2004, as regards the use of digital travel credentials

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier	COM(2024)670 - Application for the electronic submission of travel data (“EU Digital Travel application”) and amending Regulations (EU) ...
document	COM(2024)670
date	October 8, 2024

(1) The carrying out of effective and efficient border checks at the external borders contributes to the proper functioning of the area without internal border controls (‘the Schengen area’) and the internal security of the Union. The inclusion in travel documents issued by Member States of a storage medium (chip), with a facial image of the holder, by Council Regulation (EC) 2252/2004 ³¹ and Regulation (EU) 2019/1157 ³², and the entry into force of Regulation (EC) No 562/2006 of the European Parliament and of the Council ³³ have significantly contributed to high security standards and robust external border management. Border checks carried out in accordance with Regulation (EU) 2016/399 of the European Parliament and of the Council ³⁴, serve the purposes of reliably identifying travellers, preventing threats to the internal security, public policy, public health and international relations of Member States as well as combatting irregular migration while respecting fundamental rights.

(2) With the current reliance on physical travel documents and physical interactions for the examination of travel documents and the carrying out of border checks, Member States’ border authorities are unable to remotely verify the authenticity and integrity of travel documents and to carry out the relevant checks against databases before travellers arrive at the physical border crossing point, with the exception of air passengers for whom advance passenger information has been transmitted and processed. In light of increasing traveller flows across the external borders of the Schengen area as well as the entry into operation of the Entry/Exit System established by Regulation (EU) 2017/2226 of the European Parliament and of the Council ³⁵ that will require third-country nationals to whom it applies to provide additional data as part of border checks, it is essential to enable border authorities to use secure technical solutions to carry out relevant checks before travellers arrive at the border-crossing points.

(3) The existing legal framework on travel documents and border checks, consisting notably of Regulations (EC) No 2252/2004, (EU) XXXX/XXXX ³⁶[COM(2024) 316 final] and (EU) 2016/399, does not allow for the use of data contained in the storage medium of travel documents for the purpose of carrying out such advance border checks and pre-clearing travellers or using that data for other purposes. Following recent developments at international level, namely in the context of standardisation work carried out by the International Civil Aviation Organization (ICAO), and on the capabilities and reliability of facial recognition, that technology is available and responds to the calls for facilitating cross-border travel while ensuring high levels of security in full respect of fundamental rights, including the right to privacy and the protection of personal data.

(4) Therefore, the existing legal framework should be updated to ensure that both travellers and border authorities can benefit from more efficient and effective border checks using so-called digital travel credentials, that is, a digital representation of the person’s identity that is derived from the information stored in the storage medium (chip) of the travel document (i.e. passport or EU identity card) and that can be validated, leading ultimately to shorter waiting and processing times at border-crossing points and improving the authorities’ ability to pre-screen travellers, plan and manage resources and focus on higher risk travellers.

(5) In order to achieve its objectives, this Regulation should cover persons enjoying the right of free movement under Union law as well as third-country nationals.

(6) In the interest of achieving a uniform approach at Union level and maximising gains in travel facilitation and economies of scale, a common technical solution for the submission of electronic travel data should be established, as opposed to each Member State developing their own. This application for the electronic submission of travel data (‘the EU Digital Travel application’) should consist of a user-friendly mobile application, a backend validation service that can verify the authenticity and integrity of travel documents and match the facial image of the user to the image stored on the travel document’s chip and a technical component for the secure communication of travel data from the application to the receiving authority (‘Traveller Router’). In the longer term, the EU Digital Travel application should be developed with new functionalities with a view to establishing a comprehensive one-stop shop application at Union level to support external border management.

(7) The EU Digital Travel application should allow travellers to create a digital travel credential for single or multiple use and to retrieve of an already created digital travel credential. For reasons of security and for combatting identity fraud, the EU Digital Travel application backend validation service should be able to verify, before the creation of the digital travel credential, the authenticity and integrity of the travel document and verify that the user is the legitimate holder of the travel document by comparing the facial image stored on the chip of the travel document to the user’s live facial image. Digital travel credentials to be used several times should be able to be stored in the user’s European Digital Identity Wallet that complies with Regulation (EU) No 910/2014 of the European Parliament and of the Council³⁷. Persons not having a European Digital Identity Wallet established by that Regulation should be able to store the digital travel credential locally in the mobile application.

(8) In order to support the carrying out of advance border checks on persons enjoying the right of free movement under Union law when these apply to them and the pre-clearance of third-country nationals, travellers using digital travel credentials should also declare certain relevant travel data, such as the intended time of crossing the border and the Member State in which the external border is crossed. Such data should be limited to what is necessary for the purpose of carrying out the border check, including for the purposes of supporting the verification of the fulfilment of entry conditions.

(9) The Traveller Router should transmit the travel data submitted by the traveller to the border authorities for the advance border check and pre-clearance. Consequently, Member States should be obliged to designate the border authorities authorised to receive such data.

(10) The creation, submission and use of digital travel credentials for the purpose of carrying out border checks impacts the right to privacy and the protection of personal data. In order to fully respect the fundamental rights of travellers, adequate limits and safeguards should be in place. Any data that is submitted by travellers to border authorities ahead of travel, and in particular personal data, should be limited to what is necessary and proportionate to the objectives of increasing security, facilitating travel and ensuring the well-functioning of the Schengen area pursued by this Regulation. It should be guaranteed that the processing of data under this Regulation does not lead to any form of discrimination. No personal data should be stored at EU level beyond the stage that is necessary for its submission to the border authority.

(11) Travellers should be free to choose whether they use a digital travel credential or a physical travel document for the purpose of undergoing border checks and should be able to withdraw their consent for the processing of their personal data at any time without it affecting the eligibility to cross external borders. Any processing of personal data under this Regulation should be carried out in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council ³⁸ and Regulation (EU) 2018/1725 of the European Parliament and of the Council ³⁹, within their respective scope of application.

(12) In the interest of ensuring compliance with the fundamental right to privacy and the protection of personal data and to promote legal clarity, the controller and processor should be identified. To ensure adequate safeguards and security, all communication between the Traveller Router and the competent authority should be protected by strong encryption methods so that any potential data breaches would not involve the disclosure of data that can be traced back to a person. Member States should also provide adequate training, covering data security and data protection aspects, to border authorities before they can process data transmitted through the EU Digital Travel application.

(13) The European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) established by Regulation (EU) 2018/1726 of the European Parliament and of the Council ⁴⁰ should be responsible for the development and maintenance of the EU Digital Travel application. Consequently, eu-LISA should put in place the necessary measures for the operational management of the EU Digital Travel application, including for the development, monitoring and reporting of the system. Before the start of operation of the EU Digital Travel application, a test should be carried out in accordance with the technical specifications by eu-LISA in cooperation with the relevant authorities. eu-LISA should also collect statistics on the use of the EU Digital Travel application.

(14) While eu-LISA should be responsible for the overall development, operation and maintenance of the EU Digital Travel application, including the Traveller Router that transmits the travel data to the competent authorities, each Member State should be responsible for ensuring, at national level, a secure connection in its national system in order to receive the travel data, including the development, operation and maintenance of that connection. Member States should also be responsible for the management and arrangements for access of duly authorised staff of border authorities to the travel data.

(15) In order to increase public awareness of digital travel credentials and to promote the uptake of their use, the Commission should, together with eu-LISA, the European Border and Coast Guard Agency and national border authorities carry out information campaigns on the objectives, use and other important aspects, including on data protection and data security, of the EU Digital Travel application.

(16) In view of the Union interests at stake, the costs incurred by eu-LISA for the performance of its tasks under this Regulation and Regulation (EU) 2018/1726 in respect of the development, operation, maintenance and overall management of the EU Digital Travel application should be borne by the Union budget. Member States should remain liable for the costs incurred at national level for developing, operating and maintaining the secure connection for the reception of the travel data transmitted via the Traveller Router.

(17) eu-LISA should regularly report on the progress of the design and development of the EU Digital Travel application to the European Parliament and to the Council, including on costs, financial impacts and any possible technical problems and risks that may arise. A separate report should be submitted to the European Parliament and the Council once the development of the EU Digital Travel application is finalised.

(18) As the EU Digital Travel application should be designed, developed, hosted and technically managed by eu-LISA, it is necessary to amend Regulation (EU) 2018/1726 by adding the necessary tasks.

(19) In order to establish the Union standard specification for digital travel credentials based on travel documents, it is necessary to amend Regulation (EC) No 2252/2004. To boost the uptake of digital travel credentials, when applying for or renewing a travel document, applicants should be allowed to request that the competent authority issues, together with the physical document, a corresponding digital travel credential. Holders of valid travel documents should also be able to create a digital travel credential based on their existing physical travel document. The digital travel credentials should also be storable in the European Digital Identity Wallet.

(20) In order to ensure a consistent approach at international level and global interoperability of digital travel credentials, the updated legal framework should as far as possible be based on the relevant international standards and practices agreed upon in the framework of ICAO.

(21) While the use of digital travel credentials should be voluntary for travellers, in order to achieve the objectives of increasing security throughout the Schengen area, of facilitating travel and of reaching a minimum level of digital maturity among all Member States in the area of border management, all Member States should be obliged to allow travellers to use digital travel credentials for the purpose of crossing external borders once the EU Digital Travel application is operational. Before that, Member States may develop national solutions for the use of digital travel credentials, in accordance with the uniform format, for the purpose of border checks.

(22) To further speed up processes and reduce overall time spent at border-crossing points, third-country nationals subject to the Entry/Exit System should be allowed to use the EU Digital Travel application for pre-enrolling certain data required for the border-crossing. For third-country nationals whose data are not yet recorded in the Entry/Exit system, as an alternative to being referred to a border guard for the physical verification of identity, Member States should be allowed to use effective and proportionate technical measures, including self-service systems and e-gates, for the verification of identity as long as physical verifications are performed at random and as long as the alternative verification is not based solely on the EU Digital Travel application.

(23) The Commission should, five years after the start of operations of the EU Digital Travel application, carry out an evaluation of that application and its use and prepare a report, including recommendations, to be submitted to the European Parliament, the Council, the European Data Protection Supervisor and the European Union Agency for Fundamental Rights. The evaluation and report should consider how the objectives of this regulation have been met and how, if at all, fundamental rights have been impacted.

(24) In order to ensure uniform conditions for the implementation of this Regulation, as regards the technical standard for digital travel credentials, the technical architecture and technical specifications for the EU Digital Travel application and its testing, the collection of statistics as well as the start of operations of the EU Digital Travel application and how checks are done on travel documents and digital travel credentials, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council ⁴¹.

(25) This Regulation should not affect the possibility to provide, under Union or national law, for the use of digital travel credentials for other purposes than the carrying out of border checks, provided that such national law complies with Union law.

(26) Since the objectives of this Regulation, notably increasing security and facilitating travel in the context of external border management cannot be sufficiently achieved by the Member States, but can rather, by reason of their inherently cross-border nature, be better achieved at Union level, the Union may therefore adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on the European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(27) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

(28) This Regulation does not constitute a development of the provisions of the Schengen acquis in which Ireland takes part in accordance with Council Decision 2002/192/EC ⁴²; Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(29) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latter’s association with the implementation, application and development of the Schengen acquis ⁴³ which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC ⁴⁴.

(30) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis⁴⁵ which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC ⁴⁶.

(31) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis⁴⁷ which fall within the area referred to in Article 1, point A, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU ⁴⁸.

(32) As regards Cyprus, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(1) of the 2003 Act of Accession.

(33) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on [XX]⁴⁹.