The European Commission last week proposed rules governing the use of Advance Passenger Information in a bid to strengthen border security.
As commissioner for home affairs Ylva Johansson explained during a press conference, travel in and out of the Schengen zone – the 26 European countries between which passengers are free to travel without visas – involves the obligation to give border authorities Personal Name Records (PNR). That’s just the minimal information passengers provide airlines when booking tickets.
Airlines, she said, less formally share Advance Passenger Information [PDF] – flight details and passenger passport data collected by airlines upon check-in. It’s provided to border authorities as a passenger manifest list.
“With this proposal, we will make it mandatory to share the Advanced Passenger Information for all flights that go in and out of Schengen but also for intra-Schengen flights that are the same as those that are required for the PNR,” explained Johansson. “This will significantly help to prepare the readiness for the border guards – what kind of people they will expect – but also of course to track significant criminal individuals.”
According to Johansson, PNR sharing alone is insufficient to catch criminals because they often book multiple tickets on airlines at the same time to make it difficult for authorities to know where they’re actually traveling. With the addition of obligatory, standardized API data, authorities should be better able to determine who is traveling where and when.
Johansson said that the proposed rules – which won’t be applied until 2028 – will be enforced using a central “router,” managed by an EU agency called eu-LISA. That agency will receive data from departure points and send it to arrival points without storing it.
“The transmission of API data through the router will reduce costs on the air industry and would ensure that border guards have [fast and seamless] access … to API data they need to perform in the context of advanced border checks,” the proposal [PDF] explains. “This approach will drastically reduce the number of connections to establish and maintain from a member states perspective. Conversely, this will reduce the complexity for air carriers to maintain connections with competent border authorities and introduce economies of scale.”
eu-LISA will have to comply with EU data protection obligations and will be considered a personal data processor under EU law. Air carriers and relevant authorities will monitor themselves to make sure they’re compliant with the law.
The router isn’t expected to be developed until 2026, at which point two years have been allotted for adjustment and testing. The projected cost is €45 million ($47.6M) for development and €9 million ($9.5M) for operation from 2029 onward. It’s anticipated that member states will have to spend €27 million ($28.6M) to make existing systems compatible, plus €5 million ($5.3M) per year in operational expenses from 2028 onwards.
(Member states contribute €8 million ($8.4M) per year to the present system under the current Multiannual Financial Framework.)
The revised data sharing requirement – part of the EU Security Union Strategy – is intended to harmonize rules on the collection of API data. Previously PNR records were governed by a separate legal framework – the 2016 PNR Directive.
The rule change is also intended to ensure that data collected is accurate, complete, and high quality – air carriers will be required to use automated data collection methods, so manual data entry problems can be avoided.
People traveling into, out of, and within the EU – over one billion passengers annually – will be affected. ®