API agreement between European Council and Parliament
4 March 2024: The European Council and the Parliament met on 1 March for Advance Passenger Information (API) regulations trilogues and to find an agreement. The regulations were proposed by the Commission in December 2022 with the aim to enhance security at the EU’s external borders and to boost the preventionand fight against crime by making the collection of API data mandatory and consistent in all Member States.
For border management purposes, the rules will apply to flights arriving in an EU country from a third country, and for law enforcement purposes, also to flights departing from an EU country. The collected data will include the passenger’s name, date of birth, nationality, passport details and flight information, but biometric data has been excluded from the scope.
API data will be transmitted automatically through a single router, which will also become the mandatory means of transmitting PNR data. The penalties will be limited to 2 per cent of the annual global turnover and only in cases when the air carrier repeatedly fails to transfer the data.
Regarding the next steps, the provisional agreement needs to be formally adopted by both the Parliament and the Council before it can enter into law. It will enter into force 20 days after publication in the EU’s Official Journal and be applied to API data two years after the central router starts its operations.
Furthermore, the Commission will be tasked with reporting on the impact of the laws on the travel experience of passengers and the aviation industry four years after the entry into force, and every four years thereafter.
10 January 2023: The Commission adopted on 13 December its proposal to strengthen the use of Advance Passenger Information (API) data. This proposal is one of the key actions identified in the EU Security Union Strategy.
The API system dates back to 2004 with Directive 2004/82/EC on the obligation of carriers to communicate passenger data to improve border control and fight against irregular migration (the 'API Directive').
New data sharing schemes have since been developed to improve EU border control and migration management and, specifically, fight terrorism and serious crimes. Today, air carriers are required to transfer not only API but also passenger name records (PNRs) in line with Directive (EU) 2016/681. PNRs comprise a larger set of data that encompass API.
To improve coherence in EU legislation and support harmonisation between Member States, the European Commission adopted its proposal to revise the API Directive to consider providing for the use of these data for countering serious crime, improving the effectiveness in the use of API data and the coherence with other instruments such as the entry/exit system, the European travel information and authorisation system, and the PNR system.
The new rules on API will introduce:
- Uniform rules on API data collection. The new rules include a closed list of API data elements, the means to collect API data, and a single point for the transfer of the data.
- Mandatory API data collection for the purposes of border management and combating irregular immigration on all flights entering the Schengen area. This will facilitate the travel of people travelling to the Schengen area, with reduced times at disembarkation and at the physical border checks. Mandatory API data collection for law enforcement purposes for all flights to and from the EU, as well as on selected flights within the EU. API data for such purposes is collected in full respect of EU personal data protection rules.
- Better quality API data, as air carriers will have to collect API data by automated means only.
- Streamlined transmission of API data by air carriers to national authorities through a new router, which will be managed by an EU Agency, eu-LISA. This technical solution is compliant with personal data protection safeguards as it will only transmit and not store any API data.
These proposals complete other EU systems and initiatives in the area of border management and security, and that are being rolled out in the course of 2023 (such as the Entry Exit System and the European Travel Information Authorisation System). The new rules on the collection and transfer of API data are expected to be applied in full as of 2028.
Read the EC's press release here: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7644