Considerations on COM(2022)731 - Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

(1) The transnational dimension of serious and organised crime and the continuous threat of terrorist attacks on European soil call for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on air travellers, such as Passenger Name Records (PNR) and in particular Advance Passenger Information (API), is essential in order to identify high-risk travellers, including those who are not otherwise known to law enforcement authorities, to establish links between members of criminal groups, and to counter terrorist activities.

(2) While Council Directive 2004/82/EC 27 establishes a legal framework for the collection and transfer of API data by air carriers with the aims of improving border controls and combating illegal immigration, it also states that Member States may use API data for law enforcement purposes. However, only creating such a possibility leads to several gaps and shortcomings. In particular, it means that, despite its relevance for law enforcement purposes, API data is not in all cases collected and transferred by air carriers for those purposes. It also means that, where Member States acted upon the possibility, air carriers are faced with diverging requirements under national law as regards when and how to collect and transfer API data for this purpose. Those divergences lead not only to unnecessary costs and complications for the air carriers, but they are also prejudicial to the Union’s internal security and effective cooperation between the competent law enforcement authorities of the Member States. Moreover, in view of the different nature of the purposes of facilitating border controls and law enforcement, it is appropriate to establish a distinct legal framework for the collection and transfer of API data for each of those purposes.

(3) Directive (EU) 2016/681 of the European Parliament and of the Council 28 lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under that Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not guarantee the collection and transfer of API data in all cases, as air carriers do not have any business purpose to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent law enforcement authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crime. In particular, such joint processing allows for the accurate identification of those passengers that may need to be further examined, in accordance with the applicable law, by those authorities. In addition, that Directive does not specify in detail which information constitutes API data. For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data, which requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flight. 

(4) It is therefore necessary to establish at Union level clear, harmonised and effective rules on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.

(5) Considering the close relationship between both acts, this Regulation should be understood as complementing the rules provided for in Directive (EU) 2016/681. Therefore, API data is to be collected and transferred in accordance with the specific requirements of this Regulation, including as regards the situations and the manner in which that is to be done. However, the rules of that Directive apply in respect of matters not specifically covered by this Regulation, especially the rules on the subsequent processing of the API data received by the PIUs, exchange of information between Member States, conditions of access by the European Union Agency for Law Enforcement Cooperation (Europol), transfers to third countries, retention and depersonalisation, as well as the protection of personal data. Insofar as those rules apply, the rules of that Directive on penalties and the national supervisory authorities apply as well. This Regulation should leave those rules unaffected.

(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of personal data. In order to fully respect fundamental rights, in particular the right to respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.

(7) In view of the complementary nature of this Regulation in relation to Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under Directive (EU) 2016/681, namely flights, including both scheduled and non-scheduled flights, both between Member States and third countries (extra-EU flights), and between several Member States (intra-EU flights) insofar as those flights have been selected in accordance with Directive (EU) 2016/681, irrespective of the place of establishment of the air carriers conducting those flights.

(8) Accordingly, given that Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either. This Regulation should not be understood as affecting the possibility for Member States to provide, under their national law and in compliance with Union law, for obligations on air carriers to collect and transfer API data on such domestic flights.

(9) In view of the close relationship between the acts of Union law concerned and in the interest of consistency and coherence, the definitions set out in this Regulation should as much as possible be aligned with, and be interpreted and applied in the light of, the definitions set out in Directive (EU) 2016/681 and Regulation (EU) [API border management] 29 .

(10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be those listed clearly and exhaustively in Regulation (EU) [API border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned only where applicable, that is, not when the API data relate to intra-EU flights.

(11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. That concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data.

(12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner.

(13) For extra-EU flights, the PIU of the Member State on the territory of which the flight will land or from the territory of which the flight will depart should receive the API data from the router for all those flights, given that PNR data is collected for all those flights in accordance with Directive (EU) 2016/681. The router should identify the flight and the corresponding PIUs using the information contained in the PNR record locator, a data element common to both the API and PNR data sets allowing for the joint processing of API data and PNR data by the PIUs.

(14) As regards intra-EU flights, in line with the case law of the Court of Justice of the European Union (CJEU), in order to avoid unduly interfering with the relevant fundamental rights protected under the Charter and to ensure compliance with the requirements of Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of Directive (EU) 2016/681. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to the regular review of that selection.

(15) In order to enable the application of that selective approach under this Regulation in respect of intra-EU flights, the Member States should be required to draw up and submit to eu-LISA the lists of the flights they selected, so that eu-LISA can ensure that only for those flights API data is transmitted from the router to the relevant PIUs and that the API data on other intra-EU flights is immediately and permanently deleted.  

(16) In order not to endanger the effectiveness of the system that relies on the collection and transfer of API data set up by this Regulation, and of PNR data under the system set up by Directive (EU) 2016/681, for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, in particular by creating the risk of circumvention, information on which intra-EU flights the Member States selected should be treated in a confidential manner. For that reason, such information should not be shared with the air carriers and they should therefore be required to collect API data on all flights covered by this Regulation, including all intra-EU flights, and then transfer it to the router, where the necessary selection should be enacted. Moreover, by collecting API data on all intra-EU flights, passengers are not made aware on which selected intra-EU flights API data, and hence also PNR data, is transmitted to PIUs in accordance with Member States’ assessment. That approach also ensures that any changes relating to that selection can be implemented swiftly and effectively, without imposing any undue economic and operational burdens on the air carriers.

(17) In the interest of ensuring compliance with the fundamental right to protection of personal data and in line with Regulation (EU) [API border management], this Regulation should identify the controllers. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council 30 , Directive (EU) 2016/680 of the European Parliament and the Council 31 and Regulation (EU) 2018/1725 of the European Parliament and the Council 32 . Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation.

(18) The router to be created and operated under Regulation (EU) [API border management] should reduce and simplify the technical connections needed to transfer API data, limiting them to a single connection per air carrier and per PIU. Therefore, this Regulation provides for the obligation for the PIUs and air carriers to each establish such a connection to, and achieve the required integration with, the router, so as to ensure that the system for transferring API data established by this Regulation can function properly.

(19) In view of the Union interests at stake, appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation, should be borne by the Union budget, in accordance with the applicable legislation and subject to certain exceptions. The costs covered by those exceptions should be borne by each Member State concerned itself.

(20) In accordance with Regulation (EU) 2018/1726, Member States may entrust eu-LISA with the task of facilitating connectivity with air carriers in order to assist Member States in the implementation of Directive (EU) 2016/681, particularly by collecting and transferring PNR data via the router.

(21) It cannot be excluded that, due to exceptional circumstances and despite all reasonable measures having been taken in accordance with this Regulation and, as regards the router, Regulation (EU) [API border management], the router or the systems or infrastructure connecting the PIUs and the air carriers thereto fail to function properly, thus leading to a technical impossibility to use the router to transmit API data. Given the unavailability of the router and that it will generally not be reasonably possible for air carriers to transfer the API data affected by the failure in a lawful, secure, effective and swift manner through alternative means, the obligation for air carriers to transfer that API data to the router should cease to apply for as long as the technical impossibility persists. In order to minimise the duration and negative consequences thereof, the parties concerned should in such a case immediately inform each other and immediately take all necessary measures to address the technical impossibility. This arrangement should be without prejudice to the obligations under this Regulation of all parties concerned to ensure that the router and their respective systems and infrastructure function properly, as well as the fact that air carriers are subject to penalties when they fail to meet those obligations, including when they seek to rely on this arrangement where such reliance is not justified. In order to deter such abuse and to facilitate supervision and, where necessary, the imposition of penalties, air carriers that rely on this arrangement on account of the failure of their own system and infrastructure should report thereon to the competent supervisory authority.

(22) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities charged with the supervision of those rules. The rules of this Regulation on such supervision, including as regards the imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680 unaffected, including in relation to the processing of personal data under this Regulation.

(23) Effective, proportionate and dissuasive penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the collection and transfer of API data under this Regulation.

(24) In order to adopt measures relating to the technical requirements and operational rules for the automated means for the collection of machine-readable API data, to the common protocols and formats to be used for the transfer of API data by air carriers, to the technical and procedural rules for the transmission of API data from the router to the PIUs and to the PIUs’ and air carriers’ connections to and integration with the router, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of Articles 4, 5, 10 and 11, respectively. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016 33 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(25) All interested parties, and in particular the air carriers and the PIUs, should be afforded sufficient time to make the necessary preparations to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can only be finalised when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date at which the router starts operations, as specified by the Commission in accordance with Regulation (EU) [API border management]. However, it should be possible for the Commission to adopt delegated acts under this Regulation already from an earlier date, so as to ensure that the system set up by this Regulation is operational as soon as possible.

(26) The objectives of this Regulation, namely contributing to the prevention, detection, investigation and prosecution of terrorist offences and serious crime, in view of the transnational dimension of the offences concerned and the need to cooperate on a cross-border basis to effectively address them, cannot be sufficiently achieved by the Member States individually, but can rather be better achieved at Union level. The Union may therefore adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on the European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(27) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(28) [In accordance with Article 3 of the Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Ireland has notified its wish to take part in the adoption and application of this Regulation.] OR [In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.]

(29) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on [XX]. 34