Advance Passenger Information: EU Commission proposes new rules

Today, the Commission is proposing new rules to strengthen the use of Advance Passenger Information (API) data. This proposal is one of the key actions identified in the EU Security Union Strategy. The EU continues its progress in strengthening its overall security architecture, which aims to enhance EU citizens’ protection, as shown also in the Fifth Security Union Progress Report. The report highlights three years of solid progress in implementing the Security Union Strategy. It shows that significant steps have been made in strengthening the protection of critical infrastructures from physical, cyber and hybrid attacks, in fighting terrorism and radicalisation, as well as in the fight against organised crime.

Information on travellers has helped to improve border controls, reduce irregular migration, and identify persons posing security risks. Every year, over a billion passengers enter, leave or travel within the EU. The new rules will improve the use of API data to perform checks on passengers prior to their arrival at the external borders. The new rules will also enhance the fight against serious crime and terrorism within the EU. This will close an important gap in the current legal framework, while upholding EU standards for data protection and transmission.

The Commission is also today reporting on three years of solid progress in implementing the Security Union Strategy and proposing a new Action Plan on Trafficking in Cultural Goods, which remains one of the most lucrative forms of business for organised crime groups.

The new rules on API will introduce:

Uniform rules on API data collection. The new rules include a closed list of API data elements, the means to collect API data, and a single point for the transfer of the data.
Mandatory API data collection for the purposes of border management and combating irregular immigration on all flights entering the Schengen area. This will facilitate the travel of people travelling to the Schengen area, with reduced times at disembarkation and at the physical border checks. Mandatory API data collection for law enforcement purposes for all flights to and from the EU, as well as on selected flights within the EU. API data for such purposes is collected in full respect of EU personal data protection rules.

Better quality API data, as air carriers will have to collect API data by automated means only.
Streamlined transmission of API data by air carriers to national authorities through a new router, which will be managed by an EU Agency, eu-LISA. This technical solution is compliant with personal data protection safeguards as it will only transmit and not store any API data.

Next steps

It is now for the European Parliament and the Council to examine the proposal. Once adopted, the rules will be directly applicable across the EU. These proposals complete other EU systems and initiatives in the area of border management and security, and that are being rolled out in the course of 2023 (such as the Entry Exit System and the European Travel Information Authorisation System). The new rules on the collection and transfer of API data are expected to be applied in full as of 2028. Once the router is developed, which is expected to be the case by 2026, public authorities and air carriers will have two years to adjust to the new requirements and test the router, before it becomes mandatory.

Background

The processing of API data provides an effective tool for advance checks of air travellers, allowing to expedite procedures upon arrival and allocating more resources and time to identify travellers who need further attention.

In the EU, the API Directive imposes obligations on air carriers to transmit, upon request, API data to the EU Member State of destination prior to the flight’s take-off. This concerns inbound flights from a third country and aims to improve border control and fight irregular migration. The revision of the Directive was announced in the Commission Work Programme 2022 and the June 2021 Schengen Communication. The two new Regulations will replace the 2004 Advance Passenger Information Directive.

Results of the 2020 evaluation of the API Directive showed that the current rules on the collection of API data in the EU are no longer fit for purpose. Today’s proposals address the need to harmonise and clarify the way API data is collected throughout the EU. It also highlights the usefulness to combine API and PNR data in order to strengthen the reliability and effectiveness of PNR data as a law enforcement tool.

In addition to API data that is collected by air carriers at the moment of check-in and boarding of the plane, air carriers also collect passenger name records (PNR) data at the moment of reservation or booking of a flight ticket. These are a separate set of information, collected by airlines in the normal course of their business. The transmission of PNR data to national authorities and the subsequent use of this data is regulated in the EU by a separate legal framework, the PNR Directive adopted in 2016.

More Information

Q&A: Revised rules on Advance Passenger Information
Factsheet
Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for facilitating external border controls
Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Webpage on Advanced Passenger Information
Action Plan on Trafficking in Cultural Goods
5th Security Union Progress Report
EU Security Union Strategy

Quote(s)

From improving cybersecurity, to tackling radicalisation to fighting organised crime, three years into the mandate, the European Union continues to deliver on building an effective and genuine Security Union. Today we are presenting new rules on advance passenger data that will further strengthen external border management and help national law enforcement authorities prevent, detect, investigate and prosecute terrorist offences and serious crime. We are also presenting a new Action Plan on trafficking in cultural goods to crack down on this lucrative crime and protect cultural heritage.

Margaritis Schinas, Vice-President for Promoting our European Way of Life – 13/12/2022

—

Today we are making a further step to making our borders smarter, and fighting criminals. Through the new API system border guards will know who is on the plane coming into the European Union and police officers will be able to close the gap between the purchase of the ticket and the actual flight, preventing criminals from exploiting grey areas. A new transparent system, grounded on protecting the Union and the personal data of our citizens

Ylva Johansson, Commissioner for Home Affairs, said: – 13/12/2022

What is Advance Passenger Information (API)?

API data is biographic information on passengers, as contained in travel documents, collected by air carriers during check-in and complemented with travel route information. API data usually contains information which allows to confirm of the identity of passengers.

How is API data collected?

API data is collected by air carriers at the moment of check-in (online or at the airport). This data is stored in the air carriers systems and generally sent to competent border authorities as a complete ‘passenger list manifest’ containing all passengers on board at departure of the plane.

How will API data be transferred to national authorities?

API data will be transmitted by air carriers to a router. This device will receive and immediately transmit the information to the relevant competent national authorities (border authorities and passenger information units) of Member States. This will replace the current system comprised of multiple connections between air carriers and national authorities, improving the data flow and facilitating the transfer of information.

Why is the Commission proposing a revision of the EU rules on advance passenger information?

Every year, over a billion passengers enter or leave, or travel within the EU. This puts a strain on the external air borders of the EU as all travellers, meaning non-EU nationals, and EU citizens crossing the external borders, should be effectively and systematically checked against the relevant databases. To ensure that checks can be performed efficiently on every air passenger, there is a need to speed up border controls at airports and ensure the facilitation of passenger flows while at the same time maintaining a high level of security.

The recent evaluation assessing the implementation of the API Directive showed that the lack of legal precision resulted in a multitude of national interpretations, creating gaps in the collection and use of API data and therefore undermining the overall effectiveness of the Directive.

The evaluation also indicated that the use of API data for law enforcement fulfils a distinct purpose, with specific operational needs, therefore requiring a dedicated legal instrument. Effective rules will step up the fight against serious crime and terrorism.

Which type of flights will be covered by the new rules?

The new rules will cover all flights within, into and from the EU.

What are the key elements of the proposal to revise the Advance Passenger Information Directive?

The proposal provides an updated framework of rules that will improve the flow of Advance Passenger Information.

The revision aims to:

harmonise the requirements for the collection of API data, by setting a clear and mandatory list of API data elements to be collected by air carriers from travellers;
cover all air travellers on all flights (including those travelling on business aviation and charter flights);
improve the accuracy and completeness of data collected, as air carriers will have to collect data by automated means only. This will increase the efficiency and reliability of the analysis of the data by national authorities;
establish a central router, that will act as the single point of reception and onward distribution of data, replacing the current system comprised of multiple connections between air carriers and national authorities.

What will be the benefits for air carriers?

The new rules will allow air carriers to transfer API data on passengers only to one single point of reception, namely the router that will distribute the data to national authorities. The router will ensure that each relevant authority in Member States receives the data.

The proposal will clarify the API data elements to be collected and transferred, also on which flights and on which travellers, so that carriers will no longer face different requirements from each Member State. The proposal also provides clarity on the two specific moments to transfer API data, as opposed to the current API Directive which provides that API data needs to be transmitted “by the end of the check-in”, which is used by some Member States to request API transmission several times (up to four transmissions per flight).

What will be the obligations for air carriers?

The obligation to collect and provide passenger information already exists since the 1990s, with EU rules in place since 2004.

Air carriers will now need to collect and transfer more API data, as the scope of the proposals includes inbound flights, outbound flights and intra-EU flights. Most carriers already collect API data on inbound and outbound flights, as API systems are now implemented in nearly all countries in the world. The proposals will have the biggest impact for air carriers operating flights within the EU, as there’s currently no obligation to collect API data on these flights. Additional collection and transfers of data imply additional costs; however, these will be mitigated with the set-up of the API router. To comply with the obligation to collect API data in an automated manner, some air carriers will need to invest in additional equipment at airports, also resulting in slight changes in the online check-in applications and processes.

The use of automated means (or using optical character recognition to ‘read’ the machine-readable data of travel documents) is already a wide-spread practice in the air industry. The collection of automated means to collect API data from travellers is used on international flights and this obligation will therefore have most impact for air carriers operating flights within the EU. The proposals leave sufficient flexibility for air carriers to comply with this obligation: a delegated act will explain which formats and specifications should be followed by air carriers without obliging them to implement a unique solution.

Will there be obligations for other carriers?

The proposals do not extend the obligation to collect API data from other transport modes than air transport. This is due to the fact that there are already existing rules on the collection and transmission of passenger data for maritime transport operators.

EU and international obligations already exist on maritime transport operators to collect and transmit in passenger information in advance to border authorities of Member States on incoming and outgoing routes. In this context, any additional requirement to transmit ‘API’ data in a separate instrument, would be redundant and create considerable burden on maritime operators.

There are no international nor EU rules for the collection of passenger data from land transport operators such as rail or bus. Rail transport has specific characteristics in terms of infrastructure, passenger journey and density of networks. Such observations can also be extended to the bus transport sector, composed of a variety of small to medium sized companies. Compared to the air transport sector, the collection of passenger data is more challenging as the issuing of nominative tickets is not a standard practice. To introduce a systematic collection of API data for rail and/or bus transport would require heavy investments in the physical infrastructure of operators, with substantial consequences on their economic model and on passengers. However, this means that Member States can adopt national legislation to collect passenger data from other modes of transport (some Member States already do).

When will the new rules be fully applicable?

It is now for the European Parliament and the Council to examine the proposal. Once adopted, the rules will be directly applicable across the EU. The proposals complete other EU systems and initiatives in the area of border management and security, some of which are being rolled out in the course of 2023 (such as the Entry Exit System and the European Travel Information Authorisation System). The new rules on the collection and transfer of API data are expected to be applied in full as of 2028. Once the router is developed, which is expected to be by 2026, public authorities and air carriers will have two years to adjust to the new requirements, and test the router, before it becomes mandatory.

Is financial support available to Member States to implement these changes?

Financial support will be available to Member States through the Internal Security Fund (ISF) and the Border Management and Visa Instrument (BMVI). However, knowing that Member States already have the systems in place to process API data, the financial part would be necessary to support only certain upgrades, namely, to receive additional data.

The setup of the router and its management by eu-LISA will be entirely financed by the EU budget.

How will data protection and privacy be guaranteed?

The proposals update the data protection framework related to the collection of API data by air carriers. They contain all necessary restrictions and safeguards to ensure compliance with the Charter of Fundamental Rights, including as regards the security of processing of personal data, deletion and purpose limitation and the travellers’ right of information. Any processing of API data remains limited to what is necessary for and proportionate to achieving the objectives of border management and the fight against serious crime and terroism. The necessary safeguards include rules on independent supervision, logs on any processing of the data, and data protection rules such as purpuse limitation and strict retention periods. It is also ensured that the API collected and transferred under do not lead to any form of discrimination precluded by the Charter.

For More Information

Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for facilitating external border controls

Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

Webpage on Advanced Passenger Information

Press Release

Factsheet

Cookie	Duration	Description
__stripe_mid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
_abck		This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
_wpfuuid		This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.
ASP.NET_SessionId		Issued by Microsoft's ASP.NET Application, this cookie stores session data during a user's website visit.
AWSALBCORS		This cookie is managed by Amazon Web Services and is used for load balancing.
bm_sz		This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor		This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID		Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_4L7PKQPHHV		This cookie is installed by Google Analytics.
_ga_T50H0MNN9J		This cookie is installed by Google Analytics.
_gat_gtag_UA_12289088_5		Set by Google to distinguish users.
_gcl_au		Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid		Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_mcid		No description available.
_swa_u		This cookie is set by the provider Sitewit.com. This cookie is used for statistical report and analysis.
ak_bmsc		No description available.
AWSALB		AWSALB is a cookie generated by the Application load balancer in the Amazon Web Services. It works slightly different from AWSELB.
ec_store_chameleon_font		No description available.
FCCDCF		No description available.
issuem_lp		No description available.
lp_us_his		No description
m		No description available.