On Wednesday 21 June, the Member States of the European Union adopted their mandate on the two legislative proposals presented last December on the collection and transfer of personal data (check-in information) relating to air passengers (see EUROPE 13083/13), known as API (advanced passenger information); this differs from PNR data, which includes more detailed reservation information.
The European Commission had proposed to Member States and the European Parliament to extend API data collection to intra-EU flights. The proposals were organised into two regulations that respectively related to: - the ‘collection and transfer of advance passenger information to facilitate external border controls’; - the ‘collection and transfer of advance passenger information for the prevention and detection of terrorist offences and serious crime’.
The texts that are adopted will put in place “a router that receives the API data transferred to it by air carriers. The router, in turn, transmits API data to national border and law enforcement authorities. The development of a single router, a central tool which will be developed by an EU agency, makes it easier for air carriers to transfer the information to national authorities and reduces the risk for errors and abuse”, explained the Council of the EU in a press release.
API data will consist of “a closed list of traveller information such as name, date of birth, nationality, type and number of the travel document, seating information and baggage information. In addition, air carriers will be obliged to collect certain flight information, for instance the flight identification number, the airport code and time of departure and arrival”.
The new law will enable law enforcement authorities to combine travellers’ API data and passenger name records (PNR). It will apply to all flights arriving in from, or bound outwards for, third countries from the EU and to all intra-EU flights departing from, arriving in or making a stopover in the territory of at least one Member State, insofar as Member States have notified their intention to apply Directive 2016/681 on PNR to intra-EU flights.
The new rules still require air carriers to transfer API data both at check-in, but no earlier than 48 hours before the scheduled departure time, and for all passengers on board, immediately after the flight has ended, i.e. once passengers have boarded the aircraft for departure and it is no longer possible to board the aircraft or disembark from it. With regard to all crew members, this data must be transferred immediately after the closure of the flight, when the crew is on board for departure.
This API data cannot be kept for more than 96 hours and must then be deleted. (Original version in French by Solenn Paulic)