Summary of the Opinion of the European Data Protection Supervisor on the proposals for Regulations on the collection and transfer of advance passenger information (API)

(2023/C 84/02)

(The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)

On 13 December 2022 the European Commission issued two legislative proposals on the collection and transfer of advance passenger information (‘API’): a proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for enhancing and facilitating external border controls (‘API Border management proposal’), and a proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘API Law enforcement proposal’) (together ‘the proposals’).

The objective of the API Border management proposal is enhancing and facilitating the effectiveness and efficiency of border checks at external borders and combating illegal immigration, and replacing the existing Council Directive 2004/82/EC (1) (‘API Directive’). The objective of the API Law enforcement proposal is to lay down better rules for the collection and transfer of API data by air carriers for the purpose of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime, complementing the existing Directive (EU) 2016/681 of the European Parliament and of the Council (2) (‘PNR Directive’).

Taking into account that the data processing operations that would result from the proposals correspond to or complement already existing data processing operations provided for in Union law, the Opinion focuses primarily on the necessity and proportionality of the envisaged processing of API data from intra-EU flights and its compatibility with the PNR Directive as interpreted by the CJEU judgment in Case C-817/19 (3).

While the EDPS considers the proposed solution for intra-EU flights broadly sufficient to ensure compliance with the CJEU judgment on Article 2 of the PNR Directive, he nevertheless invites the co-legislators to consider the development of harmonised criteria for the selection of intra-EU flights, from which API data should be collected, in line with the conditions spelled out by the Court. Furthermore, the EDPS recommends further strengthening of the security of processing of API data in the router with additional safeguards, such as pseudonymisation and/or encryption of the API data, if technically and operationally feasible.

The Opinion also provides other specific recommendations, such as the need to explicitly clarify in the proposals that in case of technical impossibility of the router to transmit the API data transferred by the air carriers to the competent national authorities, the data should be automatically deleted.

1. INTRODUCTION

On 13 December 2022 the European Commission issued two legislative proposals on the collection and transfer of advance passenger information (‘the proposals’):

—

a proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC (4),

—	a proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818 (5).

2.	The objective of the API Border management proposal is enhancing and facilitating the effectiveness and efficiency of border checks at external borders and combating illegal immigration (6), thus replacing the existing Directive 2004/82/EC.

The objective of the API Law enforcement proposal is to lay down better rules for the collection and transfer of API data by air carriers for the purpose of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime (7), complementing the existing Directive (EU) 2016/681.

The proposals are consistent with the Schengen Strategy of June 2021, presented in the Commission Communication ‘A strategy towards a fully functioning and resilient Schengen area’ which specifically underlined the need for an increased use of API data in combination with PNR data to significantly enhance internal security, in compliance with the fundamental right to the protection of personal data and the fundamental right to freedom of movement (8). Moreover, at international level, the United Nations’ Security Council and the Organization for Security and Co-operation in Europe (OSCE) also repeatedly called for the establishment and global rollout of API and PNR systems for law enforcement purposes (9).

The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 14 December 2022 pursuant to Article 42(1) of EUDPR (10). The EDPS welcomes the reference to this consultation in recital 44 of the API Border management proposal and recital 29 of the API Law enforcement proposal. In this regard, the EDPS also positively notes that he has already been informally consulted on the proposals pursuant to recital 60 of EUDPR.

6.	In view of the close alignment between the proposals (11), including the numerous cross-referencing between them, it seems most appropriate for the EDPS to assess them in a single Opinion.

9. CONCLUSIONS

45.

In light of the above, the EDPS recommends to the co-legislators to:

(1)	consider the development of harmonised criteria and methodology for the selection of intra-EU flights, from which API data should be collected;

(2)

provide for specific measures in API Law enforcement proposal ensuring the security of API data processed for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, or, alternatively, refer to the relevant rules on security in the API Border management proposal;

(3)	clarify in Article 12 of the API Border management proposal that in cases of technical impossibility of the router to subsequently transmit the API data to the competent national authorities, the data should be automatically deleted;

(4)	to clarify in the API Border management proposal the allocation of the obligation to transfer API data in cases where the flight is code-shared between several air carriers.

Brussels, 8 February 2023.

Wojciech Rafał WIEWIÓROWSKI

(1) Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ L 261, 6.8.2004, p. 24).

(2) Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132).

(3) ECLI:EU:C:2022:491

(4) COM(2022) 729 final.

(5) COM(2022) 731 final.

(6) See Article 1 of API Border management proposal.

(7) COM(2022) 731 final, Explanatory memorandum to the API Law enforcement proposal, page 3.

(8) COM(2021) 277 final.

(9) UN Security Council resolutions 2178 (2014), 2309 (2016), 2396 (2017), 2482 (2019), and OSCE Ministerial Council Decision 6/16 of 9 December 2016 on Enhancing the use of Advance Passenger Information.

(10) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(11) See recital 11 of API Law enforcement proposal.