Chapter News

Security Union: EU Commission proposes new rules on Advance Passenger Information to facilitate external border management and increase internal security

Today, the Commission is proposing new rules to strengthen the use of Advance Passenger Information (API) data. This proposal is one of the key actions identified in the EU Security Union Strategy. The EU continues its progress in strengthening its overall security architecture, which aims to enhance EU citizens’ protection, as shown also in the Fifth Security Union Progress Report. The report highlights three years of solid progress in implementing the Security Union Strategy. It shows that significant steps have been made in strengthening the protection of critical infrastructures from physical, cyber and hybrid attacks, in fighting terrorism and radicalisation, as well as in the fight against organised crime.

Information on travellers has helped to improve border controls, reduce irregular migration, and identify persons posing security risks. Every year, over a billion passengers enter, leave or travel within the EU. The new rules will improve the use of API data to perform checks on passengers prior to their arrival at the external borders. The new rules will also enhance the fight against serious crime and terrorism within the EU. This will close an important gap in the current legal framework, while upholding EU standards for data protection and transmission.

The Commission is also today reporting on three years of solid progress in implementing the Security Union Strategy and proposing a new Action Plan on Trafficking in Cultural Goods, which remains one of the most lucrative forms of business for organised crime groups.

The new rules on API will introduce:

  • Uniform rules on API data collection. The new rules include a closed list of API data elements, the means to collect API data, and a single point for the transfer of the data.
  • Mandatory API data collection for the purposes of border management and combating irregular immigration on all flights entering the Schengen area. This will facilitate the travel of people travelling to the Schengen area, with reduced times at disembarkation and at the physical border checks. Mandatory API data collection for law enforcement purposes for all flights to and from the EU, as well as on selected flights within the EU. API data for such purposes is collected in full respect of EU personal data protection rules.
  • Better quality API data, as air carriers will have to collect API data by automated means only.
  • Streamlined transmission of API data by air carriers to national authorities through a new router, which will be managed by an EU Agency, eu-LISA. This technical solution is compliant with personal data protection safeguards as it will only transmit and not store any API data.

Next steps

It is now for the European Parliament and the Council to examine the proposal. Once adopted, the rules will be directly applicable across the EU. These proposals complete other EU systems and initiatives in the area of border management and security, and that are being rolled out in the course of 2023 (such as the Entry Exit System and the European Travel Information Authorisation System). The new rules on the collection and transfer of API data are expected to be applied in full as of 2028. Once the router is developed, which is expected to be the case by 2026, public authorities and air carriers will have two years to adjust to the new requirements and test the router, before it becomes mandatory.

Background

The processing of API data provides an effective tool for advance checks of air travellers, allowing to expedite procedures upon arrival and allocating more resources and time to identify travellers who need further attention.

In the EU, the API Directive imposes obligations on air carriers to transmit, upon request, API data to the EU Member State of destination prior to the flight’s take-off. This concerns inbound flights from a third country and aims to improve border control and fight irregular migration. The revision of the Directive was announced in the Commission Work Programme 2022 and the June 2021 Schengen Communication. The two new Regulations will replace the 2004 Advance Passenger Information Directive.

Results of the 2020 evaluation of the API Directive showed that the current rules on the collection of API data in the EU are no longer fit for purpose. Today’s proposals address the need to harmonise and clarify the way API data is collected throughout the EU. It also highlights the usefulness to combine API and PNR data in order to strengthen the reliability and effectiveness of PNR data as a law enforcement tool.

In addition to API data that is collected by air carriers at the moment of check-in and boarding of the plane, air carriers also collect passenger name records (PNR) data at the moment of reservation or booking of a flight ticket. These are a separate set of information, collected by airlines in the normal course of their business. The transmission of PNR data to national authorities and the subsequent use of this data is regulated in the EU by a separate legal framework, the PNR Directive adopted in 2016.

Compliments of the European Commission.