security and integrity of the API data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation, including proceedings for penalties for infringements of those requirements in accordance with Articles 15 and 16.

3. Air carriers shall take appropriate measures to protect the logs that they created pursuant to paragraph 1 against unauthorised access and other security risks.

4. Air carriers shall keep the logs that they created pursuant to paragraph 1, for a time period of one year from the moment of the creation of those logs. They shall immediately and permanently delete those logs upon the expiry of that time period.

However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, air carriers may keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.

Article 7 - Personal data controllers

The PIUs shall be controllers, within the meaning of Article 3, point (8), of Directive (EU) 2016/680 in relation to the processing of API data constituting personal data under this Regulation through the router, including transmission and storage for technical reasons of that data on the router.

The air carriers shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under this Regulation.

Article 8 - Security

PIUs and air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation.

PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other and with eu-LISA to ensure such security.

Article 9 - Self-monitoring

Air carriers and the PIUs shall monitor their compliance with their respective obligations under this Regulation, in particular as regards their processing of API data constituting personal data, including through frequent verification of the logs in accordance with Article 7.

CHAPTER 4 - MATTERS RELATING TO THE ROUTER

Article 10 - PIUs’ connections to the router

1. Member States shall ensure that their PIUs are connected to the router. They shall ensure that their national systems and infrastructure for the reception and further processing of API data transferred pursuant to this Regulation are integrated with the router.

Member States shall ensure that the connection to that router and integration with it enables their PIUs to receive and further process the API data, as well as to exchange any communications relating thereto, in a lawful, secure, effective and swift manner.

2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1.

Article 11 - Air carriers’ connections to the router

1. Air carriers shall ensure that they are connected to the router. They shall ensure that their systems and infrastructure for the transfer of API data to the router pursuant to this Regulation are integrated with the router.

Air carriers shall ensure that the connection to the router and the integration with it enables them to transfer the API data as well as to exchange any communications relating thereto, in a lawful, secure, effective and swift manner.

2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1.

Article 12 - Member States’ costs

1. Costs incurred by the Member States in relation to their connections to and integration with the router referred to in Article 10 shall be borne by the general budget of the Union.

However, the following costs shall be excluded and be borne by the Member States:

(a)costs for project management, including costs for meetings, missions and offices;

(b)costs for the hosting of national information technology (IT) systems, including costs for space, implementation, electricity and cooling;

(c)costs for the operation of national IT systems, including operators and support contracts;

(d)costs for the design, development, implementation, operation and maintenance of national communication networks.

2. Member States shall also bear the costs arising from the administration, use and maintenance of their connections to and integration with the router.

Article 13 - Actions in case of technical impossibility to use the router

1. Where it is technically impossible to use the router to transmit API data because of a failure of the router, eu-LISA shall immediately notify the air carriers and PIUs of that technical impossibility in an automated manner. In that case, eu-LISA shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.

During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) shall not apply either to the API data in question during that time period.

2. Where it is technically impossible to use the router to transmit API data because of a failure of the systems or infrastructure referred to in Article 10 of a Member State, the PIU of that Member State shall immediately notify the air carriers, the other PIUs, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that Member State shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.

During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) shall not apply either to the API data in question during that time period.

3. Where it is technically impossible to use the router to transmit API data because of a failure of the systems or infrastructure referred to in Article 11 of an air carrier, that air carrier shall immediately notify the PIUs, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that air carrier shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.

During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) shall not apply either to the API data in question during that time period.

When the technical impossibility has been successfully addressed, the air carrier concerned shall, without delay, submit to the competent national supervisory authority referred to in Article 15 a report containing all necessary details on the technical impossibility, including the reasons for the technical impossibility, its extent and consequences as well as the measures taken to address it.

Article 14 - Liability regarding the router

If any failure of a Member State or an air carrier to comply with its obligations under this Regulation causes damage to the router, that Member State or air carrier shall be liable for such damage, unless and insofar as eu-LISA failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

CHAPTER 5 - SUPERVISION, PENALTIES AND HANDBOOK

Article 15 - National supervisory authority

1. Member States shall designate one or more national supervisory authorities responsible for monitoring the application within their territory by air carriers of the provisions of this Regulation and ensuring compliance with those provisions.

2. Member States shall ensure that the national supervisory authorities have all necessary means and all necessary investigative and enforcement powers to carry out their tasks under this Regulation, including by imposing the penalties referred to in Article 16 where appropriate. They shall lay down detailed rules on the performance of those tasks and the exercise of those powers, ensuring that the performance and exercise is effective, proportionate and dissuasive and is subject to safeguards in compliance with the fundamental rights guaranteed under Union law.

3. Member States shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, notify the Commission of the name and the contact details of the authorities that they designated under paragraph 1 and of the detailed  rules that they laid down pursuant to paragraph 2. They shall notify the Commission without delay of any subsequent changes or amendments thereto.

4. This Article is without prejudice to the powers of the supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680.

Article 16 - Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure they are implemented. The penalties provided for shall be effective, proportionate and dissuasive penalties.

Member States shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, notify the Commission of those rules and of those measures and shall notify it without delay of any subsequent amendment affecting them.

Article 17 - Practical handbook

The Commission shall, in close cooperation with the PIUs, other relevant Member States’ authorities, the air carriers and relevant Union agencies, prepare and make publicly available a practical handbook, containing guidelines, recommendations and best practices for the implementation of this Regulation.

The practical handbook shall take into account the relevant existing handbooks.

The Commission shall adopt the practical handbook in the form of a recommendation.

CHAPTER 6 - RELATIONSHIP TO OTHER EXISTING INSTRUMENTS

Article 18 - Amendments to Regulation (EU) 2019/818 ___________

   In Article 39, paragraphs 1 and 2 are replaced by the following:


“1. A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the SIS, Eurodac and ECRIS-TCN, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes. The CRRS shall also support the objectives of Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].”


* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”


“2. eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 74 of Regulation (EU) 2018/1862 and Article 32 of Regulation (EU) 2019/816 logically separated by EU information system. eu-LISA shall also collect the data and statistics from the router referred to in Article 13(1) of Regulation (EU) …/… * [this Regulation ]. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 74 of Regulation (EU) 2018/1862, Article 32 of Regulation (EU) 2019/816 and Article 13(1) of Regulation (EU) …/… * [this Regulation ].”

CHAPTER 7 - FINAL PROVISIONS

Article 19 - Exercise of delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 4(5) and (9), Article 5(3), Article 10(2) and Article 11(2) shall be conferred on the Commission for a period of five years  from [date of adoption of the Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3. The delegation of power referred to in Article 4(5) and (9), Article 5(3), Article 10(2) and Article 11(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

Article 20 - Monitoring and evaluation

1. By [four years after the date of entry into force of this Regulation], and every four years thereafter, the Commission shall produce a report containing an overall evaluation of this Regulation, including an assessment of:

(a)the application of this Regulation;

(b)the extent to which this Regulation achieved its objectives;

(c)the impact of this Regulation on the fundamental rights protected under Union law;

(d)The Commission shall submit the evaluation report to the European Parliament, the Council, the European Data Protection Supervisor and the European Agency for Fundamental Rights. If appropriate, in light of the evaluation conducted, the Commission shall make a legislative proposal to the European Parliament and to the Council with a view to amending this Regulation.

2. The Member States and air carriers shall, upon request, provide the Commission with the information necessary to draft the report referred to in paragraph 1. However, Member States may refrain from providing such information if, and to the extent, necessary not to disclose confidential working methods or jeopardise ongoing investigations of their PIUs or other law enforcement authorities. The Commission shall ensure that any confidential information provided is appropriately protected.

Article 21 - Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from two years from the date at which the router starts operations, specified by the Commission in accordance with Article 27 of Regulation (EU) [API border management].

However, Article 4(5) and (9), Article 5(3), Article 10(2), Article 11(2) and Article 19 shall apply from [Date of entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.