Legal provisions of COM(2022)731 - Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2022)731 - Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of ... |
---|---|
document | COM(2022)731 |
date | December 13, 2022 |
Contents
- CHAPTER 1 - GENERAL PROVISIONS
- Article 1 - Subject matter
- Article 2 - Scope
- Article 3 - Definitions
- CHAPTER 2 - PROCESSING OF API DATA
- Article 4 - Collection, transfer and deletion of API data by air carriers
- Article 5 - Transmission of API data from the router to the PIUs
- CHAPTER 3 - LOGGING, PERSONAL DATA PROTECTION AND SECURITY
- Article 6 - Keeping of logs
- Article 7 - Personal data controllers
- Article 8 - Security
- Article 9 - Self-monitoring
- CHAPTER 4 - MATTERS RELATING TO THE ROUTER
- Article 10 - PIUs’ connections to the router
- Article 11 - Air carriers’ connections to the router
- Article 12 - Member States’ costs
- Article 13 - Actions in case of technical impossibility to use the router
- Article 14 - Liability regarding the router
- CHAPTER 5 - SUPERVISION, PENALTIES AND HANDBOOK
- Article 15 - National supervisory authority
- Article 16 - Penalties
- Article 17 - Practical handbook
- CHAPTER 6 - RELATIONSHIP TO OTHER EXISTING INSTRUMENTS
- Article 18 - Amendments to Regulation (EU) 2019/818
- CHAPTER 7 - FINAL PROVISIONS
- Article 19 - Exercise of delegation
- Article 20 - Monitoring and evaluation
- Article 21 - Entry into force and application
CHAPTER 1 - GENERAL PROVISIONS
Article 1 - Subject matter
(a) the collection by air carriers of advance passenger information data (‘API data’) on extra-EU flights and selected intra-EU flights;
(b) the transfer by air carriers to the router of the API data;
(c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data on extra-EU flights and selected intra-EU flights.
Article 2 - Scope
Article 3 - Definitions
(a) ‘air carrier’ means an air transport undertaking as defined in Article 3, point (1), of Directive (EU) 2016/681;
(b) ‘extra-EU flights’ means any flight as defined in Article 3, point (2), of Directive (EU) 2016/681;
(c) ‘intra-EU flight’ means any flight as defined in Article 3, point (3), of Directive (EU) 2016/681;
(d) ‘scheduled flight’ means a flight as defined in Article 3, point (e), of Regulation (EU) [API border management];
(e) ‘non-scheduled flight’ means a flight as defined in Article 3, point (f), of Regulation (EU) [API border management];
(f) ‘passenger’ means any person as defined in Article 3, point (4), of Directive (EU) 2016/681;
(g) ‘crew’ means any person as defined in Article 3, point (h), of Regulation (EU) [API border management];
(h) ‘traveller’ means any person as defined in Article 3, point (i), of Regulation (EU) [API border management];
(i) ‘advance passenger information data’ or ‘API data’ means the data as defined in Article 3, point (j), of Regulation (EU) [API border management];
(j) ‘passenger name record’ or PNR means a record of each passenger’s travel requirements as defined in Article 3, point (5), of Directive (EU) 2016/681;
(k) ‘Passenger Information Unit’ or ‘PIU’ means the competent authority established by a Member State, as contained in the notifications and modifications published by the Commission pursuant to Article 4(1) and (5), respectively, of Directive (EU) 2016/681;
(l) ‘terrorist offences’ means the offences as defined in Articles 3 to 12 of Directive (EU) 2017/541 of the European Parliament and the Council;
(m) ‘serious crime’ means the offences as defined in Article 3, point (9), of Directive 2016/681;
(n) ‘the router’ means the router as defined in Article 3, point (k) of Regulation (EU) [API border management];
(o) ‘personal data’ means any information as defined in Article 4, point (1), of Regulation (EU) 2016/679.
CHAPTER 2 - PROCESSING OF API DATA
Article 4 - Collection, transfer and deletion of API data by air carriers
2. Air carriers shall collect the API data in such a manner that the API data that they transfer in accordance with paragraph 6 is accurate, complete and up-to-date.
3. Air carriers shall collect the API data referred to in Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the traveller concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 5, where such rules have been adopted and are applicable.
However, where such use of automated means is not possible due to the travel document not containing machine-readable data, air carriers shall collect that data manually, in such a manner as to ensure compliance with paragraph 2.
4. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up-to-date.
5. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means in accordance with paragraphs 3 and 4 of this Article.
6. Air carriers shall transfer the API data collected pursuant to paragraph 1 to the router, by electronic means. They shall do so in accordance with the detailed rules referred to in paragraph 9, where such rules have been adopted and are applicable.
7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the travellers have boarded the aircraft in preparation for departure and it is no longer possible for travellers to board or to leave the aircraft.
8. Without prejudice to the possibility for air carriers to retain and use the data where necessary for the normal course of their business in compliance with the applicable law, air carriers shall immediately either correct, complete or update, or permanently delete, the API data concerned in both of the following situations:
(a) where they become aware that the API data collected is inaccurate, incomplete or no longer up-to-date or was processed unlawfully, or that the data transferred does not constitute API data;
(b) where the transfer of the API data in accordance with paragraph 3 has been completed.
Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received the API data transmitted through the router.
9. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the transfers of API data to the router referred to in paragraph 6.
Article 5 - Transmission of API data from the router to the PIUs
For the purpose of such transmission, eu-LISA shall establish and keep up-to-date a table of correspondence between the different airports of origin and destination and the countries to which they belong.
However, for intra-EU flights, the router shall only transmit the API data to that PIU in respect of the flights included in the list referred to in paragraph 2.
The router shall transmit the API data in accordance with the detailed rules referred to in paragraph 3, where such rules have been adopted and are applicable.
2. Member States that decide to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2 of that Directive shall each establish a list of the intra-EU flights concerned and shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, provide eu-LISA with that list. Those Member States shall, in accordance with Article 2 of that Directive, regularly review and where necessary update those lists and shall immediately provide eu-LISA with any such updated lists. The information contained on those lists shall be treated confidentially.
3. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed technical and procedural rules for the transmissions of API data from the router referred to in paragraph 1.
CHAPTER 3 - LOGGING, PERSONAL DATA PROTECTION AND SECURITY
Article 6 - Keeping of logs
2. The logs referred to in paragraph 1 shall be used only for ensuring the security and integrity of the API data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation, including proceedings for penalties for infringements of those requirements in accordance with Articles 15 and 16.
3. Air carriers shall take appropriate measures to protect the logs that they created pursuant to paragraph 1 against unauthorised access and other security risks.
4. Air carriers shall keep the logs that they created pursuant to paragraph 1, for a time period of one year from the moment of the creation of those logs. They shall immediately and permanently delete those logs upon the expiry of that time period.
However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, air carriers may keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.
Article 7 - Personal data controllers
The air carriers shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under this Regulation.
Article 8 - Security
PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other and with eu-LISA to ensure such security.
Article 9 - Self-monitoring
CHAPTER 4 - MATTERS RELATING TO THE ROUTER
Article 10 - PIUs’ connections to the router
Member States shall ensure that the connection to that router and integration with it enables their PIUs to receive and further process the API data, as well as to exchange any communications relating thereto, in a lawful, secure, effective and swift manner.
2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1.
Article 11 - Air carriers’ connections to the router
Air carriers shall ensure that the connection to the router and the integration with it enables them to transfer the API data as well as to exchange any communications relating thereto, in a lawful, secure, effective and swift manner.
2. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1.
Article 12 - Member States’ costs
However, the following costs shall be excluded and be borne by the Member States:
(a) costs for project management, including costs for meetings, missions and offices;
(b) costs for the hosting of national information technology (IT) systems, including costs for space, implementation, electricity and cooling;
(c) costs for the operation of national IT systems, including operators and support contracts;
(d) costs for the design, development, implementation, operation and maintenance of national communication networks.
2. Member States shall also bear the costs arising from the administration, use and maintenance of their connections to and integration with the router.
Article 13 - Actions in case of technical impossibility to use the router
During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) shall not apply either to the API data in question during that time period.
2. Where it is technically impossible to use the router to transmit API data because of a failure of the systems or infrastructure referred to in Article 10 of a Member State, the PIU of that Member State shall immediately notify the air carriers, the other PIUs, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that Member State shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.
During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) shall not apply either to the API data in question during that time period.
3. Where it is technically impossible to use the router to transmit API data because of a failure of the systems or infrastructure referred to in Article 11 of an air carrier, that air carrier shall immediately notify the PIUs, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that air carrier shall immediately take measures to address the technical impossibility to use the router and shall immediately notify those parties when it has been successfully addressed.
During the time period between those notifications, Article 4(6) shall not apply, insofar as the technical impossibility prevents the transfer of API data to the router. Insofar as that is the case, Article 4(1) shall not apply either to the API data in question during that time period.
When the technical impossibility has been successfully addressed, the air carrier concerned shall, without delay, submit to the competent national supervisory authority referred to in Article 15 a report containing all necessary details on the technical impossibility, including the reasons for the technical impossibility, its extent and consequences as well as the measures taken to address it.
Article 14 - Liability regarding the router
CHAPTER 5 - SUPERVISION, PENALTIES AND HANDBOOK
Article 15 - National supervisory authority
2. Member States shall ensure that the national supervisory authorities have all necessary means and all necessary investigative and enforcement powers to carry out their tasks under this Regulation, including by imposing the penalties referred to in Article 16 where appropriate. They shall lay down detailed rules on the performance of those tasks and the exercise of those powers, ensuring that the performance and exercise is effective, proportionate and dissuasive and is subject to safeguards in compliance with the fundamental rights guaranteed under Union law.
3. Member States shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, notify the Commission of the name and the contact details of the authorities that they designated under paragraph 1 and of the detailed rules that they laid down pursuant to paragraph 2. They shall notify the Commission without delay of any subsequent changes or amendments thereto.
4. This Article is without prejudice to the powers of the supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680.
Article 16 - Penalties
Member States shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, notify the Commission of those rules and of those measures and shall notify it without delay of any subsequent amendment affecting them.
Article 17 - Practical handbook
The practical handbook shall take into account the relevant existing handbooks.
The Commission shall adopt the practical handbook in the form of a recommendation.
CHAPTER 6 - RELATIONSHIP TO OTHER EXISTING INSTRUMENTS
Article 18 - Amendments to Regulation (EU) 2019/818
“1. A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the SIS, Eurodac and ECRIS-TCN, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes. The CRRS shall also support the objectives of Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].”
* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”
“2. eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 74 of Regulation (EU) 2018/1862 and Article 32 of Regulation (EU) 2019/816 logically separated by EU information system. eu-LISA shall also collect the data and statistics from the router referred to in Article 13(1) of Regulation (EU) …/…* [this Regulation]. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 74 of Regulation (EU) 2018/1862, Article 32 of Regulation (EU) 2019/816 and Article 13(1) of Regulation (EU) …/…* [this Regulation].”
CHAPTER 7 - FINAL PROVISIONS
Article 19 - Exercise of delegation
2. The power to adopt delegated acts referred to in Article 4(5) and (9), Article 5(3), Article 10(2) and Article 11(2) shall be conferred on the Commission for a period of five years from [date of adoption of the Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
3. The delegation of power referred to in Article 4(5) and (9), Article 5(3), Article 10(2) and Article 11(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
Article 20 - Monitoring and evaluation
(a) the application of this Regulation;
(b) the extent to which this Regulation achieved its objectives;
(c) the impact of this Regulation on the fundamental rights protected under Union law;
(d) The Commission shall submit the evaluation report to the European Parliament, the Council, the European Data Protection Supervisor and the European Agency for Fundamental Rights. If appropriate, in light of the evaluation conducted, the Commission shall make a legislative proposal to the European Parliament and to the Council with a view to amending this Regulation.
2. The Member States and air carriers shall, upon request, provide the Commission with the information necessary to draft the report referred to in paragraph 1. However, Member States may refrain from providing such information if, and to the extent, necessary not to disclose confidential working methods or jeopardise ongoing investigations of their PIUs or other law enforcement authorities. The Commission shall ensure that any confidential information provided is appropriately protected.
Article 21 - Entry into force and application
It shall apply from two years from the date at which the router starts operations, specified by the Commission in accordance with Article 27 of Regulation (EU) [API border management].
However, Article 4(5) and (9), Article 5(3), Article 10(2), Article 11(2) and Article 19 shall apply from [Date of entry into force of this Regulation].
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.