This document is an excerpt from the EUR-Lex website

Document 52023AE0256

Opinion of the European Economic and Social Committee on the proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC (COM(2022) 729 final) and on the proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818 (COM(2022) 731 final)

EESC 2023/00256

OJ C 228, 29.6.2023, p. 97–102 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

29.6.2023   

EN

Official Journal of the European Union

C 228/97


Opinion of the European Economic and Social Committee on the proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC

(COM(2022) 729 final)

and on the proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818

(COM(2022) 731 final)

(2023/C 228/13)

Rapporteur: Tymoteusz Adam ZYCH

Referral: European Commission, 8.2.2023

Legal basis: Article 77(2)(b) and (d) and Article 79(2)(c) of the Treaty on the Functioning of the European Union (TFEU)

Section responsible: Employment, Social Affairs and Citizenship

Adopted in section: 3.4.2023

Adopted at plenary: 27.4.2023

Plenary session No: 578

Outcome of vote (for/against/abstentions): 137/0/0

1.   Conclusions and recommendations

1.1.

The European Economic and Social Committee (EESC) welcomes the European Commission’s proposals on advance passenger information (1), considering the need for effective collection and transfer of API and passenger name records (PNR) data for border management purposes and for combatting illegal immigration, as well as for security reasons, including the need to prevent and combat terrorism and serious crime.

1.2.

The EESC is convinced that as long as API and PNR data remain the subject of the current Directives (API Directive (2) and PNR Directive (3)), there will be undesirable differences in their implementation at national level.

1.3.

In order to harmonise the implementation of such Directives, as well as to increase the efficiency of API and PNR data collection and transfer, the Regulations are necessary since they will eliminate differences resulting from varied practices of Member States (MS); increase legal certainty; accelerate passenger flow; and reduce administrative difficulties for air carriers.

1.4.

The EESC emphasises the importance of the Charter of Fundamental Rights (the Charter) when applying the proposed Regulations. The rights of vulnerable groups, especially disabled persons, should be carefully taken into consideration.

1.5.

An important argument in favour of adopting the proposals is the fact that the current API and PNR Directives are subject to criticism due to their non-compliance with current data protection standards.

1.6.

The EESC recognises the necessity of incurring costs generated by eu-LISA in relation to the design, development, hosting and technical management of the router, to be borne by the general budget of the EU, as well as the costs incurred by MS in relation to their connection to and integration with the router.

1.7.

However, the EESC notes that the proposed Regulations introduce significant legal changes, in addition to the far-reaching modifications of the currently functioning system from the technical side. Therefore the new API and PNR frameworks require continuous and thorough monitoring, carried out not only at MS level but also at those of the Commission, air carriers and competent authorities, as well as by eu-LISA, especially in the context of personal data. For this reason, the EESC highlights that there is a strong need to organise an information campaign on the new legislation, as well as training for air carriers. More frequent audits are also suggested, as well as the consideration of additional procedures for monitoring the functioning of the new frameworks for collecting and transmitting API and PNR data.

1.8.

The EESC is aware that the scope of the proposals does not cover all passengers crossing the external borders of the EU. However, having regard to the principle of proportionality and to the specificity of air travel, limiting the proposals to air travel seems justified at this stage. When the Regulations are subject to an ex post impact assessment, it is suggested that the Commission assess the need to broaden the scope to other modes of transport, in particular maritime.

1.9.

In addition, the EESC understands the concerns related to the practical application of the provisions set out in the proposals. It suggests further clarifying the norms on penalties imposed on private operators in the aviation industry. Taking into account the fact that it is impossible in practice to ensure full accuracy of API data, it is also proposed that a ‘threshold of tolerance’ at EU level be considered for errors in collecting and transferring the data, and that it be made clear that penalties are imposed on non-cooperative carriers, or imposed only where the minimum acceptable quality level for API data (as defined at EU level) is not achieved.

2.   Introduction

2.1.

The focus of this opinion is mainly on the proposed Regulation regarding the collection and transfer of API data for border management (4), and it briefly examines the second proposed Regulation on the collection and transfer of API in the context of serious crime and terrorist offences (5) in paragraph 7 below, which applies to PNR data due to planned changes to API data.

2.2.

The proposed Regulations apply to air transport only, excluding other means of transport, such as travel by sea or overland. The proposals apply to both charter and business flights.

2.3.

The proposed Regulations will repeal the existing API Directive. Once adopted, they will become part of the Schengen acquis.

3.   General remarks

3.1.

The EESC recognises the fact that, owing to the increase in the popularity of air travel, existing passenger service systems are insufficiently effective and need to be improved, particularly to ensure a smooth flow of passengers. In 2019, the International Civil Aviation Organisation reported that 4,5 billion passengers travelled by air on scheduled services, with over half a billion passengers entering or leaving the EU every year. Neither the COVID-19 pandemic nor Russia’s invasion of Ukraine has changed this situation, which makes it necessary to look for innovative solutions to speed up and improve the process of border control. Despite the collapse in air traffic that occurred in 2020-2021 due to the pandemic, air travel is recovering.

3.2.

On the other hand, the EESC is aware of the fact that, regardless of the efficiency of checks and the speed of the process of servicing air passengers, effective instruments are needed to counteract the phenomenon of illegal immigration, as well as to secure the EU’s borders.

3.3.

In the EESC’s view, the use of automatic data collection systems can have significant advantages, including increasing efficiency, technological development, improving quality, and accelerating the acquisition of data.

3.4.

As with every innovative technology, the automation of data collection and transfer also entails risks and complex policy challenges in areas such as security, safety and monitoring, socioeconomic aspects, ethics and privacy, reliability, etc.

3.5.

API data is a set of identity information on passengers contained in their travel documents, combined with flight information collected at check-in, and then transferred to the border authorities of the country of destination. API information includes biographic data of the passenger, ideally captured from the Machine Readable Zone of their travel documents, as well as some information related to their flight.

3.6.

The API collection and transfer system relies on delivering to competent authorities API data in advance of a flight’s arrival, so that these authorities can perform advance screening, in accordance with the applicable legislation, of travellers against risk profiles, watchlists and databases.

3.7.

The EESC is aware that the present Directive imposes an obligation on air carriers to transfer API data, upon request, to the border authorities of the country of destination prior to the flight’s take-off; however, it does not impose an obligation on MS to request API data from air carriers. As a result, MS authorities act inconsistently: some request API, others do not. According to the Explanatory Memorandum, it is estimated that API data is collected on 65 % of inbound flights, and therefore in practice it is easy to bypass controls and checks. Moreover, as noted in the evaluation of the API Directive by the Commission (6), even where MS request API data, their national authorities do not always use the data in a consistent way.

3.8.

The EESC is aware of the weaknesses of the current system established under the Directive. As the evaluation showed, the lack of standardisation and harmonisation leads to a diminishing of the benefits of processing API data, creating a burden on stakeholders and generating a certain level of legal uncertainty.

3.9.

The EESC also sees a potential threat for employees in the aviation industry, arising from the use of automatic data collection systems. Therefore, the EESC sees a need to organise training for such employees, which could help address the potential problems as a result of implementing the proposed Regulations.

3.10.

However, the EESC notes that the proposed Regulation on border management should not have a negative impact on the level of employment and the situation of employees, but only result in increased efficiency and reliability of data collection and transfer methods which are already implemented using automated procedures.

4.   The need for the new API Regulation to enhance and facilitate border controls

4.1.

Experiences related to the application and evaluation of the current Directive have revealed numerous shortcomings in the current system, including inefficiency, cost-intensiveness and formal and administrative difficulties for carriers. In addition, some provisions of the Directive are unclear, cause doubts in interpretation and discrepancies in their application in MS, as well as inconsistencies with other provisions of EU law.

4.2.

The key shortcomings of the present Directive should be indicated:

today, air carriers are obliged to understand and adapt to the national API information transfer systems of individual MS;

at present, carriers are in some cases obliged to send the same data to different authorities;

currently, the number and type of data elements required by responsible authorities also vary across MS;

Article 3(2) of the Directive provides a non-exhaustive list of data elements, and this list is not in line with international standards;

Article 6(1) of the Directive allows data transmission ‘electronically or, in case of failure, by any other appropriate means’, which does not mandate a specific messaging protocol and format. This results in an additional burden for carriers (e.g. by complying with the varied formats required by responsible authorities for transmission of data), but has also an effect on the timeliness and quality of API data and hence impacts its usefulness;

the operational procedures for capturing, transmitting, processing and analysing API data vary across MS in terms of methods, timing, format and frequency of transmission;

the Directive does not itself lay down detailed safeguards for the protection of personal data (with the exception of Article 6(1), which provides that, for border control and migration purposes, authorities must delete API data within 24 hours after transmission), while analogous provisions of other legal acts, such as the EES (chapter VII Articles 51-59), ETIAS (chapter XII data protection Articles 59-70) and PNR (Articles 12 and 13) include more detailed provisions on data protection.

4.3.

An important argument in favour of adopting the proposed Regulation is also the fact that the Directive is subject to criticism due to its non-compliance with current data protection standards. First of all, the Directive raises the following doubts:

the list of API data required from air carriers is not exhaustive, which is against the principle of data minimisation;

the purpose of API data collection (either for border control and/or law enforcement purposes) is unclear;

from the perspective of border control requirements, the 24-hour data retention limit is too short and impractical;

rules on data retention and subsequent use are not sufficiently defined and clear.

4.4.

To counteract the identified shortcomings, the proposed Regulation assumes the creation of a central API router in order to enhance pre-checks at the relevant external borders with high quality and complete API data and facilitate the flow of travellers.

5.   The scope and level of the Regulation

5.1.

Considering the above findings, the EESC finds that the introduction of a uniform system at EU level for all MS will allow, among other things, the development of a ‘single window approach’, i.e. centralising the process of collecting all data coming from carriers and further transferring it to relevant authorities. A unified system would improve the quality of the data obtained and allow the entire process to be fully automated, reducing costs on the part of public entities, carriers, and the travellers themselves.

5.2.

The proposed Regulation serves to unify and simplify the procedure for collecting and transferring API data, which is beneficial not only from the point of view of MS authorities, but above all from the point of view of the aviation industry, although it will oblige them to collect and transfer API data for all flights into the EU. Nevertheless, the proposed Regulation will bring legal certainty and foreseeability, and therefore also increased compliance by air carriers.

5.3.

The EESC believes that, in order to guarantee what the API Directive has aimed for, the objectives of the Directive are better served by having the proposed Regulation. It is unlikely that the benefits derived from the implementation of API systems by implementing countries would have been achieved without EU intervention. In short, the idea behind the proposed Regulation is the belief that the lack of harmonisation in the implementation of the Directive is an obstacle to its effectiveness and coherence.

5.4.

The EESC also notes the need to amend the Directive due to the passage of time since its entry into force, particularly in light of the development of information technologies since 2004. According to the proposed Regulation, the new system will be fully compatible with the solutions already in use, i.e. the Schengen Information System (SIS), the Visa Information System (VIS), the Eurodac system, the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the centralised system for the identification of MS holding information on convictions of third-country nationals and stateless persons (ECRIS-TCN system).

6.   The efficiency of the proposed solutions

6.1.

The EESC supports the adoption of solutions that will ensure effective external border controls and a coherent approach across the entire Schengen area, including in relation to the possibility of pre-checks of travellers using API data.

6.2.

However, regardless of the general support for the proposed Regulation, the EESC is concerned about the risks of abuse related to the centralisation of the collection process and API data transfer, including in particular personal data. These fears are also justified by the fact that the router through which the data will be transmitted is still in the planning phase — the task of its design, construction, development, management and technical maintenance was delegated to the eu-LISA agency.

6.3.

The EESC acknowledges that the adoption of the proposed Regulation will have an impact on the budget and staff needs of eu-LISA and the competent border authorities of MS. It is estimated that the additional costs will include EUR 45 million (33 million under current MFF) to set up the router and EUR 9 million per year from 2029 onwards for the technical management thereof, and about EUR 27 million for MS — and this will be borne by the EU budget.

6.4.

The EESC appreciates the precise and comprehensive specification of the data included in API data (defined in Article 4(2) and (3) of the proposal) for enhancing and facilitating external border controls.

6.5.

The EESC emphasises that the proposed Regulation allows the Commission to clarify numerous detailed issues, especially technical ones, by means of delegated acts issued later. Therefore, the final assessment of the proposed Regulation depends on the detailed provisions issued in the future, as well as the quality of the adopted technical solutions.

6.6.

As a consequence, the EESC is obliged to highlight security concerns relating to data protection. From the EESC’s viewpoint, effective data protection especially needs to be looked at in the context of the protection of fundamental rights, in particular the right to privacy and the right to the protection of personal data, which includes the right to information on the acquisition, storage and processing of personal data. Therefore, the EESC fully endorses a new obligation to carry out regular personal data protection audits. At the same time, the EESC suggests considering whether the relevant national data protection authorities should ensure that the processing of API data constituting personal data is audited more frequently than once every four years.

6.7.

In order to ensure the best performance of the router, it is necessary to ensure cooperation between eu-LISA, MS, and air carriers. Consequently, eu-LISA’s obligation to provide training to those interested in the technical use of the router is a positive step.

6.8.

The EESC, guided by the principle of proportionality and concern for maximum protection of personal data, supports the exclusion from the statistical obligation of data such as nationality, gender and date of birth.

7.   The importance of the PNR Regulation (the second proposed Regulation)

7.1.

The EESC sees the second of the proposed Regulations as a necessary and consistent modification of the system for collecting and transmitting PNR data in connection with the reform of API data.

7.2.

As a consequence, the unification of the system through the adoption of both Regulations at EU level and the creation of a router managed by eu-LISA will also increase security through a more effective identification process for high-risk travellers, and confirm the travel pattern of individuals under suspicion.

8.   The cost of the Regulations

8.1.

The EESC concludes that the adoption of the proposed Regulations will generate costs on the part of the EU budget, expenses for MS, and also investment needs on the part of the aviation industry (estimated at approx. EUR 75 million, according to the impact assessment), but that on balance the benefits will outweigh the costs, because those costs will be compensated by the rationalised and centralised approach to transmitting the information to competent national authorities.

8.2.

The proposed Regulations reduce operating costs and also the penalties usually imposed for poor or missing travel data. Moreover, the entry into force of the Regulations will improve the surveillance of border crossings, the work of airport services and national border authorities, and will also contribute to improving security and counteracting illegal immigration. Taking into account all of the above, the EESC considers the proposed Regulations to be justified in the light of the positive cost-benefit analysis, as stated in the Commission’s impact assessment.

9.   Specific comments

9.1.

The Committee emphasises the importance of the Charter in the process of application of the proposed Regulation, with special respect to vulnerable groups, including disabled persons. The case law of the Court of Justice of the European Union (CJEU) and the context of currently pending cases should be taken into consideration in this respect.

9.2.

CJEU case law is of particular importance for the new rules on collecting and transferring PNR data within the proposed institutional framework, in particular the ruling in Case C-817/19. The EESC also suggests that the terminology of both proposals should take into account the established CJEU case law.

9.3.

As noted in paragraph 1.6 above, the EESC considers the scope justified at this stage. However, when the Regulations are subject to an ex post impact assessment, it is suggested that the Commission assess the need to broaden the scope to other modes of transport, in particular maritime. In such an assessment, factors such as the specificity of each mode of transport, the administrative burden imposed on carriers, and the efficiency and effectiveness of securing the EU’s borders should be taken into account.

9.4.

As noted in paragraph 1.7 above, the EESC suggests further clarification regarding penalties imposed on private operators in the aviation industry, that a ‘threshold of tolerance’ at the EU level be considered for errors in data collection and transfer, and that penalties only be imposed under certain conditions.

9.5.

The EESC points out that the entry into force of the proposed Regulations should be accompanied by a broad information campaign, which could help communicate their aims to the public and reduce the likelihood of unforeseen circumstances when implementing the new provisions.

Brussels, 27 April 2023.

The President of the European Economic and Social Committee

Oliver RÖPKE


(1)  There are two proposals: (a) proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC; and (b) proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818.

(2)  Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ L 261, 6.8.2004, p. 24).

(3)  Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132).

(4)  COM(2022) 729 final.

(5)  COM(2022) 731 final.

(6)  European Commission, Staff Working Document, Evaluation of the Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (API Directive), Brussels, 8.9.2020, SWD(2020)174 final.

