Migration and home affairs

← Migration and home affairs

Obligation of carriers to communicate passenger data (Advance Passenger Information Directive)

Summary
Evaluation
Commission Proposal
Legal Act
Implementation

Overall state of play:

Evaluation – Finalised: SWD (2020) 174 of 08.09.2020
Commission Proposal: Adopted
- COM(2022)/0729, 13.12.2022, Proposal for a regulation on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC
- COM(2022)/0731, 13.12.2022, Proposal for a regulation on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818

State of play, main conclusions, outlook

The concluded evaluation of the Advance Passenger Information (API) Directive identified a number of shortcomings, i.e. the lack of (i) standardisation and harmonisation, (ii) detailed data protection safeguards and (iii) no clear alignment with the latest policy and legal developments at EU level. These elements affect the impact of the directive, create burden on the stakeholders and generate a certain level of legal uncertainty, both for the entities collecting and transmitting the data, for the authorities processing them, and ultimately for the data subjects.

Based on the results of the evaluation and impact assessment, the Commission proposed two new Regulations replacing the current API Directive. The first proposal aims at enhancing Schengen external border management, by ensuring pre-checks of API data prior to crossing the external borders, and by facilitating the flow of bona fide travellers at external air borders. The second proposal aims at enhancing the EU’s internal security by ensuring that Member States’ law enforcement authorities (namely Passenger Information Units) have an effective access to air passenger data within the EU that is necessary to prevent and fight terrorism and serious crime, in compliance with the fundamental right to the protection of personal data and the fundamental right to freedom of movement.

State of Play:

Finalised: SWD (2020) 174 of 08.09.2020

Scope:

Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data ('API Directive')

Evaluation findings:

Regarding the relevance of the directive, the Evaluation found that the rationale for collecting API data is still valid 15 years after the entry into force of the directive. The objectives (i.e. border control management, combating against irregular migration, law enforcement including fighting terrorism) remain highly pertinent to the needs of the relevant stakeholders and the wider societies. In addition, collecting API data is also relevant to facilitate legitimate travel, which is currently not per se an objective of the directive. The professionalisation and internationalisation of terrorist and criminal groups and their crossborder activities, together with international calls for an increased use of API data, suggest that in the future this instrument will be even more relevant to support implementing countries in facing new challenges also in the light of UN requirements¹.

However, the lack of harmonisation in the implementation of the directive is an obstacle to its effectiveness and coherence. As a result of the “minimum requirements” imposed by the directive, the implementation of API systems and the actual usage of API data show a fragmented picture. In addition, the option left to implementing countries to collect and use API data for law enforcement purposes, without providing a clear definition of this purpose nor laying down a framework for processing data, led to a disjointed implementation at national level. There are also several discrepancies with other EU instruments causing operational challenges in practice and uncertainty for data subjects, and the data protection requirements are not in line with the most recent developments in the field. Furthermore, the API Directive is not fully coherent with the international regulatory framework on passenger information, especially as concerns data fields and transmission standards.

As concerns the efficiency, the perception by national authorities that the overall costs incurred from the implementation of API systems are proportionate and justified is only partially shared by air carriers, given the minimal benefits for them.

As regards the EU added value, the evaluation shows that it is unlikely that without EU intervention the benefits derived from the implementation of API systems would have been achieved on an EU-wide scale. The issues addressed by the directive would continue to require action at EU level.

Estimated savings and benefits

The overall costs involved in the implementation of API systems (direct costs for implementing countries authorities in terms of setting up and running API systems, and compliance costs for carriers) varied substantially across the different implementing countries. This can be attributed to different needs and preferences exhibited by Member States, which in turn contributed to differing approaches to implementation and, hence costs.

National authorities perceived that the overall costs incurred from the implementation of API systems have been proportionate and are justified, considering the extent of resources used and the nature and level of benefits / impacts achieved to date. The implementation of API systems helped drive positive operational outcomes, notably in the area of border control and management. API systems constitute an effective border management tool for national authorities and it is recognized that they have contributed to improved border control activities, notably by increasing the relevant authorities’ preparedness and readiness, in terms of identifying high-risk individuals ahead of their arrival and by expediting the process of passenger checks upon arrival.

Carriers, notably air carriers, considered that the costs incurred from the implementation of API systems are only partially or not at all justified, given that (direct) benefits have been minimal for them.

Despite the fact that overall the costs incurred in the implementation of the API systems were considered proportionate, the differences in the implementation of the directive at national level created a number of inconsistencies leading to inefficiencies. Especially from the side of air carriers, having to deal with different requirements in different countries (for example regarding the data fields, formats, timing of transmission, type of flights etc.) was perceived as a burden. In addition, in some cases, carriers had to face quite substantial sanctions.

The evaluation also shows that the lack of harmonisation of the API Directive with more recent instruments regarding data protection, but also governing border management and passenger data, created a very complex and unclear situation for all stakeholders.

¹ UN Security Council Resolutions 2178(2014), 2309(2016), 2396(2017) and 2482 (2019)

State of Play

Adopted: COM(2022)/0729, COM(2022)/0731, 13.12.2022, Proposals for Council and European Parliament Regulations on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, and for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Which objectives does the Commission pursue?

The proposals aim at increasing the benefits of the already existing EU regulatory framework related to passenger information:

• for the border authorities in charge of the management of Schengen external borders: improve Member States’ capacity to use API data to effectively and efficiently pre-check air travellers ahead of their arrival at Schengen external borders, identify high-risk travellers, and ensure a speedier facilitation of external border checks and clearance of passengers upon arrival,

• for the national law enforcement authorities (Passenger Information Units): by regulating API data collection on all flights into and outside the EU, as well as on selected intra-EU for which Passenger Name Records (PNR) data is collected, and by providing higher quality and verified API data to competent national authorities (Passenger Information Units) reinforce the joint processing of API data and PNR and the robustness of the PNR Directive in the fight against serious crime and terrorism.

• for the air carriers: By introducing a harmonized definition of API data and uniform procedures for its collection, the proposals aim as well at simplifying the EU regulatory framework for the air carriers. Both proposals look at reducing the complexity and the regulatory costs for the air carriers related to the transfer of API information to border and law enforcement authorities by establishing a unique connection to a central router rather than multiple connections to different authorities across Member States.

Finally, the proposals seek to maintain the full compliance of API data collection and transfer to Member States’ authorities with fundamental rights, by setting up the appropriate safeguards; specifically, the collection of API data on intra-EU and domestic flights for law enforcement purposes will not be systematic and limited to the flights for which PNR data is collected.

Estimated savings and benefits

Air travellers will benefit from faster border checks. Member States should also substantially benefit from:

- more efficient use of resources by border authorities, due to an increased preparedness and readiness in terms of identifying high-risk individuals ahead of their arrival and by expediting the process of passenger checks upon arrival,

- less travellers attempting to cross the border without valid travel documents,

- more efficient detection of known suspects and confirmation of the travel history of suspects by law enforcement authorities,

- more effective tools for fighting crime and terrorism.

In quantitative terms, the impact assessment estimated that the airline companies would globally incur a one-off investment of EUR 125 million for complying with the new instruments, especially for the implementation of the automated collection and for the transfer of API data to the router. As the new instruments regulate the collection of data on a larger number of flights, the airline companies would be subject to higher recurring administrative transmission costs, estimated globally to EUR 25,40 million per year. However, those costs would be outweighed in the long run by recurring benefits and savings which would amount to EUR 87,60 million per year for the airline industry stemming from:

- up to EUR 80 million per year coming from the reduction of the amount of penalties for carrying passengers without valid travel documents to the Schengen borders, thanks to the higher quality of API data.

- EUR 7,60 million per year, related to the efficiency of transmitting API data to the router.