Collection and transfer of advance passenger information for enhancing and facilitating external border controls
The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Jan-Christoph OETJEN (Renew, DE) on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
API data to be collected by air carriers
The amended text stated that air carriers should collect API data of passengers, consisting of the passenger data and the flight information, respectively, on the flights for the purpose of transferring that API data to the router. Where the flight is code-shared between one or more air carriers, the obligation to transfer the API data should be on the air carrier that operates the flight.
Means of collecting API data
The collection of API data should not include an obligation for air carriers to check the travel document at the moment of boarding the aircraft or an obligation for passengers to carry a travel document when travelling, without prejudice to acts of national law that are compatible with Union law. The collection of API data by automated means should not lead to the collection of any biometric data from the travel document.
Where air carriers provide an online check-in process, they should enable passengers to provide the API data during the online check-in process, using automated means.
Air carriers should ensure that API data is encrypted during the transmission of the data from the passenger to the air carriers.
Obligations on air carriers regarding transfers of API data
At the moment of check-in, air carriers should transfer the API data in accordance with this Regulation and relevant international standards. Air carriers should receive an acknowledgement of receipt of the transfer of the API data.
Processing of API data received
The competent border authorities should be prohibited from processing API data for the purposes of profiling under any circumstances.
Storage and deletion of API data
Members suggested that air carriers should store, for a time period of 24 hours (as opposed to the 48 hours proposed by the Commission) from the moment of departure of the flight, the API data relating to that passenger that they collected. They should immediately and permanently delete that API data after the expiry of that time period.
Air carriers or competent border authorities should immediately and permanently delete API data where they become aware that the API data collected was processed unlawfully or that the data transferred does not constitute API data.
Fundamental Rights
The collection and processing of personal data by air carriers and competent authorities should not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.
The router
Members clarified the functioning of the router. It should allow for the reception and transmission of encrypted API data and automatically extract and make available the statistics to the central repository for reporting and statistics.
eu-LISA should design and develop the router in a way that any API data transferred from the air carriers to the router and any API data transmitted from the router to the competent border authorities and to the central repository for reporting and statistics are encrypted.
Information to passengers
Air carriers should provide passengers with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to passengers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the personal data at the moment of check-in.
Costs of eu-LISA, the European Data Protection Supervisor, the national supervisory authorities and of Member States
Member underlined that the financial appropriation to the functioning of the router will determine its success, therefore eu-LISA should be provided with the necessary resources. In addition, in view of the expected increase in tasks for the EDPS and national data protection authorities, the report includes provisions regarding the coverage of cost costs incurred by them as well.
Penalties
Member States should ensure that a systematic or persistent failure to comply with obligations set out in this Regulation is subject to financial penalties of up to 2% of an air carrier's global turnover of the preceding business year.
API Expert Group
The committee called for an API Expert Group to be set up to facilitate cooperation and the exchange of information on obligations stemming from and issues relating to this Regulation among Member States, EU institutions and stakeholders.
The Group should be composed of representatives of the European Commission, Member States’ relevant authorities, the European Parliament and eu-LISA.
Monitoring and evaluation
Members considered that this Regulation should be subject to regular evaluations to ensure the monitoring of its effective application. In particular, the collection of API data should not be to the detriment of the travel experience of legitimate passengers. The overall regulatory burden for the aviation sector should be kept under close review.
Moreover, the report should assess the extent to which the objectives of the Regulation have been met and to which extent it has impacted the competitiveness of the sector.