Strasbourg, 13 December 2022
Today, the Commission is proposing new rules to strengthen the use of Advance Passenger Information (API) data. This proposal is one of the key actions identified in the EU Security Union Strategy. The EU continues its progress in strengthening its overall security architecture, which aims to enhance EU citizens’ protection, as shown also in the Fifth Security Union Progress Report. The report highlights three years of solid progress in implementing the Security Union Strategy. It shows that significant steps have been made in strengthening the protection of critical infrastructures from physical, cyber and hybrid attacks, in fighting terrorism and radicalisation, as well as in the fight against organised crime.
Information on travellers has helped to improve border controls, reduce irregular migration, and identify persons posing security risks. Every year, over a billion passengers enter, leave or travel within the EU. The new rules will improve the use of API data to perform checks on passengers prior to their arrival at the external borders. The new rules will also enhance the fight against serious crime and terrorism within the EU. This will close an important gap in the current legal framework, while upholding EU standards for data protection and transmission.
The Commission is also today reporting on three years of solid progress in implementing the Security Union Strategy and proposing a new Action Plan on Trafficking in Cultural Goods, which remains one of the most lucrative forms of business for organised crime groups.
The new rules on API will introduce:
- Uniform rules on API data collection. The new rules include a closed list of API data elements, the means to collect API data, and a single point for the transfer of the data.
- Mandatory API data collection for the purposes of border management and combating irregular immigration on all flights entering the Schengen area. This will facilitate the travel of people travelling to the Schengen area, with reduced times at disembarkation and at the physical border checks. Mandatory API data collection for law enforcement purposes for all flights to and from the EU, as well as on selected flights within the EU. API data for such purposes is collected in full respect of EU personal data protection rules.
- Better quality API data, as air carriers will have to collect API data by automated means only.
- Streamlined transmission of API data by air carriers to national authorities through a new router, which will be managed by an EU Agency, eu-LISA. This technical solution is compliant with personal data protection safeguards as it will only transmit and not store any API data.
It is now for the European Parliament and the Council to examine the proposal. Once adopted, the rules will be directly applicable across the EU. These proposals complete other EU systems and initiatives in the area of border management and security, and that are being rolled out in the course of 2023 (such as the Entry Exit System and the European Travel Information Authorisation System). The new rules on the collection and transfer of API data are expected to be applied in full as of 2028. Once the router is developed, which is expected to be the case by 2026, public authorities and air carriers will have two years to adjust to the new requirements and test the router, before it becomes mandatory.
The processing of API data provides an effective tool for advance checks of air travellers, allowing to expedite procedures upon arrival and allocating more resources and time to identify travellers who need further attention.
In the EU, the API Directive imposes obligations on air carriers to transmit, upon request, API data to the EU Member State of destination prior to the flight’s take-off. This concerns inbound flights from a third country and aims to improve border control and fight irregular migration. The revision of the Directive was announced in the Commission Work Programme 2022 and the June 2021 Schengen Communication. The two new Regulations will replace the 2004 Advance Passenger Information Directive.
Results of the 2020 evaluation of the API Directive showed that the current rules on the collection of API data in the EU are no longer fit for purpose. Today’s proposals address the need to harmonise and clarify the way API data is collected throughout the EU. It also highlights the usefulness to combine API and PNR data in order to strengthen the reliability and effectiveness of PNR data as a law enforcement tool.
In addition to API data that is collected by air carriers at the moment of check-in and boarding of the plane, air carriers also collect passenger name records (PNR) data at the moment of reservation or booking of a flight ticket. These are a separate set of information, collected by airlines in the normal course of their business. The transmission of PNR data to national authorities and the subsequent use of this data is regulated in the EU by a separate legal framework, the PNR Directive adopted in 2016.
- Q&A: Revised rules on Advance Passenger Information
- Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for facilitating external border controls
- Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
- Webpage on Advanced Passenger Information
- Action Plan on Trafficking in Cultural Goods
- 5th Security Union Progress Report
- EU Security Union Strategy
From improving cybersecurity, to tackling radicalisation to fighting organised crime, three years into the mandate, the European Union continues to deliver on building an effective and genuine Security Union. Today we are presenting new rules on advance passenger data that will further strengthen external border management and help national law enforcement authorities prevent, detect, investigate and prosecute terrorist offences and serious crime. We are also presenting a new Action Plan on trafficking in cultural goods to crack down on this lucrative crime and protect cultural heritage.
Today we are making a further step to making our borders smarter, and fighting criminals. Through the new API system border guards will know who is on the plane coming into the European Union and police officers will be able to close the gap between the purchase of the ticket and the actual flight, preventing criminals from exploiting grey areas. A new transparent system, grounded on protecting the Union and the personal data of our citizens
Ylva Johansson, Commissioner for Home Affairs, said: – 13/12/2022
Questions and Answers – Revised rules on Advance Passenger Information
API data is biographic information on passengers, as contained in travel documents, collected by air carriers during check-in and complemented with travel route information. API data usually contains information which allows to confirm of the identity of passengers.
How is API data collected?
API data is collected by air carriers at the moment of check-in (online or at the airport). This data is stored in the air carriers systems and generally sent to competent border authorities as a complete ‘passenger list manifest’ containing all passengers on board at departure of the plane.
How will API data be transferred to national authorities?
API data will be transmitted by air carriers to a router. This device will receive and immediately transmit the information to the relevant competent national authorities (border authorities and passenger information units) of Member States. This will replace the current system comprised of multiple connections between air carriers and national authorities, improving the data flow and facilitating the transfer of information.
Why is the Commission proposing a revision of the EU rules on advance passenger information?
Every year, over a billion passengers enter or leave, or travel within the EU. This puts a strain on the external air borders of the EU as all travellers, meaning non-EU nationals, and EU citizens crossing the external borders, should be effectively and systematically checked against the relevant databases. To ensure that checks can be performed efficiently on every air passenger, there is a need to speed up border controls at airports and ensure the facilitation of passenger flows while at the same time maintaining a high level of security.
The recent evaluation assessing the implementation of the API Directive showed that the lack of legal precision resulted in a multitude of national interpretations, creating gaps in the collection and use of API data and therefore undermining the overall effectiveness of the Directive.
The evaluation also indicated that the use of API data for law enforcement fulfils a distinct purpose, with specific operational needs, therefore requiring a dedicated legal instrument. Effective rules will step up the fight against serious crime and terrorism.
The new rules will cover all flights within, into and from the EU.
What are the key elements of the proposal to revise the Advance Passenger Information Directive?
The proposal provides an updated framework of rules that will improve the flow of Advance Passenger Information.
The revision aims to:
- harmonise the requirements for the collection of API data, by setting a clear and mandatory list of API data elements to be collected by air carriers from travellers;
- cover all air travellers on all flights (including those travelling on business aviation and charter flights);
- improve the accuracy and completeness of data collected, as air carriers will have to collect data by automated means only. This will increase the efficiency and reliability of the analysis of the data by national authorities;
- establish a central router, that will act as the single point of reception and onward distribution of data, replacing the current system comprised of multiple connections between air carriers and national authorities.
What will be the benefits for air carriers?
The new rules will allow air carriers to transfer API data on passengers only to one single point of reception, namely the router that will distribute the data to national authorities. The router will ensure that each relevant authority in Member States receives the data.
The proposal will clarify the API data elements to be collected and transferred, also on which flights and on which travellers, so that carriers will no longer face different requirements from each Member State. The proposal also provides clarity on the two specific moments to transfer API data, as opposed to the current API Directive which provides that API data needs to be transmitted “by the end of the check-in”, which is used by some Member States to request API transmission several times (up to four transmissions per flight).
What will be the obligations for air carriers?
The obligation to collect and provide passenger information already exists since the 1990s, with EU rules in place since 2004.
Air carriers will now need to collect and transfer more API data, as the scope of the proposals includes inbound flights, outbound flights and intra-EU flights. Most carriers already collect API data on inbound and outbound flights, as API systems are now implemented in nearly all countries in the world. The proposals will have the biggest impact for air carriers operating flights within the EU, as there’s currently no obligation to collect API data on these flights. Additional collection and transfers of data imply additional costs; however, these will be mitigated with the set-up of the API router. To comply with the obligation to collect API data in an automated manner, some air carriers will need to invest in additional equipment at airports, also resulting in slight changes in the online check-in applications and processes.
The use of automated means (or using optical character recognition to ‘read’ the machine-readable data of travel documents) is already a wide-spread practice in the air industry. The collection of automated means to collect API data from travellers is used on international flights and this obligation will therefore have most impact for air carriers operating flights within the EU. The proposals leave sufficient flexibility for air carriers to comply with this obligation: a delegated act will explain which formats and specifications should be followed by air carriers without obliging them to implement a unique solution.
Will there be obligations for other carriers?
The proposals do not extend the obligation to collect API data from other transport modes than air transport. This is due to the fact that there are already existing rules on the collection and transmission of passenger data for maritime transport operators.
EU and international obligations already exist on maritime transport operators to collect and transmit in passenger information in advance to border authorities of Member States on incoming and outgoing routes. In this context, any additional requirement to transmit ‘API’ data in a separate instrument, would be redundant and create considerable burden on maritime operators.
There are no international nor EU rules for the collection of passenger data from land transport operators such as rail or bus. Rail transport has specific characteristics in terms of infrastructure, passenger journey and density of networks. Such observations can also be extended to the bus transport sector, composed of a variety of small to medium sized companies. Compared to the air transport sector, the collection of passenger data is more challenging as the issuing of nominative tickets is not a standard practice. To introduce a systematic collection of API data for rail and/or bus transport would require heavy investments in the physical infrastructure of operators, with substantial consequences on their economic model and on passengers. However, this means that Member States can adopt national legislation to collect passenger data from other modes of transport (some Member States already do).
When will the new rules be fully applicable?
It is now for the European Parliament and the Council to examine the proposal. Once adopted, the rules will be directly applicable across the EU. The proposals complete other EU systems and initiatives in the area of border management and security, some of which are being rolled out in the course of 2023 (such as the Entry Exit System and the European Travel Information Authorisation System). The new rules on the collection and transfer of API data are expected to be applied in full as of 2028. Once the router is developed, which is expected to be by 2026, public authorities and air carriers will have two years to adjust to the new requirements, and test the router, before it becomes mandatory.
Is financial support available to Member States to implement these changes?
Financial support will be available to Member States through the Internal Security Fund (ISF) and the Border Management and Visa Instrument (BMVI). However, knowing that Member States already have the systems in place to process API data, the financial part would be necessary to support only certain upgrades, namely, to receive additional data.
The setup of the router and its management by eu-LISA will be entirely financed by the EU budget.
How will data protection and privacy be guaranteed?
The proposals update the data protection framework related to the collection of API data by air carriers. They contain all necessary restrictions and safeguards to ensure compliance with the Charter of Fundamental Rights, including as regards the security of processing of personal data, deletion and purpose limitation and the travellers’ right of information. Any processing of API data remains limited to what is necessary for and proportionate to achieving the objectives of border management and the fight against serious crime and terroism. The necessary safeguards include rules on independent supervision, logs on any processing of the data, and data protection rules such as purpuse limitation and strict retention periods. It is also ensured that the API collected and transferred under do not lead to any form of discrimination precluded by the Charter.
For More Information
Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for facilitating external border controls
Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Webpage on Advanced Passenger Information