Explanatory Memorandum to COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls. |
|---|---|
| source | COM(2022)729  |
| date | 13-12-2022 |
1. CONTEXT OF THE PROPOSAL
• Reasons for and objectives of the proposal
The last decades have witnessed an increase of people travelling by air as well as efficiency-driven innovations which result in bigger airplanes and lead to a need for more efficient passenger flows at airports. In 2019, the International Civil Aviation Organisation (ICAO) reported 4.5 billion passengers globally carried by air transport on scheduled services, 1 with over half a billion passengers that enter or leave the EU every year, 2 putting a strain on external air borders.
The processing of Advance Passenger Information (API), as provided for in the current API Directive 3 as well as this proposal, is a border management tool contributing to the effectiveness and efficiency of border checks, by facilitating and speeding up traveller clearance, as well as an instrument to counter illegal immigration. API data is a set of identity information regarding the passengers contained in their travel documents combined with flight information collected at check-in and transferred to the border authorities of the country of destination. As these authorities receive API data in advance of a flight’s arrival, they can screen ahead, in accordance with the applicable legislation, travellers against risk-profiles, watchlists and databases, thus expediting border checks for persons travelling in good faith and spend more resources and time to identify travellers who need further investigation upon arrival.
The establishment of systems for the collection and transfer of API data is an international standard under the Convention on International Civil Aviation (Chicago Convention 4 ) since 2017. In the EU, it is regulated by the API Directive. That Directive imposes an obligation on air carriers to transfer API data, upon request, to the border authorities of the country of destination prior to the flight’s take-off. It does not impose though an obligation on Member States to request API data from air carriers, thus creating gaps and inconsistencies in the way data is collected and used, with a few Member States collecting API data systematically while others do not. 5 On average, for all Member States combined, it is estimated that API data is collected on 65% of inbound flights. 6 This creates a situation where it is easy for individuals who want to avoid checks and to bypass routes where API data is consistently collected and instead travel to their destination via flight routes where API data is less often or not at all used.
The recent API Directive evaluation demonstrated that even where Member States request API data, their national authorities do not always use API data in a consistent way. Indeed, API data allows border guards to perform pre-checks on the identity of passengers and the validity of the travel document used against the databases provided for in the Schengen Borders Code. 7 However, not all Member States use the API data for pre-checks against the databases set out in the Schengen Borders Code. 8 Indeed, Ireland, which is not taking part in the Schengen Borders Code, applies similar domestic legislation. That will not change as a consequence of the proposed Regulation.
The API Directive sets only limited criteria for the collection, transmission and processing of API data as regards the flight coverage for the collection of data, the data elements to be collected, or the means to capture the data – which do not take into account the evolutions in international standards and guidelines concerning API data collection. 9 This leads to very diverging practices, which hampers not only the effectiveness and efficiency of the border checks but also represents an additional burden on air carriers that need to comply with a different set of requirements depending on the routes on which they transport passengers and the Member State requesting API data. Aligning the collection and transmission of API data with these international API data standards would ensure compliance of the API requirements by the air industry. An effective use of API data requires the data to be accurate, complete and up-to-date. If identity data is not reliable and verified, which sometimes is not the case today, cross-checks in databases will not yield reliable operational results. As online check-in has become a common practice in the past 20 years, API data from a travel document is increasingly manually transcribed or “self-declared” by passengers. Incomplete, incorrect or outdated API data transferred to national authorities can lead to loopholes in the types of checks that border authorities can perform and ultimately impact travellers who can be subject to incorrect and unnecessary checks. The need to ensure that API data collected is of sufficient quality is closely linked to the means used by airlines to ensure that the relevant API data collected corresponds to information displayed on travel documents. The current API framework does not prescribe the means for collecting API data from travellers. As opposed to manually transcribed information, automated collection of the data would lead to less quality issues and a more effective and efficient use of API data, also contributing to the reduction of the time invested by competent border authorities in their interaction with carriers.
Therefore, the revision of the current legal framework on the collection and transfer of API data offers an opportunity to enhance external border management and the combating of illegal immigration. It does so by helping to ensure that every person travelling by air from a third country or a Member State not participating in the proposed Regulation to the Union (more specifically, to the States participating in the Schengen area without controls at internal borders (the ‘Schengen area’) as well as Ireland), meaning third-country nationals, stateless persons and EU citizens, can be pre-checked with API data prior to their arrival and that Member States apply uniform criteria as regards such collection and transfer for the purposes of the controls at the external borders and of combating illegal immigration. By facilitating passenger flows at airports and speeding up border checks, this proposal contributes to ensuring that systematic checks can be efficiently performed on every air passenger, in accordance with applicable legislation. 10
• Consistency with existing policy provisions in the policy area
This proposal addresses the need for common rules on the collection and transfer of API data for border management purposes and for combating illegal immigration, which is linked to the existence of the Schengen area and the establishment of common rules governing the movement of persons across the external borders. This proposal is consistent with obligations set out in the Schengen Borders Code on checks on persons at the external borders. The proposed Regulation comes within the wider landscape of the large-scale EU information systems that has developed substantially since the adoption of the API Directive in 2004. Additionally, the strategic guidelines adopted by the European Council in June 2014 foresee extensions of the procedures undertaken by the border guards at the external borders to increase effectiveness of checks ahead of the border control post and to limit adverse effects at the borders. These include: the Schengen Information System (SIS), the Visa Information System (VIS) and the Eurodac system. 11 In addition, three new systems are currently in development phase: the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN system). 12 All these current and future systems are linked through the interoperability framework for the EU information systems 13 for security, border and migration management, adopted in 2019, and which is currently being put in place. The revisions included in this proposal take account of the interoperability framework.
In particular, the proposed router, avoids duplicating technical components by sharing components of the ETIAS carrier gateway. The ETIAS carrier gateway provides carriers with the technical means to query the ETIAS status of visa exempt third country nationals travelling to the Member States. The proposed Regulation ensures that the different data processes are differentiated and kept strictly separate and that the access rights laid down in the different EU instruments are respected. Moreover, the proposed Regulation links the work of the existing eu-LISA EES-ETIAS Advisory Group with the future work on API, building efficiency and economies of scale by avoiding duplications of working groups.
As explained above, the border checks that the rules of the proposed Regulation are intended to facilitate and enhance are to be conducted under the Schengen Borders Code where applicable or under national law.
In addition, generally applicable acts of EU law will apply in accordance with the conditions set out therein. Where the processing of personal data is concerned, that holds true, in particular, for the General Data Protection Regulation (GDPR) 14 and the EU Data Protection Regulation 15 . Those acts are left unaffected by the present proposal.
The applicability of the abovementioned acts of EU law mean to the processing of the API data received under this Regulation mean that the Member States are implementing EU law within the meaning of Article 51 i of the Charter, meaning that the rules of the Charter apply as well. In particular, the rules of those acts of EU law are to be interpreted in the light of the Charter.
The ICAO guidelines 16 on Machine Readable Travel Documents are transposed in Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and Regulation 2252/2004 on standards for security features and biometrics in passports. These Regulations are the precursors to enable an automated extraction of complete and high-quality data from travel documents.
The proposed Regulation would continue to be part of to the Schengen acquis. The API data will continue to be received and further processed by the competent border authorities of the Member States, solely for the purposes of border management and combating illegal immigration for which the API data was collected under the proposed Regulation.
This proposal is closely linked to the proposal for a Regulation on the collection and transfer of API data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, insofar as both proposals contain similar provisions on the list of API data elements, the collection of API data by automated means and the transfer of the data to the router.
2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
For the present proposed Regulation on the collection and transfer of API data for border management purposes and for combating illegal immigration, in view of the aim and the measures provided for, the appropriate legal basis is Article 77(2)(b) and (d) and Article 79(2)(c) of the Treaty on the Functioning of the European Union (TFEU).
Under point (b) of paragraph 2 of Article 77 TFEU, the Union has the power to adopt measures relating to the checks to which persons crossing external borders are subject, and under point (d) the Union has the power to adopt any measure necessary for the gradual establishment of an integrated management for external borders. Under point (c) of paragraph 2 of Article 79 TFEU, the Union has the power to adopt measures relating to illegal immigration.
In this manner, consistency is ensured with the current API Directive, which is based on the same provisions.
• Subsidiarity
The TFEU explicitly empowering the Union to develop a common policy on the checks to which persons crossing external borders are subject, this is a clear objective to be pursued at EU level. At the same time, this is an area of shared competence between the EU and the Member States.
The need for common rules on the collection and transfer of API data for border management and combating illegal immigration is linked, in particular and without prejudice to Ireland’s specific position, to the creation of the Schengen area and the establishment of common rules governing the movement of persons across the external borders, in particular with the Schengen Borders Code. 17 In this context, the decisions of one Member State affect other Member States, therefore it is necessary to have common and clear rules and operational practices in this area. Efficient and effective external border controls require a coherent approach across the entire Schengen area, including on the possibility of pre-checks of travellers with API data.
The need for EU action on API data at this point in time also stems from recent legislative developments on Schengen external border management, notably:
–The 2019 Interoperability Regulation 18 will enable systematic checks of persons crossing the external borders against all available and relevant information in EU centralised information systems for security, border and migration management. Establishing a centralised transmission mechanism for API data at EU level is a logical continuation of this concept. Following the concepts included in the Interoperability Regulations, the centralised transmission of API data could in the future lead to using this data to query various databases (SIS, Europol data) via the European Search Portal.
–At the external borders, the use of API data would effectively complement the imminent implementation of the European Travel Information and Authorisation System (ETIAS) and of the Entry Exit System (EES). The use of API data would remain necessary for external border management as it informs border guards in advance whether a traveller has effectively boarded a plane and is about to enter the Schengen area, thus facilitating the border check that will take place once that traveller arrives at the external borders.
• Proportionality
According to the principle of proportionality laid down in Article 5 i TEU, there is a need to match the nature and intensity of a given measure to the identified problem. All problems addressed in this legislative initiative call, in one way or another, for EU-level legislative action enabling Member States to tackle these problems effectively without going beyond what is necessary to tackle those problems.
With this proposal, the legal framework for the collection and transfer of API data for the purposes of external border management and combating illegal immigration will be reinforced. It will strengthen the API data as an instrument enhancing the pre-checks of travellers at external borders, thus contributing not only to the effectiveness and efficiency of the checks themselves, but also to the aim of tackling illegal immigration, specifically in connection to cross-border air travel and the responsibilities of the air carriers in this regard. In alignment with international standards and recommended practices, this proposal will require air carriers to collect and transfer API data for all flights into the Union, as defined in the proposal. The obligations set out in this proposal are limited to what is necessary to achieve this objective. More specifically, this proposal establishes clear rules, among others, on what constitutes API data, on which flights air carriers should collect API data and the transfer thereof. By way of a Regulation, this proposal will establish a consistent approach to the use of API data for external border management and combating illegal immigration. Such standardisation of API requirements across Member States will contribute to increased legal certainty and foreseeability, and therefore also increased compliance by air carriers.
Proportionality is further ensured through several elements of the proposed Regulation, such as the limitation only to incoming flights, the targeting of the requirement to use automated means to only certain API data and safeguards as regards the manner and purpose of the processing of API data.
The proposed Regulation envisages the creation of a router that would serve as a single connecting point between Member States and air carriers, in line with international recommendations and it establishes an EU approach for the collection and transmission of API data. The transmission of API data through the router will reduce costs on the air industry and would ensure that border guards have access to fast and seamless access to API data they need to perform in the context of advanced border checks. This approach will drastically reduce the number of connections to establish and maintain from a Member States’ perspective. Conversely, this will reduce the complexity for air carriers to maintain connections with competent border authorities and introduce economies of scale. An EU Agency, namely eu-LISA, will be responsible for the design, development, hosting and technical management of the router. The transfer of the API data through the router will support the monitoring of flights and thus reduce the probability that a carrier did not comply with the obligation to communicate API data as prescribed in this proposal.
• Choice of the instrument
A Regulation is proposed. As assessed in the impact assessment accompanying this proposal and in view of the need for the proposed measures to be directly applicable and uniformly applied across Member States, a Regulation is the appropriate choice of legal instrument.
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
• Ex-post evaluations of existing legislation
The evaluation of the API Directive 19 found that the rationale for collecting API data and transferring it to the competent border authorities is still valid 15 years after the entry into force of the Directive. The current objectives of the Directive, notably improving border control management, which can in turn also help combating irregular migration, remain highly pertinent to the needs of the relevant stakeholders and the wider societies. In addition, collecting and transferring API data was also found relevant to facilitate legitimate travel.
The evaluation found that the lack of harmonisation in the implementation of the Directive is an obstacle to its effectiveness and coherence. As a result of the minimum requirements imposed by the Directive, the implementation of API systems, and also the actual usage of API data, show a fragmented picture. In addition, the option left to Member States in connection to the use of API data for law enforcement purposes, 20 without providing a clear definition of this purpose nor laying down a framework, led to a disjointed implementation at national level. The evaluation also found discrepancies with other EU instruments causing operational challenges in practice and uncertainty for affected parties, in particular data subjects. The personal data protection requirements contained in the API Directive are not fully in line with the most recent developments in the field. Furthermore, the API Directive is not fully coherent with the international regulatory framework on passenger information, especially as concerns data fields and transmission standards.
The evaluation highlighted a number of shortcomings related to the API Directive, i.e. the lack of (i) standardisation and harmonisation, (ii) certain data protection safeguards and (iii) clear alignment with the latest policy and legal developments at EU level. These elements affect the impact of the Directive, create burden on the stakeholders and generate a certain level of legal uncertainty, both for the air carriers collecting and transferring the API data, for the competent border authorities receiving and further processing them, and ultimately for the passengers.
The findings of the evaluation supported the preparation of the impact assessment and of this proposal.
• Stakeholder consultations
The preparation of this proposal involved a wide range of consultations of concerned stakeholders, including Member States’ authorities (competent border authorities, Passenger Information Units), transport industry representatives and individual air carriers. EU agencies – such as the European Border and Coast Guard Agency (Frontex), the EU Agency for Law Enforcement Cooperation (Europol), the EU Agency for the Operational Management of Large-Scale IT systems in the Area of Freedom, Security and Justice (eu-LISA) and the EU Agency for Fundamental Rights (FRA), also provided input in light of their mandate and expertise. This initiative also integrates the views and feedback received during the public consultation carried out end of 2019 within the framework of the evaluation of the API Directive. 21
Consultation activities in the context of the preparation of the impact assessment supporting this proposal gathered feedback from stakeholders using various methods. These activities included notably an inception impact assessment, an external supporting study and a series of technical workshops.
An inception impact assessment was published for feedback from 5 June 2020 to 14 August 2020, with a total of seven contributions received providing feedback on the extension of the scope of the future API Directive, data quality, sanctions, relation of API and PNR data, and protection of personal data. 22
The external supporting study was conducted based on desk research, interviews and surveys with subject matter experts which examined different possible measures for the processing of API data with clear rules that facilitate legitimate travel, are consistent with interoperability of EU information systems, EU personal data protection requirements, and other existing EU instruments and international standards.
The Commission services also organised a series of technical workshops with experts from Member States and Schengen Associated Countries. These workshops aimed at bringing together experts for an exchange of views on the possible options which were envisaged to strengthen the future API framework for the purposes of border management and combating illegal immigration, and also for fighting crime and terrorism.
The accompanying impact assessment sets out a more detailed description of the stakeholder consultation (Annex 2).
• Impact assessment
In line with the Better Regulation Guidelines, the Commission conducted an Impact Assessment, as presented in the accompanying Staff Working document. 23 The Regulatory Scrutiny Board reviewed the draft impact assessment at its meeting of 28 September 2022 and delivered its positive opinion on 30 September 2022.
In view of the problems identified in respect of the collection and transfer of API data, the Impact Assessment evaluated policy options on the scope of collection of API data for the abovementioned purposes, together with options on the means to improving the quality of API data. As regards the collection of API data for external border management and combating illegal immigration, the impact assessment considered the collection of API data on all extra-Schengen inbound flights on the one hand, and the collection of API data on all extra-Schengen inbound and outbound flights on the other hand. In addition, the Impact Assessment also considered options to improve the quality of API data – either to collect API data using automated and manual means, or to collect API data using automated means only.
As the full API data set is generated once the passengers are on board of a plane, the border guards would only receive the API data after the physical exit checks of the travellers and examination of their passports, and hence too late to support the work of the border guards, hence the option for the collection of API data on all relevant inbound and outbound flights was not selected as part of the preferred option.
Based on the findings of the Impact Assessment report, the preferred option for an API instrument for said purposes includes the collection of API data on all relevant inbound flights, with the collection by air carriers of certain API data by automated means only. A combination of these options would improve Member States’ capacity to use API data to effectively and efficiently pre-check air travellers ahead of their arrival at external borders. A standardisation of the requirements for the collection and transfer of API data would increase compliance of airline industry as it would be faced with the same requirements in all Member States. More reliable and verified API data, including the API data collected by automated means would allow for the identification of high-risk travellers and ensure a speedier facilitation of external border checks and clearance of passengers upon arrival. The proposal is consistent with the climate-neutrality objective set out in the European Climate Law 24 and the Union 2030 and 2040 targets.
The Impact Assessment also considered – and discarded – options such as the collection of API data from other means of transport, such as maritime, rail and bus transport operators. The Impact Assessment set out that there are already EU and international rules requiring maritime transport operators to transfer passenger information in advance to Member States’ border authorities on incoming and outgoing routes. An additional EU obligation on maritime transport operators to transfer API data would therefore be redundant. Compared to the air transport sector, the collection of passenger data is more challenging for land transport operators such as rail or bus (absence of check-in processes, no systematic issuance of nominative tickets) and would require heavy investments in the physical infrastructure of operators, with substantial consequences on their economic model and on passengers. The decision not to cover these aspects in the present proposed Regulation is without prejudice to practices of some Member States requesting passenger data on rail connections based on national law, provided they comply with EU law.
• Fundamental rights and protection of personal data
This initiative provides for the processing of personal data of travellers and therefore limits the exercise of the fundamental right to the protection of personal data as guaranteed by Article 8 of the Charter of Fundamental Rights of the EU (‘Charter’) and Article 16 of the TFEU. As underlined by the Court of Justice of the EU (CJEU), 25 the right to the protection of personal data is not an absolute right, but any limitation must be considered in relation to its function in society and comply with the criteria set out in Article 52 i of the Charter. 26 Personal data protection is also closely linked to respect for the right to privacy, as part of the right to private and family life protected by Article 7 of the Charter.
The obligation on air carriers to collect API data on all travellers crossing the external borders and subsequently transfer that API data, via the router, to the competent border authorities corresponds to the objective of helping to ensure that pre-checks at external borders are carried out effectively and efficiently on all travellers entering Member States, thus also contributing to the objective of combating illegal immigration. While no decisions will be taken by competent border authorities solely based on API data, this proposal will enable border authorities to organise their activities in advance and facilitate the entry of bona fide passengers and the detection of other passengers. The interference with the aforementioned fundamental rights is limited to what is strictly necessary to achieve the objectives mentioned, in particular by limiting the collection of identity data to information contained in the travellers’ travel document and by limiting the extent of the processing to the minimum necessary, including as regards the time period during which personal data is kept.
The mandatory use of automated means by air carriers to collect API data from travellers can lead to additional risks from the viewpoint of the protection of personal data. However, such have been limited and mitigated. Firstly, the requirement applies only in respect of certain API data, where automated means are to be used responsibly with regards to the machine-readable data on travellers’ documents. Secondly, the proposed Regulation contains requirements regarding the automated means to be used, which are to be elaborated further in a delegated act. Finally, several safeguards are provided for, such as logging, specific rules on the protection of personal data and effective supervision.
This proposal also includes additional and specific safeguards to ensure compliance with the Charter, including as regards the security of processing of personal data, deletion and purpose limitation and the travellers’ right of information.
Furthermore, whilst – apart from the provision ensuring compliance with the principle of purpose limitation – the proposed Regulation would not regulate the use that the competent border authorities make of the API data that they receive thereunder, since that is already covered by other legislation (Schengen Borders Code, personal data protection law, the Charter), in the interest of clarity it is recalled in the recitals that any such use may not lead to any discrimination precluded under Article 21 of the Charter.
4. BUDGETARY IMPLICATIONS
This legislative initiative on the collection and transfer of API data for facilitating external border controls would have an impact on the budget and staff needs of eu-LISA and Member States’ competent border authorities.
For eu-LISA, it is estimated that an additional budget of around EUR 45 million (33 million under current MFF) to set-up the router and EUR 9 million per year from 2029 onwards for the technical management thereof, and that around 27 additional posts would be needed for to ensure that eu-LISA has the necessary resources to perform the tasks attributed to it in this proposed Regulation and in the proposed Regulation for the collection and transfer of API data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
For Member States, it is estimated that EUR 27 million (EUR 8 million under the current Multiannual Financial Framework) dedicated to upgrading the necessary national systems and infrastructures for border management authorities, and progressively up to EUR 5 million per year from 2028 onwards for the maintenance thereof, could be entitled for reimbursement by Border Management and Visa Instrument fund 27 . Any such entitlement will ultimately have to be determined in accordance with the rules regulating those funds as well as the rules on costs contained in the proposed Regulation.
In view of the close connection between this proposed Regulation and the proposed Regulation for the collection and transfer of API data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, particularly as regards the transfer of API data to the router, the legislative financial statement, in annex of this proposed Regulation, is identical to both proposals.
5. OTHER ELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
The Commission would ensure that the necessary arrangements are in place to monitor the functioning of the measures proposed and evaluate them against the main policy objectives. Four years after the commencement of operations of the proposed Regulation, and every four years thereafter, the Commission would submit a report to the European Parliament and the Council assessing the implementation of the Regulation and its added value. The report would also report on any direct or indirect impact on relevant fundamental rights. It would examine results achieved against objectives and assess the continuing validity of the underlying rationale and any implications for future options.
The mandatory nature of the obligation to collect API data and the introduction of the router will allow for a clearer view on both the collection and transmission of API data by air carriers and the subsequent use of API data by Member States in accordance with applicable national and Union legislation. This will support the European Commission in its evaluation and enforcement tasks by providing the Commission with reliable statistics on the volume of data transmitted and on the flights for which API data would be requested.
• Variable geometry
This proposal builds upon and develops the Schengen acquis regarding external borders in that it concerns the crossing of external borders. Therefore, the following consequences in relation to Protocol (No 19) on the Schengen acquis integrated into the framework of the European Union annexed to the TEU and to the TFEU and Protocol (No 22) on the Position of Denmark annexed to the TEU and to the TFEU should be considered.
The proposal is covered by the measures of the Schengen acquis in which Ireland takes part in accordance with Article 6 i of Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis 28 . Specifically, the participation of Ireland in this proposal relates to the responsibilities of the Union for taking measures developing the provisions of the Schengen acquis against illegal immigration in which Ireland participates. Ireland participates, in particular, in view of the inclusion in Article 1 i of that Council Decision of a reference to Article 26 of the Convention implementing the Schengen Convention regarding air carriers’ responsibilities in respect of aliens who are refused entry and alien’s possession of the required travel documents. Ireland participates in the entire proposed Regulation.
In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the Treaty on European Union (TEU) and to the TFEU, Denmark will not take part in the adoption of this proposal and is not bound by it or subject to its application once adopted. Given that the proposed Regulation will build upon the Schengen acquis, Denmark is, in accordance with Article 4 of that Protocol, to decide within a period of six months after the Council has decided on this proposal whether it will implement it in its national law.
As regards Cyprus, Bulgaria and Romania and Croatia, the proposed Regulation will constitute an act building upon, or otherwise relating to, the Schengen acquis within, the meaning of, respectively, Article 3 i of the 2003 Act of Accession, Article 4 i of the 2005 Act of Accession and Article 4 i of the 2011 Act of Accession.
With regard to Iceland, Norway, Switzerland and Liechtenstein the proposed Regulation will constitute a development of provisions of the Schengen acquis within the meaning of their respective Association Agreements.
• Detailed explanation of the specific provisions of the proposal
Chapter 1 sets out the general provisions for this Regulation, starting with rules on its subject matter and scope. It also provides a list of definitions.
Chapter 2 sets out the provisions for the collection and transfer of API data, namely a clear set of rules for the collection of API data by air carriers, rules regarding the transfer of API data to the router, the processing of API data by competent border authorities, and the storage and deletion of API data by air carriers and those authorities.
Chapter 3 contains provisions for the transmission of API data through the router. More specifically, it includes provisions describing the main features of the router, rules on the use of the router, the procedure for the transmission of API data from the router to the competent border authorities, deletion of API data from the router, the keeping of logs, and the procedures in case of a partial or full technical impossibility to use the router.
Chapter 4 on contains a set of specific provisions on the protection of personal data. More specifically, it specifies who the data controllers and data processor are for the processing of API data constituting personal data pursuant to this Regulation. It also sets out measures required from eu-LISA to ensure the security of data processing, in line with the provisions of Regulation (EU) 2018/1725. It sets out measures required from air carriers and competent border authorities to ensure their self-monitoring of compliance with the relevant provisions set out in this Regulation and rules on audits.
Chapter 5 regulates certain specific issues relating to the router. It contains requirements on the connections to the router of competent border authorities and air carriers. It also sets out the tasks of eu-LISA relating to the design and development of, the hosting and technical management of, and other support tasks relating to, the router. The chapter additionally contains provisions concerning the costs incurred by eu-LISA and Member States under this Regulation, in particular as regards Member States’ connections to and integration with the router. It also sets out provisions regarding liability for damage cause to the router, the start of operations of the router and the possibility of voluntary use of the router by air carriers subject to certain conditions.
Chapter 6 contains provisions on supervision, possible penalties applicable to air carriers for non-compliance of their obligations set out in this Regulation, rules relating to statistical reporting by eu-LISA, and on the preparation of a practical handbook by the Commission.
Chapter 7 regulates the effects on other acts of EU law. More specifically, it contains the provisions concerning the repeal of Directive 2004/82/EC and the necessary amendments to other existing instruments, namely Regulation (EU) 2018/1726 29 and Regulation (EU) 2019/817. 30
Chapter 8 contains the final provisions of this Regulation, which concern the adoption of delegated and implementing acts, the monitoring and evaluation of this Regulation, and its entry into force and application.