Regulating the collection and transfer of API Data to strengthen EU border controls27 March 2023
"The API Regulation will apply to carriers, irrespective of their place of establishment, conducting both scheduled and non-scheduled inbound flights from non-EU countries or EU Member States not participating in the API Regulation to a Schengen country or Ireland."
The need for reviewing the current regulation through the imposition of common rules stems from the following:
- the API Directive does not mandate Member States to request collection and transmission of API by carriers;
- inconsistent use of API by border authorities;
- lack of exhaustive criteria for the collection and transmission of API;
- significant increase in online check-in processing time where passenger data are currently manually collected and recorded;
- need for aligning the transmission of API with the current rules governing the movement of persons across EU external borders; and
- need for providing certain safeguards in the processing of personal data.
Accordingly, the EU Commission proposed to adopt the API Regulation revolving around automated means to collect API² and a centralised transmission mechanism² to border authorities that will, amongst others, help simplify the technical connections to transmit API while seemingly reducing costs on air industry.
Below is a brief summary of the main provisions set out in the API Regulation.
SCOPE OF APPLICATION
The API Regulation will apply to carriers, irrespective of their place of establishment, conducting both scheduled and non-scheduled inbound flights from non-EU countries³ or EU Member States not participating in the API Regulation⁴ to a Schengen country⁶ or Ireland. The current language of the API Regulation does not seem to clarify whether its scope of application will be limited to operating carriers or if it will extend to include marketing carriers and/or codeshare partners too. However, since the API Regulation will mandate transfer of API “at the moment of check-in” and “immediately after flight closure”,⁷ it is reasonable to maintain that it will bind operating carriers only. That is, an operating carrier established either in a EU Member State or in a non-EU country and operating flights from a non-EU country (or a EU Member State not participating in the API Regulation) to a Schengen country or Ireland will be bound by the API Regulation.
COLLECTION OF DATA
The API Regulation will provide for a more comprehensive list of API to be collected and transferred. This is a combination of existing and new (*) requirements vis-à-vis the content of the API Directive.
Carriers will now be required to collect the following passenger information:
Senior Associate Milan
"Where carriers become aware that transferred API is inaccurate, incomplete, no longer up-to-date or processed unlawfully, they must immediately inform eu-LISA which, in turn, must inform the border authorities."
a) the surname (family name), first name or names (given names);
b) the date of birth, sex* and nationality;
c) the type and number of the travel document and the three-letter code of the issuing country* of the travel document;
d) the date of expiry of the validity of the travel document*;
e) whether the traveller is a passenger or a crew member (traveller’s status)*;
f) the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator)*;
g) the seating information, such as the number of the seat in the aircraft assigned to a passenger, where the air carrier collects such information*; and
h) baggage information, such as number of checked bags, where the air carrier collects such information*.
In addition, carriers will be required to collect the following flight information:
A) the flight identification number or, if no such number exists, other clear and suitable means to identify the flight*;
B) when applicable, the border crossing point of entry into the territory of the Member State;
C) the code of the airport of entry into the territory of the Member State*;
D) the initial point of embarkation;
E) the local date* and estimated time of departure; and
F) the local date* and estimated time of arrival.
The API Regulation will require carriers to collect API “in such a manner that the API that they transfer (…) is accurate, complete and up-to-date”, i.e. using automated means to collect machine-readable data.⁸ Manual collection will still be required where the passenger’s document is not machine-readable.
DATA TRANSFER TO THE ROUTER
Carriers will transfer API to the router by electronic means both at the moment of check-in and immediately after flight closure.
Where carriers become aware that transferred API is inaccurate, incomplete, no longer up-to-date or processed unlawfully, they must immediately inform eu-LISA⁹ which, in turn, must inform the border authorities.
Since the development and implementation of the router will likely precede the entry into force of the API Regulation, carriers will be meanwhile authorised to transfer API to the router under the API Directive upon agreement with the border authorities.
"Both carriers and border authorities will act as 'controllers' as per GDPR regulation with respect to personal data that they process, ensuring their security. eu-LISA will be the 'processor', ensuring security of the data processed on its end."
DATA TRANSFER TO THE BORDER AUTHORITIES
API will be transferred immediately and in an automated manned by the router to the border authorities.
STORAGE OF DATA
Storage of API by carriers and border authorities will be limited to 48 hours from flight departure. Data will then be permanently cancelled.
PERSONAL DATA PROTECTION
Both carriers and border authorities will act as “controllers” as per GDPR regulation with respect to personal data that they process, ensuring their security. eu-LISA will be the “processor”, ensuring security of the data processed on its end.
Member States shall appoint supervisory authorities to enforce the API Regulation. Enforcement will include imposition of “effective, proportionate and dissuasive” penalties. The API Regulation does not itself provide for penalty amounts or ranges. Using Italy as an exmaple, it is likely that border police airport offices (“Polizia di Frontiera”) will be delegated to monitor the transfer of API, whereas the Italian Civil Aviation Authority (“ENAC – Ente Nazionale per l’Aviazione Civile”) will enforce the API Regulation through the issue of administrative fines.
While the use of automated means to collect certain API (i.e. machine-readable) would lessen the burden on carriers, its practical implications remain to be seen. Leaving aside data that must be provided by carriers directly (e.g. seating or baggage information, flight identification number etc.) a question arises as to whether the API Regulation will help carriers improve efficiency in the collection and transmission of API.
At a glance, since carriers will be required to transfer API “both at the moment of check-in and immediately after flight closure” one may maintain that carriers will not be relieved from double-checking (and correcting) passenger data at gates in the (amongst others) following circumstances:
- travel document uploaded by passenger at the time of online check-in is no longer valid at the flight date;
- passenger travelling with a document other than that uploaded at the time of online check-in; and
- passenger misplacing the document uploaded at the time of online check-in, therefore showing a different document for boarding.
From a first assessment, it remains unclear whether the above circumstances will be deemed as a violation of the API Regulation upon arrival of passengers at the border control even where carriers promptly informed eu-LISA of the error and irrespective of eu-LISA informing border authorities or not. It is also unclear if the possibility to inform eu-LISA of wrong, inaccurate, outdated API will limit the application of the API Regulation to carriers’ failure to collect and transmit API at all. As a result, enforcement, prosecution and the applicable penalties and sanctions will likely be decided by each Member State and could vary between the members of the EU.
 2022/0424 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL On the collection and transfer of advance passenger information (API) for enhancing and facilitating external border controls, amending Regulation (EU) 2019/817 and Regulation (EU) 2018/1726, and repealing Council Directive 2004/82/EC.
 E.g. an app on passenger’s smartphone, laptop or webcam that can read machine-readable travel documents.
 I.e. a centralized router.
 The European Union currently comprises of 27 countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
 Denmark will have a time-limited option to decide whether to adopt the API Regulation.
 The Schengen Area currently includes the following countries: Austria, Belgium, Croatia, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Iceland, Norway, Switzerland, and Liechtenstein. Cyprus, Bulgaria, and Romania will be bound by the API Regulation once they have accessed the Schengen Area.
 i.e. “(…) once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for passengers to board or to leave the aircraft.” (see article 6.2 of API Regulation).
 The EU Commission will adopt delegated acts to lay out technical requirements and operational rules for automatic collection.
 European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (in charge with development and maintenance of the router)
Senior Associate Milan