Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Collection and transfer of advance passenger information for enhancing and facilitating external border controls

2022/0424(COD)

The European Parliament adopted by 492 votes to 33, with 10 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC.

The European Parliament’s position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:

Subject matter

To enhance and facilitate the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this Regulation lays down the rules on: (a) the collection by air carriers of advance passenger information; (b) the transfer by air carriers to the router of the API data; (c) the transmission from the router to the competent border authorities of the API data. The Regulation should also apply to air carriers conducting flights into the Union.

Collection and transfer of API data

Air carriers should collect API data of each passenger on flights to the EU to be transferred to the router. The API data should consist only of the following data relating to each passenger on the flight: the surname, the date of birth, sex and nationality; the type and number of the travel document and the three-letter code of the issuing country of the travel document; the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator); seating and baggage information.

In addition, air carriers should collect certain flight information, such as the flight identification number, airport code, departure and arrival times and the air carrier's contact details.

Where air carriers provide an online check-in process, they should enable passengers to provide API data by automated means during this online check-in process. For passengers that do not check-in online, air carriers should enable those passengers to provide those API data by automated means during check-in at the airport with the assistance of a self-service kiosk or of airline staff at the counter.

During a transitional period, air carriers should provide the possibility to passengers to provide API data manually as part of the online check-in. Air carriers should transfer the API data: (a) per passenger at the moment of check-in, but not earlier than 48 hours prior to the scheduled departure time, and: (b) for all boarded passengers immediately after flight closure.

Any processing of API data and, in particular, of API data constituting personal data must remain strictly limited to what is necessary and proportionate to achieve the objectives pursued by the Regulation. Furthermore, the processing of API data collected and transferred under the Regulation must not lead to any form of discrimination prohibited by the Charter of Fundamental Rights of the European Union. Particular attention must be paid to children, the elderly, people with disabilities and vulnerable persons.

Where an air carrier becomes aware that the data that it stores under this Regulation was processed unlawfully, or that the data does not constitute API data, it should immediately and permanently delete, that data.

The router

The European Union Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) should design, develop, host and technically manage a router to facilitate the transfer of encrypted API data by air carriers to the competent border authorities.

The router should verify, in an automated manner and on the basis of real-time air traffic data, whether the air carrier has transferred the API data. Where the router has verified that the data has not been transferred by the air carrier, it should immediately and in an automated manner inform the air carrier concerned and the competent border authorities of the Member States to which the data was to be transferred. In this case, the air carrier should transfer the API data immediately.

Data protection

The air carriers should be controllers, within the meaning of the GDPR, for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under this Regulation. Each Member State should designate a competent authority as data controller and communicate those authorities to the Commission, eu-LISA and the other Member States.

Air carriers should provide passengers, on flights covered by this Regulation, with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights.

Governance

No later than the date of entry into force of the Regulation, the Management Board of eu-LISA should establish a Programme Management Board consisting of ten members. The Programme Management Board should ensure the proper execution of eu-LISA's tasks relating to the design and development of the router. At the request of the Programme Management Board, eu-LISA should provide detailed and up-to-date information on the design and development of the router, including the resources allocated by eu-LISA.

Technical matters related to the usage and functioning of the router should be discussed in the API-PNR Contact Group where eu-LISA representatives should be also present.

Sanctions

Member States should ensure that a recurrent failure to transfer API data is subject to proportionate financial penalties of up to 2% of the air carrier's global turnover for the previous financial year. Failure to comply with the other obligations set out in the Regulation should be subject to proportionate penalties, including financial penalties.