Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
The European Parliament adopted by 438 votes to 35 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818.
The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
Subject matter
For the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, this Regulation lays down the rules on: (a) the collection by air carriers of advance passenger information data on extra-EU flights and intra-EU flights; (b) the transfer by air carriers to the router of the API data and other PNR data; (c) the transmission from the router to the Passenger Information Units (PIUs) of the API data and other PNR data on extra-EU flights and selected intra-EU flights.
This Regulation applies to air carriers conducting: (a) extra-EU flights; (b) intra-EU flights that will depart from, arrive in or make a stop-over on the territory of at least one Member State that notified its decision to apply Directive (EU) 2016/681 to intra-EU flights.
Collection and transfer of API data
Air carriers should collect API data of each passenger and crew member on flights to the EU to be transferred to the router. The API data should consist only of the following data relating to each passenger and crew member on the flight: the surname, the date of birth, sex and nationality; the type and number of the travel document and the three-letter code of the issuing country of the travel document; the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator); seating and baggage information.
In addition, air carriers should collect certain flight information, such as the flight identification number, airport code, departure and arrival times and the air carrier's contact details.
Air carriers should collect the API data in such a manner that the API data that they transfer is accurate, complete and up-to-date. Compliance with this obligation does not require air carriers to check the travel document at the moment of boarding the aircraft, without prejudice to acts of national law that are compatible with Union law.
Where air carriers provide an online check-in process, they should enable passengers to provide API data by automated means during this online check-in process.
During a transitional period, air carriers should give passengers the possibility to provide API data manually as part of the online check-in.
Air carriers should transfer the API data: (a) for passengers: (i) per passenger at the moment of check-in, but not earlier than 48 hours prior to the scheduled departure time, and (ii) for all boarded passengers immediately after flight closure, that is, once the travellers have boarded the aircraft in preparation for departure and it is no longer possible for travellers to board or to leave the aircraft; (b) for all members of the crew immediately after flight closure, that is, once the crew is on board the aircraft in preparation for departure and it is no longer possible for them to leave the aircraft.
The storage period for API data is set at 48 hours. Where air carriers discover that the data they are storing has been unlawfully processed, or that the data does not constitute API data, they should delete it immediately and permanently.
The processing of API data collected and transferred under the Regulation must not lead to any form of discrimination prohibited by the Charter of Fundamental Rights of the European Union. Particular attention must be paid to children, the elderly, people with disabilities and vulnerable persons.
The router
The European Union Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) should design, develop, host and technically manage a router to facilitate the transfer of encrypted API data by air carriers to the competent border authorities.
The router should verify, in an automated manner and on the basis of real-time air traffic data, whether the air carrier has transferred the API data. Each Member State should ensure that its Passenger Information Units, when receiving API and other PNR data, confirm to the router, immediately and in an automated manner, the receipt of such data.
Selection of intra-EU flights
Member States that decide to apply this Regulation to intra-EU flights should select such intra-EU flights. Member States may only apply Directive (EU) 2016/681 and consequently this Regulation to all intra-EU flights arriving at or departing from their territory in situations of a genuine and present or foreseeable terrorist threat, on the basis of a decision that is based on a threat assessment, limited in time to what is strictly necessary and open to effective review either by a court or by an independent administrative body whose decision is binding. In addition, selection must be based on an objective, duly reasoned and non-discriminatory assessment.
Data protection
The air carriers should be controllers, within the meaning of the GDPR, for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router.
Air carriers should provide passengers, on flights covered by this Regulation, with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights.
Governance
No later than the date of entry into force of the Regulation, the Management Board of eu-LISA should establish a Programme Management Board consisting of ten members. Technical matters related to the usage and functioning of the router should be discussed in the API-PNR Contact Group, where eu-LISA representatives should also be present.
Sanctions
Member States should ensure that a recurrent failure to transfer API data is subject to proportionate financial penalties of up to 2% of the air carrier's global turnover for the previous financial year. Failure to comply with the other obligations set out in the Regulation should be subject to proportionate penalties, including financial penalties.