Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

In “Promoting our European Way of Life”

PDF version

In December 2022. the Commission presented two legislative proposals aiming to revise the rules on the collection and transfer of advance passenger information (API). One of these proposals (COM (2022)731) aims to amend the API rules to improve the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Advance passenger information (API) is data collected by air carriers at check-in and sent to border control authorities in the country of destination. In the EU, Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data ('API Directive') regulates the collection and transmission of API data. The Directive imposes an obligation on air carriers to transmit, upon request, passenger data to the Member State of destination prior to the flight’s take-off, for flights in-bound from a third country to improve border controls and combat illegal immigration. It also enables Member States to use the API data for law enforcement purposes, including fighting organised crime and terrorism.

The main proposed changes are:

  • establish uniform rules on API data collection. The new rules include a closed list of API data elements, the means to collect API data and a single point for the transfer of the data
  • provide for the mandatory API data collection for law enforcement purposes for all flights to and from the EU, as well as on selected flights within the EU. API data for such purposes will be collected in full respect of EU personal data protection rules
  • enhance the quality of API data, as air carriers will have to collect API data by automated means only
  • develop a technical solution enabling air carriers to transmit API data to national authorities. The technical system will be managed by the eu-LISA and will not store API data.

The proposal falls under the ordinary legislative proposal where the European Parlaiment and the Council act as co-legislators. In the European Parliament, the proposal was assigned to the Committee on Civil Liberties, Justice and Home Affairs (LIBE). The report, prepared by the rapporteur Assita Kanko (ECR, Belgium), introduced amendments aiming to: ensure that API data can also be collected manually when needed; limit the selection of intra-EU flights covered by the regulation (excluding the flights for which neither the Member State from where the flight is scheduled to depart, nor the Member State where the flight is scheduled to land, have notified their decision to apply the PNR Directive to intra-EU flights); lay down a common methodology for carrying out the threat assessment for selecting flights; provide for the mandatory use of a single router for the transfer of API data and PNR data; limit the collection of API data by automated means to the alphanumerical data contained in the travel document; ensure the availability for passengers of offline alternatives for the check-in; and impose more stringent data security requirements. The LIBE report was adopted in November 2023.

The Council adopted a negotiating mandate on the proposal in June 2023. In February 2024, the Parliament and the Council reached a provisional agreement on the proposal. The agreed text provides for the use of the router for the transfer of PNR data and limits of the scope of the regulation to extra-EU flights and intra-EU flights that will depart from, arrive in or make a stop-over on the territory of at least one Member State that notified its decision to apply the PNR Directive to intra-flights. The text specifies the elements for the assessment needed for selecting intra-EU flights. This selection shall be limited to what is strictly necessary. The router shall include a secure channel to receive real-time flight traffic information for monitoring the transmission of API data. In line with Council’s position, the air carriers shall store API data for a time period of 48 hours from the moment of receipt by the router of the API data. The text also lays out a governance structure consisting of the Programme Management Board, the API-PNR Advisory Group, the API-PNR Contact Group, and the API Expert Group.

Following the Councils’ confirmation of the provisional agreements (13 March 2024) and LIBE Committee's approval of the provisional agreement (19 March), the agreed text has been tabled for a vote in the April II Plenary session.

References

Author: Costica Dumbrava, Members' Research Service, legislative-train@europarl.europa.eu

As of 20/03/2024.