Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Assita KANKO (ECR, BE) on the proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
API data to be collected by air carriers
The amended text stated that air carriers should collect API data of passengers, consisting of the passenger data and the flight information, respectively, on the flights for the purpose of transferring that API data to the router.
API data should include only the following passenger data for each passenger on the flight: (a) surname, given name(s); (b) date of birth, sex and nationality; (c) type and number of travel document and the three-letter code of the country that issued it; (d) expiry date of the validity of the travel document; (e) the Passenger Name Record number used by an air carrier to locate a passenger in its information system (PNR record locator); (f) the aircraft seat number allocated to a passenger; (g) the number and weight of checked baggage.
API data should include only the following flight information: the flight identification number(s); where applicable, the border crossing point of entry into the territory of the Member State; the airport code of entry into the territory of the Member State; the initial point of embarkation; the local date and estimated time of departure and arrival.
Collection of API data
Air carriers should collect the API data, using automated means to collect the machine-readable data of the travel document of the passenger concerned.
Where the use of automated means is not possible, air carriers should collect that data manually, either as part of the online check-in or as part of the check-in at the airport.
The collection of API data by automated means should be strictly limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it.
Storage and deletion of API data
Members suggested that air carriers should store, for a time period of 24 hours from the moment of departure of the flight, the API data relating to that passenger that they collected. They should immediately and permanently delete that API data after the expiry of that time period.
Air carriers or competent border authorities should immediately and permanently delete API data where they become aware that the API data collected was processed unlawfully or that the data transferred does not constitute API data.
Fundamental rights
The processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary and proportionate to achieve the objectives pursued by the Regulation. Furthermore, the processing of API data collected and transferred under the Regulation should not lead to any form of discrimination excluded by the Charter of Fundamental Rights of the European Union.
The Router
The report stated that in order to avoid that air carriers have to establish and maintain multiple connections with Passenger Information Units (PIUs) for the transfer of API data and PNR data, and to avoid the related inefficiencies and security risks, provision should be made for a single router, created and operated at the Union level, that should serve as a connection, filter and distribution point for those transfers.
In this regard, eu-LISA should design, develop, host and technically manage, a router for the purpose of facilitating the transfer of encrypted API and PNR data by the air carriers to the PIUs.
Methodology and criteria for the selection of intra-EU flights
Member States that decide to apply Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’) and consequently this Regulation to intra-EU flights should for the selection of those flights:
- carry out an objective, duly reasoned and non-discriminatory threat assessment;
- take into account only criteria which are relevant for the prevention, detection, investigation and prosecution of terrorist offences and serious crime having an objective link.
In situations of a genuine and present or foreseeable terrorist threat, Member States may apply Directive (EU) 2016/681 to all intra-EU flights arriving at or departing from its territory, in a decision that is limited in time to what is strictly necessary and that is open to effective review.
Logs
Members suggested that u-LISA should keep logs of all processing operations relating to the transfer of API data through the router under this Regulation.
Actions in the case of technical impossibility to use the router
eu-LISA should immediately notify air carriers and Passenger Information Units in an automated manner of the technical impossibility of using the router and take steps to remedy this technical impossibility.
Information to passengers
Air carriers should provide passengers with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to passengers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the personal data at the moment of check-in.
Penalties
Member States should ensure that a systematic or persistent failure to comply with obligations set out in this Regulation is subject to financial penalties of up to 2% of an air carrier's global turnover of the preceding business year.