Questions and Answers - Revised rules on Advance Passenger Information
What is Advance Passenger Information (API)?
API data is biographic information on passengers, as contained in travel documents, collected by air carriers during check-in and complemented with travel route information. API data usually contains information which allows to confirm of the identity of passengers.
How is API data collected?
API data is collected by air carriers at the moment of check-in (online or at the airport). This data is stored in the air carriers systems and generally sent to competent border authorities as a complete ‘passenger list manifest' containing all passengers on board at departure of the plane.
How will API data be transferred to national authorities?
API data will be transmitted by air carriers to a router. This device will receive and immediately transmit the information to the relevant competent national authorities (border authorities and passenger information units) of Member States. This will replace the current system comprised of multiple connections between air carriers and national authorities, improving the data flow and facilitating the transfer of information.
Why is the Commission proposing a revision of the EU rules on advance passenger information?
Every year, over a billion passengers enter or leave, or travel within the EU. This puts a strain on the external air borders of the EU as all travellers, meaning non-EU nationals, and EU citizens crossing the external borders, should be effectively and systematically checked against the relevant databases. To ensure that checks can be performed efficiently on every air passenger, there is a need to speed up border controls at airports and ensure the facilitation of passenger flows while at the same time maintaining a high level of security.
The recent evaluation assessing the implementation of the API Directive showed that the lack of legal precision resulted in a multitude of national interpretations, creating gaps in the collection and use of API data and therefore undermining the overall effectiveness of the Directive.
The evaluation also indicated that the use of API data for law enforcement fulfils a distinct purpose, with specific operational needs, therefore requiring a dedicated legal instrument. Effective rules will step up the fight against serious crime and terrorism.
Which type of flights will be covered by the new rules?
The new rules will cover all flights within, into and from the EU.
What are the key elements of the proposal to revise the Advance Passenger Information Directive?
The proposal provides an updated framework of rules that will improve the flow of Advance Passenger Information.
The revision aims to:
-
-harmonise the requirements for the collection of API data, by setting a clear and mandatory list of API data elements to be collected by air carriers from travellers;
-
-cover all air travellers on all flights (including those travelling on business aviation and charter flights);
-
-improve the accuracy and completeness of data collected, as air carriers will have to collect data by automated means only. This will increase the efficiency and reliability of the analysis of the data by national authorities;
-
-establish a central router, that will act as the single point of reception and onward distribution of data, replacing the current system comprised of multiple connections between air carriers and national authorities.
What will be the benefits for air carriers?
The new rules will allow air carriers to transfer API data on passengers only to one single point of reception, namely the router that will distribute the data to national authorities. The router will ensure that each relevant authority in Member States receives the data.
The proposal will clarify the API data elements to be collected and transferred, also on which flights and on which travellers, so that carriers will no longer face different requirements from each Member State. The proposal also provides clarity on the two specific moments to transfer API data, as opposed to the current API Directive which provides that API data needs to be transmitted “by the end of the check-in”, which is used by some Member States to request API transmission several times (up to four transmissions per flight).
What will be the obligations for air carriers?
The obligation to collect and provide passenger information already exists since the 1990s, with EU rules in place since 2004.
Air carriers will now need to collect and transfer more API data, as the scope of the proposals includes inbound flights, outbound flights and intra-EU flights. Most carriers already collect API data on inbound and outbound flights, as API systems are now implemented in nearly all countries in the world. The proposals will have the biggest impact for air carriers operating flights within the EU, as there's currently no obligation to collect API data on these flights. Additional collection and transfers of data imply additional costs; however, these will be mitigated with the set-up of the API router. To comply with the obligation to collect API data in an automated manner, some air carriers will need to invest in additional equipment at airports, also resulting in slight changes in the online check-in applications and processes.
The use of automated means (or using optical character recognition to ‘read' the machine-readable data of travel documents) is already a wide-spread practice in the air industry. The collection of automated means to collect API data from travellers is used on international flights and this obligation will therefore have most impact for air carriers operating flights within the EU. The proposals leave sufficient flexibility for air carriers to comply with this obligation: a delegated act will explain which formats and specifications should be followed by air carriers without obliging them to implement a unique solution.
Will there be obligations for other carriers?
The proposals do not extend the obligation to collect API data from other transport modes than air transport. This is due to the fact that there are already existing rules on the collection and transmission of passenger data for maritime transport operators.
EU and international obligations already exist on maritime transport operators to collect and transmit in passenger information in advance to border authorities of Member States on incoming and outgoing routes. In this context, any additional requirement to transmit ‘API' data in a separate instrument, would be redundant and create considerable burden on maritime operators.
There are no international nor EU rules for the collection of passenger data from land transport operators such as rail or bus. Rail transport has specific characteristics in terms of infrastructure, passenger journey and density of networks. Such observations can also be extended to the bus transport sector, composed of a variety of small to medium sized companies. Compared to the air transport sector, the collection of passenger data is more challenging as the issuing of nominative tickets is not a standard practice. To introduce a systematic collection of API data for rail and/or bus transport would require heavy investments in the physical infrastructure of operators, with substantial consequences on their economic model and on passengers. However, this means that Member States can adopt national legislation to collect passenger data from other modes of transport (some Member States already do).
When will the new rules be fully applicable?
It is now for the European Parliament and the Council to examine the proposal. Once adopted, the rules will be directly applicable across the EU. The proposals complete other EU systems and initiatives in the area of border management and security, some of which are being rolled out in the course of 2023 (such as the Entry Exit System and the European Travel Information Authorisation System). The new rules on the collection and transfer of API data are expected to be applied in full as of 2028. Once the router is developed, which is expected to be by 2026, public authorities and air carriers will have two years to adjust to the new requirements, and test the router, before it becomes mandatory.
Is financial support available to Member States to implement these changes?
Financial support will be available to Member States through the Internal Security Fund (ISF) and the Border Management and Visa Instrument (BMVI). However, knowing that Member States already have the systems in place to process API data, the financial part would be necessary to support only certain upgrades, namely, to receive additional data.
The setup of the router and its management by eu-LISA will be entirely financed by the EU budget.
How will data protection and privacy be guaranteed?
The proposals update the data protection framework related to the collection of API data by air carriers. They contain all necessary restrictions and safeguards to ensure compliance with the Charter of Fundamental Rights, including as regards the security of processing of personal data, deletion and purpose limitation and the travellers' right of information. Any processing of API data remains limited to what is necessary for and proportionate to achieving the objectives of border management and the fight against serious crime and terroism. The necessary safeguards include rules on independent supervision, logs on any processing of the data, and data protection rules such as purpuse limitation and strict retention periods. It is also ensured that the API collected and transferred under do not lead to any form of discrimination precluded by the Charter.
For More Information
Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for facilitating external border controls
Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information (API) for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Webpage on Advanced Passenger Information