Considerations on COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls. |
|---|---|
| document | COM(2022)729  |
| date | December 13, 2022 |
(2) The use of traveller data and flight information transferred ahead of the arrival of travellers, known as advance passenger information (‘API’) data, contributes to speeding up the process of carrying out the required checks during the border-crossing process. For the purposes of this Regulation that process concerns, more specifically, the crossing of borders between a third country or a Member State not participating in this Regulation, on the one hand, and a Member State participating in this Regulation, on the other hand. Such use strengthens checks at those external borders by providing sufficient time to enable detailed and comprehensive checks to be carried out on all travellers, without having a disproportionate negative effect on persons travelling in good faith. Therefore, in the interest of the effectiveness and efficiency of checks at external borders, an appropriate legal framework should be provided for to ensure that Member States’ competent border authorities at such external border crossing points have access to API data prior to the arrival of travellers.
(3) The existing legal framework on API data, which consists of Council Directive 2004/82/EC 33 and national law transposing that Directive, has proven important in improving border controls, notably by setting up a framework for Member States to introduce provisions for laying down obligations on air carriers to transfer API data on passengers transported into their territory. However, divergences remain at national level. In particular, API data is not systematically requested from air carriers and air carriers are faced with different requirements regarding the type of information to be collected and the conditions under which the API data needs to be transferred to competent border authorities. Those divergences lead not only to unnecessary costs and complications for the air carriers, but they are also prejudicial to ensuring effective and efficient pre-checks of persons arriving at external borders.
(4) The existing legal framework should therefore be updated and replaced to ensure that the rules regarding the collection and transfer of API data for the purpose of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and for combating illegal immigration are clear, harmonised and effective.
(5) In order to ensure a consistent approach at international level as much as possible and in view of the rules on the collection of API data applicable at that level, the updated legal framework established by this Regulation should take into account the relevant practices internationally agreed with the air industry and in the context of the World Customs Organisation, International Aviation Transport Association and International Civil Aviation Organisation Guidelines on Advance Passenger Information.
(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of personal data. In order to fully respect fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the API collected and transferred under this Regulation do not lead to any form of discrimination precluded by the Charter.
(7) In order to achieve its objectives, this Regulation should apply to all carriers conducting flights into the Union, as defined in this Regulation, covering both scheduled and non-scheduled flights, irrespective of the place of establishment of the air carriers conducting those flights.
(8) In the interest of effectiveness and legal certainty, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each traveller and information on the flight of that traveller. Such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned in all cases covered by this Regulation, but that information should be collected only where applicable under Regulation (EU) [API law enforcement], that is, not when the API data relate to intra-EU flights.
(9) In order to allow for flexibility and innovation, it should in principle be left to each air carrier to determine how it meets its obligations regarding the collection of API data set out in this Regulation. However, considering that suitable technological solutions exist that allow collecting certain API data automatically while guaranteeing that the API data concerned is accurate, complete and up-to-date, and having regard the advantages of the use of such technology in terms of effectiveness and efficiency, air carriers should be required to collect that API data using automated means, by reading information from the machine-readable data of the travel document.
(10) Automated means enable travellers to provide certain API data themselves during an online check-in process. Such means could, for example, include a secure app on a travellers’ smartphone, computer or webcam with the capability to read the machine-readable data of the travel document. Where the travellers did not check-in online, air carriers should in practice provide them with the possibility to provide the machine-readable API data concerned during check-in at the airport with the assistance of a self-service kiosk or of airline staff at the counter.
(11) The Commission should be empowered to adopt technical requirements and procedural rules that air carriers are to comply with in connection to the use of automated means for the collection of machine-readable API data under this Regulation, so as to increase clarity and legal certainty and contribute to ensuring data quality and the responsible use of the automated means.
(12) In view of the advantages offered by using automated means for the collection of machine-readable API data and the clarity resulting from the technical requirements in that regard to be adopted under this Regulation, it should be clarified that air carriers that decide to use automated means to collect the information that they are required to transmit under Directive 2004//82/EC have the possibility, but not the obligation, to apply those requirements, once adopted, in connection to such use of automated means, insofar as that Directive permits. Any such voluntary application of those specifications in application of Directive 2004/82/EC should not be understood as affecting in any way the obligations of the air carriers and the Member States under that Directive.
(13) In view of ensuring that the pre-checks carried out in advance by competent border authorities are effective and efficient, the API data transferred to those authorities should contain data of travellers that are effectively set to cross the external borders, that is, of travellers that are effectively on board of the aircraft. Therefore, the air carriers should transfer API data directly after flight closure. Moreover, API data helps the competent border authorities to distinguish legitimate travellers from travellers who may be of interest and therefore may require additional verifications, which would necessitate further coordination and preparation of follow-up measures to be taken upon arrival. That could occur, for example, in cases of unexpected number of travellers of interest whose physical checks at the borders could adversely affect the border checks and waiting times at the borders of other legitimate travellers. To provide the competent border authorities with an opportunity to prepare adequate and proportionate measures at the border, such as temporarily reinforcing or reaffecting staff, particularly for flights where the time between the flight closure and the arrival at the external borders is insufficient to allow the competent border authorities to prepare the most appropriate response, API data should also be transmitted prior to boarding, at the moment of check-in of each traveller.
(14) To provide clarity on the technical requirements that are applicable to air carriers and that are needed to ensure the API data that they collected under this Regulation are transferred to the router in a secure, effective and swift manner, the Commission should be empowered to lay down specifications on the common protocols and supported data formats to be used for those transfers.
(15) In order to avoid any risk of misuse and in line with the principle of purpose limitation, the competent border authorities should be expressly precluded from processing the API data that they receive under this Regulation for any other purpose than enhancing and facilitating the effectiveness and efficiency of border checks at external borders and combating illegal immigration.
(16) To ensure that competent border authorities have sufficient time to carry out pre-checks effectively on all travellers, including travellers on long-haul flights and those travelling on connecting flights, as well as sufficient time to ensure that the API data collected and transferred by the air carriers is complete, accurate and up-to-date, and where necessary to request additional clarifications, corrections or completions from the air carriers, the competent border authorities should store the API data that they received under this Regulation for a fixed time period that remains limited to what is strictly necessary for those purposes. Similarly, to be able to respond to such requests, air carriers should store the API data that they transferred under this Regulation for the same fixed and strictly necessary time period.
(17) In order to avoid that air carriers have to establish and maintain multiple connections with the competent border authorities of the Member States’ for the transfer of API data collected under this Regulation and the related inefficiencies and security risks, provision should be made for a single router, created and operated at Union level, that serves as a connection and distribution point for those transfers. In the interest of efficiency and cost effectiveness, the router should, to the extent technically possible and in full respect of the rules of this Regulation and Regulation (EU) [API law enforcement], rely on technical components from other relevant systems created under Union law.
(18) The router should transmit the API data, in an automated manner, to the relevant competent border authorities, which should be determined on the basis of the border crossing point of entry into the territory of the Member State included in the API data in question. In order to facilitate the distribution process, each Member State should indicate which border authorities are competent to receive the API data transmitted from the router. To ensure the proper functioning of this Regulation and in the interest of transparency, that information should be made public.
(19) The router should serve only to facilitate the transmission of API data from the air carriers to the competent border authorities in accordance with this Regulation and to PIUs in accordance with Regulation (EU) [API law enforcement], and should not be a repository of API data. Therefore, and in order to minimise any risk of unauthorised access or other misuse and in accordance with the principle of data minimisation, any storage of the API data on the router should remain limited to what is strictly necessary for technical purposes related to the transmission and the API data should be deleted from the router, immediately, permanently and in an automated manner, from the moment that the transmission has been completed or, where relevant under Regulation (EU) [API law enforcement], the API data is not to be transmitted at all.
(20) With a view to ensuring the proper functioning of the transmission of API data from router, the Commission should be empowered to lay down detailed technical and procedural rules on that transmission. Those rules should be such as to ensure that the transmission is secure, effective and swift and impacts passengers’ travel and air carriers no more than necessary.
(21) In order to allow air carriers to benefit as soon as possible from the advantages offered by the use of the router developed by eu-LISA in accordance with this Regulation and to gain experience in using it, air carriers should be provided with the possibility, but not the obligation, to use the router to transmit the information that they are required to transmit under Directive 2004//82/EC during an interim period. That interim period should commence at the moment at which the router starts operations and end when the obligations under that Directive cease to apply. With a view to ensuring that any such voluntary use of the router takes place in a responsible manner, the prior written agreement of the responsible authority that is to receive the information should be required, upon request of the air carrier and after that authority having conducted verifications and obtained assurances, as necessary. Similarly, in order to avoid a situation in which air carriers repeatedly start and stop using the router, once an air carrier starts such use on a voluntary basis, it should be required to continue it, unless there are objective reasons to discontinue the use for the transmission of the information to the responsible authority concerned, such as it having become apparent that the information is not transmitted in a lawful, secure, effective and swift manner. In the interest of the proper application of this possibility of voluntarily using the router, with due regard to the rights and interests of all affected parties, the necessary rules on consultations and the provision of information should be provided for. Any such voluntary use of the router in application of Directive 2004/82/EC as provided for in this Regulation should not be understood as affecting in any way the obligations of the air carriers and the Member States under that Directive.
(22) The router to be created and operated under this Regulation should reduce and simplify the technical connections needed to transfer API data, limiting them to a single connection per air carrier and per competent border authority. Therefore, this Regulation provides for the obligation for the competent border authorities and air carriers to each establish such a connection to, and achieve the required integration with, the router, so as to ensure that the system for transferring API data established by this Regulation can function properly. To give effect to those obligations and to ensure the proper functioning of the system set up by this Regulation, they should be supplemented by detailed rules.
(23) In view of the Union interests at stake, the costs incurred by eu-LISA for the performance of its tasks under this Regulation and Regulation (EU) [API law enforcement] in respect of the router should be borne by the Union budget. The same should go for appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation and in accordance with the applicable legislation, subject to certain exceptions. The costs covered by those exceptions should be borne by each Member State concerned itself.
(24) It cannot be excluded that, due to exceptional circumstances and despite all reasonable measures having been taken in accordance with this Regulation, the router or the systems or infrastructure connecting the competent border authorities and the air carriers thereto fail to function properly, thus leading to a technical impossibility to use the router to transmit API data. Given the unavailability of the router and that it will generally not be reasonably possible for air carriers to transfer the API data affected by the failure in a lawful, secure, effective and swift manner through alternative means, the obligation for air carriers to transfer that API data to the router should cease to apply for as long as the technical impossibility persist. In order to minimise the duration and negative consequences thereof, the parties concerned should in such a case immediately inform each other and immediately take all necessary measures to address the technical impossibility. Considering that API data relating to flights that already arrived is not useful for border checks, there is in such a case no justification for requring the air carriers to collect and store the API data. This arrangement should be without prejudice to the obligations under this Regulation of all parties concerned to ensure that the router and their respective systems and infrastructure function properly, as well as the fact that air carriers are subject to penalties when they fail to meet those obligations, including when they seek to rely on this arrangement where such reliance is not justified. In order to deter such abuse and to facilitate supervision and, where necessary, the imposition of penalties, air carriers that rely on this arrangement on account of the failure of their own system and infrastructure should report thereon to the competent supervisory authority.
(25) In the interest of ensuring compliance with the fundamental right to protection of personal data, this Regulation should identify the controller and processor and set out rules on audits. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council 34 and Regulation (EU) 2018/1725 of the European Parliament and the Council. 35 Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation.
(26) In particular, the purposes of the processing operations under this Regulation, namely the transmission of API data from air carriers via the router to the competent border authorities of the Member States, are to assist those authorities in the performance of their border management obligations and tasks related to combating illegal immigration. Therefore, the competent border authorities receiving the API data should be controllers for the transmission of API data constituting personal data via router and the storage of that data on the router insofar as such storage is needed for technical purposes, and for any of their processing subsequently using that data to enhance and facilitate border checks at external borders. The air carriers, in turn, should be separate controllers regarding the processing of API data constituting personal data that they are obliged to undertake under this Regulation. On this basis, both the air carriers and the competent border authorities should be separate data controllers with regard to their own respective processing of API data under this Regulation.
(27) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities charged with the supervision of those rules. The rules of this Regulation on such supervision, including as regards the imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 unaffected, including in relation to the processing of personal data under this Regulation.
(28) Effective, proportionate and dissuasive penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the collection and transfer of API data under this Regulation.
(29) As this Regulation provides for the establishment of new rules on the collection and transfer of API data by competent border authorities for the purpose of enhancing and facilitating the effectiveness and efficiency of border checks at external borders, Directive 2004/82/EC should be repealed.
(30) As the router should be designed, developed, hosted and technically managed by the eu-LISA, established by Regulation (EU) 2018/1726 of the European Parliament and of the Council 36 , it is necessary to amend that Regulation by adding that task to the tasks of eu-LISA. In order to store reports and statistics of the router on the Common Repository for Reporting and Statistics it is necessary to amend Regulation (EU) 2019/817 of the European Parliament and of the Council 37 .
(31) In order to adopt measures relating to the technical requirements and operational rules for the automated means for the collection of machine-readable API data, to the common protocols and formats to be used for the transfer of API data by air carriers, to the technical and procedural rules for the transmission of API data from the router to the competent border authorities and to the PIUs and to the PIU’s and air carriers’ connections to and integration with the router, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of Articles 5, 6, 11, 20 and 21 respectively. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016 38 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(32) In order to ensure uniform conditions for the implementation of this Regulation, namely as regards the start of operations of the router, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council 39 .
(33) All interested parties, and in particular the air carriers and the competent border authorities, should be afforded sufficient time to make the necessary preparations to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can only be finalised when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date at which the router starts operations, as specified by the Commission in accordance with this Regulation.
(34) However, the design and development phases of the router should be commenced and completed as soon as possible so that the router can start operations as soon as possible, which also requires the adoption of the relevant implementing and delegated acts provided for by this Regulation. The clarification provided by this Regulation regarding the application of specifications concerning the use of automated means in application of Directive 2004/82/EC should also be provided without delay. Therefore, the articles on those matters should apply from the date of the entry into force of this Regulation. In addition, in order to allow for the voluntary use of the router as soon as possible, the article on such use, as well as certain other articles needed to ensure that such use takes place in a responsible manner, should apply from the earliest possible moment, that is, from the moment at which the router starts operations.
(35) This Regulation should not affect the possibility for Member States to provide, under their national law, for a system of collecting API data from transportation providers other than those specified in this Regulation, provided that such national law complies with Union law.
(36) Since the objectives of this Regulation, namely enhancing and facilitating the effectiveness and efficiency of border checks at external borders and combating illegal immigration, relate to matters that are inherently of a cross-border nature, they cannot be sufficiently achieved by the Member States individually, but can rather be better achieved at Union level. The Union may therefore adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on the European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(37) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.
(38) Ireland is taking part in this Regulation, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and Article 6(2) of Council Decision 2002/192/EC. 40
(39) The participation of Ireland in this Regulation in accordance with Article 6(2) of Decision 2002/192/EC relates to the responsibilities of the Union for taking measures developing the provisions of the Schengen acquis against illegal immigration in which Ireland participates.
(40) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis 41 , which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC 42 .
(41) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis 43 , which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC 44 .
(42) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis 45 which fall within the area referred to in Article 1, point A, of Council Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU 46 .
(43) As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.
(44) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on [XX], 47