Considerations on COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)729 - Collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls. |
|---|---|
| document | COM(2022)729  |
| date | December 19, 2024 |
(2) The use of passenger data and flight information transferred ahead of the arrival of passengers, known as advance passenger information or API data, contributes to speeding up the required border checks during the border-crossing process. For the purposes of this Regulation that process concerns, more specifically, the crossing of borders between a third country or a Member State to which this Regulation does not apply and a Member State to which this Regulation applies. The use of API data strengthens border checks at those external borders by providing sufficient time to enable detailed and comprehensive border checks to be carried out on all passengers, without having a disproportionate negative effect on those travelling in good faith. Therefore, in the interest of the effectiveness and efficiency of border checks at external borders, an appropriate legal framework should be provided for to ensure that Member States’ competent border authorities at such external border crossing points have access to API data prior to the arrival of passengers.
(3) The existing legal framework on API data, which consists of Council Directive 2004/82/EC (4) and national law transposing that Directive, has proven important in improving border checks, in particular by setting up a framework for Member States to introduce provisions for laying down obligations on air carriers to transfer API data on passengers transported into their territory. However, divergent practices remain at national level. In particular, API data are not systematically requested from air carriers and air carriers are faced with different requirements regarding the type of information to be collected and the conditions under which the API data need to be transferred to competent border authorities. Those divergences not only lead to unnecessary costs and complications for air carriers, but they are also prejudicial to ensuring effective and efficient pre-checks on persons arriving at external borders.
(1) OJ C 228, 29.6.2023, p. 97.
(2) Position of the European Parliament of 25 April 2024 (not yet published in the Official Journal) and decision of the Council of 12 December 2024.
(3) Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, p. 1).
(4) Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ L 261, 6.8.2004, p. 24).
(4) The existing legal framework needs to be updated and replaced to ensure that the rules regarding the collection and transfer of API data for the purpose of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and for combating illegal immigration are clear, harmonised and effective, in accordance with the rules set out in Regulation (EU) 2016/399 for Member States to which it applies, and with national law where it does not apply.
(5) In order to ensure a consistent approach at both Union and international level as much as possible and in view of the rules on the collection of API data applicable at international level, the updated legal framework established by this Regulation should take into account the relevant practices internationally agreed with the air industry, such as in the context of the World Customs Organisation, International Aviation Transport Association and International Civil Aviation Organisation (ICAO) Guidelines on Advance Passenger Information.
(6) The collection and transfer of API data affect the privacy of individuals and entail the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter, adequate limits and safeguards should be provided for. For example, any processing of API data and, in particular, API data constituting personal data should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the processing of any API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.
(7) In order to achieve its objectives, this Regulation should apply to all air carriers conducting flights into the Union, as defined in this Regulation, irrespective of the place of establishment of the air carriers conducting those flights, and operating both scheduled and non-scheduled flights. The collection of data from any other civil aircraft operations, such as flight schools, medical flights, emergency flights, as well as from military flights, is not within the scope of this Regulation. This Regulation is without prejudice to the collection of data from such flights as provided for in national law that is compatible with Union law. The Commission should assess the feasibility of a Union scheme obliging operators of private flights to collect and transfer air passenger data.
(8) The obligations on air carriers to collect and transfer API data under this Regulation should include all passengers on flights into the Union, transit passengers whose final destination is outside of the Union and any off-duty crew member positioned on a flight by an air carrier in connection with their duties.
(9) In the interest of effectiveness and legal certainty, the items of information that together constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each passenger and information on the flight taken by that passenger. Under this Regulation, and in accordance with international standards, such flight information should cover seating and baggage information, where such information is available, and information on the border crossing point of entry into the territory of the Member State concerned in all cases covered by this Regulation. Where baggage or seat information is available within other IT systems that the air carrier, its handler, its system provider or the airport authority has at its disposal, air carriers should integrate that information in the API data to be transferred to the competent border authorities. API data as defined and regulated under this Regulation do not include biometric data.
(10) In order to allow for flexibility and innovation, it should in principle be left to each air carrier to determine how it meets its obligations regarding the collection of API data set out in this Regulation, taking into account the different types of air carrier as defined in this Regulation and their respective business models, including as regards check-in times and cooperation with airports. However, considering that suitable technological solutions exist that allow certain API data to be collected automatically while ensuring that the API data concerned are accurate, complete and up to date, and having regard to the advantages of the use of such technology in terms of effectiveness and efficiency, air carriers should be required to collect such API data using automated means, by reading information from the machine-readable data of the travel document. Where the use of such automated means is not technically possible in exceptional circumstances, air carriers should exceptionally collect the API data manually, either as part of the online check-in process or as part of the check-in at the airport, in such a manner as to ensure compliance with their obligations under this Regulation.
(11) The collection of API data by automated means should be strictly limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it. As the collection of API data is part of the check-in process, either online or at the airport, this Regulation does not include an obligation for air carriers to check a travel document of the passenger at the moment of boarding. Compliance with this Regulation does not include any obligation for passengers to carry a travel document at the moment of boarding. This should be without prejudice to obligations stemming from other Union legal acts or national law that is compatible with Union law.
(12) The collection of API data from travel documents should also be consistent with the ICAO standards on machine-readable travel documents, which have been incorporated into Union law by means of Regulation (EU) 2019/1157 of the European Parliament and of the Council (5), Council Regulation (EC) No 2252/2004 (6) and Council Directive (EU) 2019/997 (7).
(13) The requirements set out in this Regulation and the corresponding delegated and implementing acts should lead to the uniform implementation of this Regulation by the air carriers, thereby minimising the cost of the interconnection of their respective systems. To facilitate the harmonised implementation of those requirements by the air carriers, in particular as regards the data structure, format and transmission protocol, the Commission, on the basis of its cooperation with the competent border authorities, other Member States authorities, air carriers and relevant Union agencies, should ensure that the practical handbook to be prepared by the Commission provides all the necessary guidance and clarifications.
(14) In order to enhance the quality of API data, the router to be established under this Regulation should verify whether the API data transferred to it by air carriers comply with the supported data formats, including standardised data fields or codes, in terms of both content and structure. Where the verification determines that the data are not compliant with those data formats, the router should, immediately and in an automated manner, notify the air carrier concerned.
(15) It is important that the automated data collection systems and other processes established under this Regulation do not have a negative impact on the employees in the aviation industry, who are to be provided with upskilling and reskilling opportunities that would increase the efficiency and reliability of data collection and transfer as well as the working conditions in the sector.
(16) Passengers should have the possibility to provide certain API data themselves by automated means during an online check-in process, for example via a secure application on a passenger’s smartphone, a computer or a webcam with the capability to read the machine-readable data of the travel document. Where passengers do not check in online, air carriers should provide them with the possibility to provide the required machine-readable API data during check-in at the airport with the assistance of a self-service kiosk or of air carriers’ staff at the check-in counter. Without prejudice to air carriers’ freedom to set air fares and define their commercial policy, it is important that the obligations under this Regulation do not lead to disproportionate obstacles for passengers unable to use online means to provide API data, such as additional fees for providing API data at the airport. In addition, this Regulation should provide for a transitional period during which passengers are given the possibility to provide API data manually as part of the online check-in process. In such cases, air carriers should use data verification techniques.
(17) With a view to ensuring the fulfilment of the rights provided for under the Charter, as well as ensuring accessible and inclusive travel options, especially for vulnerable groups and persons with disabilities, and in accordance with the rights of disabled persons and persons with reduced mobility when travelling by air set out in Regulation (EC) No 1107/2006 of the European Parliament and of the Council (8), air carriers, supported by the Member States, should ensure that an option for the provision of the necessary data by passengers at the airport is available at all times.
(18) In view of the advantages offered by using automated means for the collection of machine-readable API data and the clarity resulting from the technical requirements in that regard to be adopted under this Regulation, air carriers that decide to use automated means to collect the information that they are required to transmit under Directive 2004/82/EC should be provided with the possibility, but not the obligation, to apply those requirements, once
(5) Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (OJ L 188, 12.7.2019, p. 67).
(6) Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States (OJ L 385, 29.12.2004, p. 1).
(7) Council Directive (EU) 2019/997 of 18 June 2019 establishing an EU Emergency Travel Document and repealing Decision 96/409/CFSP (OJ L 163, 20.6.2019, p. 1).
(8) Regulation (EC) No 1107/2006 of the European Parliament and of the Council of 5 July 2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air (OJ L 204, 26.7.2006, p. 1).
adopted, in connection to such use of automated means, insofar as that Directive is applicable and permits it. Any such voluntary application of those specifications in application of Directive 2004/82/EC should not be understood as affecting in any way the obligations of air carriers and Member States under that Directive.
(19) With a view to ensuring that the pre-checks carried out in advance by competent border authorities are effective and efficient, the API data transferred to those authorities should contain the data of passengers that are effectively set to cross the external borders, that is, of passengers that are effectively on board of the aircraft, irrespective of whether the final destination of the passenger is inside or outside the Union. Therefore, air carriers should transfer API data immediately after flight closure. Moreover, API data help the competent border authorities to distinguish legitimate passengers from passengers who might be of interest and therefore require additional verifications, which would necessitate further coordination and preparation of follow-up measures to be taken upon arrival. That could occur, for example, in cases of an unexpected number of passengers of interest, whose physical checks at the borders could adversely affect the border checks and waiting times at the borders of other legitimate passengers. To provide the competent border authorities with an opportunity to prepare adequate and proportionate measures at the border, such as temporarily reinforcing or redeploying staff, particularly for flights where the time between the flight closure and the arrival at the external borders is insufficient to allow the competent border authorities to prepare the most appropriate response, API data should also be transferred prior to boarding, at the moment of check-in of each passenger.
(20) In order to avoid any risk of misuse and in line with the principle of purpose limitation, the competent border authorities should be expressly precluded from processing the API data that they receive under this Regulation for any purpose other than those explicitly provided for in this Regulation and in accordance with the rules set out in Regulation (EU) 2016/399 for Member States to which that Regulation applies or, where that Regulation does not apply, in accordance with the relevant rules set out in national law.
(21) To ensure that competent border authorities have sufficient time to carry out pre-checks effectively on all passengers, including passengers on long-haul flights and those travelling on connecting flights, as well as sufficient time to ensure that the API data collected and transferred by air carriers are accurate, complete and up to date, and where necessary to request additional clarifications, corrections or completions from air carriers, in order to ensure that API data remain available until all passengers have effectively presented themselves at the border crossing point, the competent border authorities should store the API data that they received under this Regulation for a fixed period of time that remains limited to what is strictly necessary for those purposes. In exceptional circumstances where individual passengers, after landing, do not present themselves at a border crossing point within such fixed period of time, the Member States should have the possibility to enable their competent border authorities to store the API data of such individual passengers until they present themselves at a border crossing point or at the latest for an additional fixed period of time. Where Member States want to make use of such possibility, Member States should be responsible to put in place the appropriate means to identify such individual passengers, in order to ensure that the longer retention of their specific API data remain limited to what is strictly necessary.
(22) In order to be able to respond to requests for additional clarifications, corrections or completions by the competent border authorities, air carriers should store the API data that they transferred under this Regulation for a fixed and strictly necessary period of time. Beyond that, and with a view to enhancing the travel experience of legitimate passengers, air carriers should be able to retain and use the API data where necessary for the normal course of their business in particular for travel facilitation, in compliance with the applicable law and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (9).
(23) In order to avoid a situation in which air carriers have to establish and maintain multiple connections with the competent border authorities of the Member States for the transfer of API data collected under this Regulation, and thereby avoid the related inefficiencies and security risks, provision should be made for a single router, created and operated at Union level in accordance with this Regulation and Regulation (EU) 2025/13 of the European Parliament and of the Council (10), that serves as a connection and distribution point for those transfers. In the interest of efficiency and cost-effectiveness, the router should, to the extent technically possible and in full compliance with the
(9) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(10) Regulation (EU) 2025/13 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818 (OJ L, 2025/13, 8.1.2025, ELI: data.europa.eu/eli/reg/2025/13/oj).
rules of this Regulation and Regulation (EU) 2025/13 rely on technical components from other relevant systems created under Union law, in particular the web service referred to in Regulation (EU) 2017/2226 of the European Parliament and of the Council (11), the carrier gateway referred to in Regulation (EU) 2018/1240 of the European Parliament and of the Council (12) and the carrier gateway referred to in Regulation (EC) No 767/2008 of the European Parliament and of the Council (13). In order to reduce the impact on air carriers and ensure a harmonised approach towards air carriers, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (14), should design the router, to the extent technically and operationally possible, in a way that is coherent and consistent with the obligations for air carriers set out in Regulations (EC) No 767/2008, (EU) 2017/2226 and (EU) 2018/1240.
(24) In order to improve the efficiency of the transmission of air traffic data and support the monitoring of the API data transmitted to competent border authorities, the router should receive real-time flight traffic data collected by other organisations, such as the European Organisation for the Safety of Air Navigation (Eurocontrol).
(25) Under this Regulation, the router should transmit the API data, in an automated manner, to the relevant competent border authorities, which should be determined on the basis of the border crossing point of entry into the territory of the Member State included in the API data in question. In order to facilitate the distribution process, each Member State should indicate which border authorities are competent to receive the API data transmitted from the router. It is possible for Member States to establish a single data entry point that receives the API data from the router and that immediately and in an automated manner forwards those data to the competent border authorities of the Member State concerned. To ensure the proper functioning of this Regulation and in the interest of transparency, the information on the competent border authorities should be made public.
(26) The router should serve only to facilitate the transfer of API data from the air carriers to the competent border authorities in accordance with this Regulation, and should not be a repository of API data. Therefore, and in order to minimise any risk of unauthorised access or other misuse and in accordance with the principle of data minimisation, no storage should take place unless strictly necessary for technical purposes related to the transmission and the API data should be deleted from the router, immediately, permanently and in an automated manner, from the moment that the transmission has been completed.
(27) In order to allow air carriers to benefit as soon as possible from the advantages offered by the use of the router developed by eu-LISA in accordance with this Regulation and Regulation (EU) 2025/13, and to gain experience in using it, air carriers should be provided with the possibility, but not the obligation, to use the router to transfer the information that they are required to transfer under Directive 2004/82/EC during an interim period. That interim period should commence at the moment at which the router starts operations and end when the obligations under that Directive cease to apply. With a view to ensuring that any such voluntary use of the router takes place in a responsible manner, the prior written agreement of the Member State that is to receive the information should be required, upon request of the air carrier and after that Member State having conducted verifications and obtained assurances, as necessary. Similarly, in order to avoid a situation in which air carriers repeatedly start and stop using the router, once an air carrier starts such use on a voluntary basis, it should be required to continue it, unless there are objective reasons to discontinue the use of the router for the transfer of the information to the responsible authorities of the Member State concerned, such as it having become apparent that the information is not transferred in a lawful, secure, effective and swift manner. In the interest of the proper application of the possibility
(11) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).
(12) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).
(13) Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of information between Member States on short-stay visas, long-stay visas and residence permits (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).
(14) Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LlSA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99).
of voluntarily using the router, with due regard to the rights and interests of all affected parties, the necessary rules on consultations and the provision of information should be provided for in this Regulation. Any such voluntary use of the router in application of Directive 2004/82/EC as provided for in this Regulation should not be understood as affecting in any way the obligations of air carriers and Member States under that Directive.
(28) The router to be created and operated under this Regulation and Regulation (EU) 2025/13 should reduce and simplify the technical connections needed to transfer API data under this Regulation, limiting them to a single connection per air carrier and per competent border authority. Therefore, this Regulation should provide for the obligation for the competent border authorities and air carriers to each establish such a connection to, and achieve the required integration with, the router, to ensure that the system for transferring API data established by this Regulation can function properly. The design and development of the router by eu-LISA should enable the effective and efficient connection and integration of air carriers’ systems and infrastructure by providing for all relevant standards and technical requirements. To ensure the proper functioning of the system set up by this Regulation, detailed rules should be provided for. When designing and developing the router, eu-LISA should ensure that API data transferred by air carriers and transmitted to competent border authorities are encrypted in transit.
(29) In view of the Union interests at stake, all the costs incurred by eu-LISA for the performance of its tasks under this Regulation in respect of the router should be borne by the Union budget, including the design and development of the router, the hosting and technical management of the router, and the governance structure at eu-LISA to support the design, development, hosting and technical management of the router. The same might apply for the costs incurred by the Member States in relation to their connections to, and integration with, the router and their maintenance, as required under this Regulation, in accordance with the applicable Union law. It is important that the Union budget provides appropriate financial support to the Member States for those costs. To that end, the financial needs of the Member States should be supported by the general budget of the Union, in accordance with the eligibility rules and co-financing rates set by the relevant Union legal acts. The annual Union contribution allocated to eu-LISA should cover the needs related to the hosting and the technical management of the router based on an assessment carried out by eu-LISA. The Union budget should also cover the support, such as training, provided by eu-LISA to air carriers and competent border authorities to enable effective transfer and transmission of API data through the router. The costs incurred by the independent national supervisory authorities in relation to the tasks entrusted to them under this Regulation should be borne by the respective Member States.
(30) It cannot be excluded that, due to exceptional circumstances and despite all reasonable measures having been taken in accordance with this Regulation, the central infrastructure or one of the technical components of the router, or the communication infrastructures connecting the competent border authorities and the air carriers thereto, fail to function properly, thus leading to a technical impossibility for air carriers to transfer, or for competent border authorities to receive, API data. Given the unavailability of the router, and that it will generally not be reasonably possible for air carriers to transfer the API data affected by the failure in a lawful, secure, effective and swift manner through alternative means, the obligation for air carriers to transfer such API data to the router should cease to apply for as long as the technical impossibility persists. However, to ensure the availability of API data necessary for enhancing and facilitating the effectiveness and efficiency of border checks at the external borders and combatting illegal immigration, air carriers should continue to collect and store API data so that they can be transferred as soon as the technical impossibility has been resolved. In order to minimise the duration and negative consequences of any technical impossibility, the parties concerned should in such a case immediately inform each other and immediately take all measures necessary to address the technical impossibility. This arrangement should be without prejudice to the obligations under this Regulation of all parties concerned to ensure that the router and their respective systems and infrastructure function properly, as well as to the fact that air carriers are subject to penalties if they fail to meet those obligations, including in cases where they seek to rely on this arrangement where such reliance is not justified. In order to deter such abuse and to facilitate supervision and, where necessary, the imposition of penalties, air carriers that rely on this arrangement on account of the failure of their own system and infrastructure should report thereon to the competent supervisory authority.
(31) Where air carriers maintain direct connections to competent border authorities for the transfer of API data, those connections can constitute appropriate means, ensuring the necessary level of data security, to transfer API data directly to the competent border authorities where it is technically impossible to use the router. Competent border authorities should be able, in the exceptional case of technical impossibility to use the router, to request air carriers to use such appropriate means, which does not imply an obligation on air carriers to maintain or introduce such direct connections or any other appropriate means, ensuring the necessary level of data security, to transfer API data directly to the competent border authorities. The exceptional transfer of API data by any other appropriate means, such as encrypted email or a secure web portal, and excluding the use of non-standard electronic formats, should ensure the necessary level of data security, data quality and data protection. API data received by the competent border authorities by such other appropriate means should be further processed in accordance with the rules and data protection safeguards set out in Regulation (EU) 2016/399 and applicable national law. Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed that the transmission of the API data through the router to the competent border authority has been completed, the competent border authority should immediately delete the API data they previously received by any other appropriate means. That deletion should not affect specific cases where the API data that competent border authorities received by any other appropriate means has meanwhile been further processed in accordance with Regulation (EU) 2016/679 for the specific purposes of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and of combating illegal immigration.
(32) In the interest of ensuring compliance with the fundamental right to protection of personal data, this Regulation should identify the controller and processor and set out rules on audits. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be in line with the generally applicable Union legal acts on the protection of personal data, in particular Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 of the European Parliament and of the Council (15).
(33) Without prejudice to more specific rules laid down in this Regulation for the processing of personal data, Regulation (EU) 2016/679 should apply to the processing of personal data by the Member States and air carriers under this Regulation. Regulation (EU) 2018/1725 should apply to the processing of personal data by eu-LISA when carrying out its responsibilities under this Regulation.
(34) Taking into account the right of passengers to be informed of the processing of their personal data, Member States should ensure that passengers are provided with accurate information about the collection of API data, the transfer of such data to the competent border authorities and their rights as data subjects that is easily accessible and easy to understand, at the moment of booking and at the moment of check-in.
(35) The personal data protection audits that Member States are responsible for should be carried out by the independent supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 or by an auditing body entrusted with this task by the supervisory authority.
(36) The purposes of the processing operations under this Regulation, namely the transmission of API data from air carriers via the router to the competent border authorities of the Member States, are to assist those authorities in the performance of their border management obligations and tasks related to combating illegal immigration. Therefore, Member States should designate authorities to be controllers for the processing of the data in the router, the transmission of the data from the router to the competent border authorities, and the subsequent processing of those data to enhance and facilitate border checks at external borders. Member States should communicate those authorities to the Commission and eu-LISA. For the processing of personal data in the router, Member States should be joint controllers in accordance with Article 26 of Regulation (EU) 2016/679. The air carriers, in turn, should be separate controllers with regard to the processing of API data constituting personal data under this Regulation. On this basis, both the air carriers and the competent border authorities should be separate controllers with regard to the processing operations for API data under this Regulation. As eu-LISA is responsible for the design, development, hosting and technical management of the router, it should be the processor for the processing of API data constituting personal data via the router, including the transmission of the data from the router to the competent border authorities and the storage of those data on the router insofar as such storage is needed for technical purposes.
(37) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities as national API supervision authorities charged with monitoring the application of those rules. Member States can designate their competent border authorities as national API supervision authorities. The rules of this Regulation on such monitoring, including as regards the
(15) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural
persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 unaffected, including in relation to the processing of personal data under this Regulation.
(38) Effective, proportionate and dissuasive penalties, which include financial as well as non-financial penalties, should be provided for by Member States against those air carriers failing to meet their obligations under this Regulation, including on the collection of API data by automated means and the transfer of the data in accordance with the required time frames, formats and protocols. In particular, Member States should ensure that a recurrent failure on the part of air carriers as legal persons to comply with their obligation to transfer any API data to the router in accordance with this Regulation is subject to proportionate financial penalties of up to 2 % of the air carrier’s global turnover of the preceding financial year. In addition, Member States should be able to apply penalties, including financial penalties, to air carriers for other forms of non-compliance with obligations under this Regulation.
(39) When providing for rules on the penalties applicable to air carriers under this Regulation, Member States could take into account the technical and operational feasibility of ensuring complete data accuracy. Additionally, when penalties are imposed, their application and value should be established. National API supervision authorities could take into consideration the actions undertaken by the air carrier to mitigate the issue as well as its level of cooperation with national authorities.
(40) There should be a single governance structure for the purposes of this Regulation and Regulation (EU) 2025/13. With the objective of enabling and fostering communication between the representatives of air carriers and the representatives of Member States authorities competent under this Regulation and under Regulation (EU) 2025/13 to have API data transmitted from the router, two dedicated bodies should be established at the latest two years after the start of operations of the router. Technical matters related to the usage and functioning of the router should be discussed in the API-PNR Contact Group where eu-LISA representatives should be also present. Policy matters, such as in relation to penalties, should be discussed in the API Expert Group.
(41) As this Regulation provides for the establishment of new rules on the collection and transfer of API data for the purpose of enhancing and facilitating the effectiveness and efficiency of border checks at external borders, Directive 2004/82/EC should be repealed.
(42) As the router should be designed, developed, hosted and technically managed by eu-LISA, it is necessary to amend Regulation (EU) 2018/1726 by adding that task to the tasks of eu-LISA. In order to store reports and statistics of the router on the central repository for reporting and statistics (CRRS) established by Regulation (EU) 2019/817 of the European Parliament and of the Council (16), it is necessary to amend that Regulation. In order to support the enforcement of this Regulation by the national API supervision authority, it is necessary that the amendments to Regulation (EU) 2019/817 include provisions on statistics on whether the API data are accurate and complete, for example by indicating whether the data were collected by automated means. It is also important to collect reliable and useful statistics concerning the implementation of this Regulation in order to support its objectives and inform the evaluations under this Regulation. Such statistics should not contain any personal data. Therefore, the CRRS should provide statistics based on API data only for the implementation and effective monitoring of the application of this Regulation. The data that the router automatically transmits to the CRRS to that end should not allow for the identification of the passengers concerned.
(43) In order to increase clarity and legal certainty, to contribute to ensuring data quality, ensuring the responsible use of the automated means for the collection of machine-readable API data under this Regulation and ensuring the manual collection of API data in exceptional circumstances and during the transitional period, to provide clarity on the technical requirements that are applicable to air carriers and that are needed to ensure the API data that they collected under this Regulation are transferred to the router in a secure, effective and swift manner, and to ensure that inaccurate or incomplete data or data that are no longer up to date are corrected, completed or updated, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission to terminate the transitional period for the manual collection of API data; to adopt measures relating to the technical requirements and operational rules with which air carriers should comply with regard to the use of automated means for the collection of machine-readable API data under this Regulation, for the manual collection of API data in exceptional circumstances, and for the collection of API data during the
(16) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for
interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27).
| transitional period, including on requirements for data security; to lay down detailed rules on the common protocols and supported data formats to be used for the encrypted transfer of API data by air carriers, including requirements for data security; and to lay down rules on correcting, completing and updating API data. It is of particular importance that the Commission carry out appropriate consultations with relevant stakeholders, including air carriers, during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (17). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Taking into account the state of the art, those technical requirements and operational rules might change over time. | |
| (44) | In order to ensure uniform conditions for the implementation of this Regulation, namely as regards the start of operations of the router; the technical and procedural rules for the data verifications and notifications; the technical and procedural rules for the transmission of API data from the router to the competent border authorities in a way that ensures that the transmission is secure, effective and swift and impacts passengers’ travel and air carriers no more than necessary, and the competent border authorities’ and air carriers’ connections to and integration with the router, and to specify the responsibilities of the Member States as joint controllers, such as regards the identification and management of security incidents, including of personal data breaches, and the relationship between the joint controllers and eu-LISA as the processor, including the assistance of eu-LISA to the controllers with appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of the controller’s obligations to respond to requests for exercising the data subject’s rights, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (18). |
| (45) | All interested parties, and in particular the air carriers and the competent border authorities, should be afforded sufficient time to make the preparations necessary to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can be finalised only when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date on which the router starts operations, as specified by the Commission in accordance with this Regulation and Regulation (EU) 2025/13. However, it should be possible for the Commission to adopt delegated and implementing acts under this Regulation already from an earlier date, so as to ensure that the system set up by this Regulation is operational as soon as possible. |
| (46) | The design and development phases of the router established under this Regulation and Regulation (EU) 2025/13 should be commenced and completed as soon as possible so that the router can start operations as soon as possible, which also requires the adoption of the relevant delegated and implementing acts provided for by this Regulation. For the smooth and effective development of those phases, a dedicated Programme Management Board should be established with the function to supervise eu-LISA on fulfilling its tasks during those phases. It should cease to exist two years after the router has started its operations. In addition, a dedicated advisory body, the API-PNR Advisory Group, should be created in accordance with Regulation (EU) 2018/1726, with the objective of providing expertise to eu-LISA and to the Programme Management Board on the design and development phases of the router, as well as to eu-LISA on the hosting and management of the router. The Programme Management Board and the API-PNR Advisory Group should be established and operated following the models of existing programme management boards and advisory groups. |
| (47) | This Regulation should be subject to regular evaluations to ensure the monitoring of its effective application. In particular, the collection of API data should not be to the detriment of the travel experience of legitimate passengers. Therefore, the Commission should include in its regular evaluation reports on the application of this Regulation an assessment of the impact of this Regulation on the travel experience of legitimate passengers. The evaluation should also include an assessment of the quality of the data sent by the router, as well as the performance of the router in respect of the competent border authorities. |
| (17) (18) | OJ L 123, 12.5.2016, p. 1. Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). |
(48) The clarification provided by this Regulation regarding the application of specifications concerning the use of automated means in application of Directive 2004/82/EC should also be provided without delay. Therefore, the provisions on those matters should apply from the date of the entry into force of this Regulation. In addition, in order to allow for the voluntary use of the router as soon as possible, the provisions on such use, as well as certain other provisions needed to ensure that such use takes place in a responsible manner, should apply from the earliest possible moment, that is, from the moment at which the router starts operations.
(49) Given that this Regulation requires additional adjustment and administrative costs by air carriers, the overall regulatory burden for the aviation sector should be kept under close review. Against this backdrop, the report evaluating the functioning of this Regulation should assess the extent to which the objectives of this Regulation have been met and the extent to which it has had an impact on the competitiveness of the sector.
(50) This Regulation is without prejudice to the competences of Member States with regard to national law concerning national security, provided that such law complies with Union law.
(51) This Regulation is without prejudice to the competence of Member States to collect, under their national law, passenger data from transportation providers other than those specified in this Regulation, provided that such national law complies with Union law.
(52) Since the objectives of this Regulation, namely enhancing and facilitating the effectiveness and efficiency of border checks at external borders and combating illegal immigration, relate to matters that are inherently of a cross-border nature, they cannot be sufficiently achieved by the Member States individually, but can rather be better achieved at Union level. The Union may therefore adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
(53) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.
(54) Ireland is taking part in this Regulation, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union, annexed to the TEU and to the TFEU, and Article 6(2) of Council Decision 2002/192/EC (19).
(55) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters’ association with the implementation, application and development of the Schengen acquis (20), which fall within the area referred to in Article 1, point A, of Council Decision 1999/437/EC (21).
(56) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (22), which fall within the area referred to in Article 1, point A, of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (23).
(57) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association
(19) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).
(20) OJ L 176, 10.7.1999, p. 36.
(21) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).
(22) OJ L 53, 27.2.2008, p. 52.
(23) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).
with the implementation, application and development of the Schengen acquis (24) which fall within the area referred to in Article 1, point A, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (25).
(58) As regards Cyprus, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(1) of the 2003 Act of Accession.
(59) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 8 February 2023 (26).