Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Collection and transfer of advance passenger information for enhancing and facilitating external border controls

2022/0424(COD)

PURPOSE: to strengthen and facilitate the effectiveness and efficiency of checks at external borders and combat illegal immigration.

LEGISLATIVE ACT: Regulation (EU) 2025/12 of the European Parliament and of the Council on the collection and transfer of advance passenger information for enhancing and facilitating external border checks, amending Regulations (EU) 2018/1726 and (EU) 2019/817, and repealing Council Directive 2004/82/EC.

CONTENT: to enhance and facilitate the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this regulation lays down the rules on: (a) the collection by air carriers of advance passenger information; (b) the transfer by air carriers to the router of the API data; (c) the transmission from the router to the competent border authorities of the API data. The Regulation should also apply to air carriers conducting flights into the Union.

Collection of data

The regulation sets out which API data air carriers must collect and transfer. API data consists of a closed list of traveller information, such as name, date of birth, nationality, travel document type, travel document number, seating information and baggage information. In addition, air carriers will be required to collect certain flight information, such as flight identification number, airport code and time of departure and arrival.

Air carriers will transfer API data:

- per passenger at the moment of check-in, but not earlier than 48 hours prior to the scheduled flight departure time; and

- for all boarded passengers immediately after flight closure, namely once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for passengers to board or to leave the aircraft.

Automated data collection

Air carriers will collect API data using automated means that allow the collection of machine-readable data from the passenger's travel document. Where the use of automated means is not technically possible, carriers may collect API data manually, as an exception, either during online check-in or during airport check-in.

Manual data entry during online check-in will in any case remain possible for a transitional period of two years. Verification mechanisms will be put in place by air carriers to ensure the accuracy of the data.

Protection of fundamental rights

The competent border authorities will process the API data they receive in accordance with the regulation only for the purposes of strengthening and facilitating the effectiveness and efficiency of checks at the external borders and combating illegal immigration. Border checks must be carried out in a manner that fully respects human dignity and in full compliance with applicable Union law, including the Charter of Fundamental Rights of the European Union. The processing of any API data collected and transferred under the regulation must not result in any form of discrimination prohibited by the Charter.

Single router

A router, to be developed by eu-LISA, will receive the data collected by air carriers and will then transmit it to the relevant border management and law enforcement authorities. The router will check the data format and the data transfer. The measures to be taken in case of technical impossibility to use the router are specified.

Data protection responsibilities

Air carriers will be controllers for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under this regulation. Each Member State will designate a competent authority as data controller and communicate those authorities to the Commission, eu-LISA and the other Member States.

Air carriers will provide passengers, on flights covered by this regulation, with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise their rights as data subjects.

Governance

By the date of entry into force of the Regulation, the eu-LISA Management Board will establish a Programme Management Board, composed of ten members. The Programme Management Board will ensure the effective fulfilment of eu-LISA's tasks related to the design and development of the router. Technical issues related to the use and operation of the router will be discussed in the API-PNR Contact Group, in which eu-LISA representatives should also be present.

Sanctions

Member States will provide for effective, proportionate and dissuasive sanctions, both financial and non-financial, against air carriers that fail to comply with their obligations under the regulation, including the collection of API data by automated means and the transfer of data in accordance with the required deadlines, formats and protocols.

ENTRY INTO FORCE: 28.1.2025. The regulation applies from the date the router is put into service.