Council agrees: New EU rules on collecting passenger data are in place

On Thursday, the EU Council of Ministers gave its final approval to two draft regulations to close loopholes in the collection and analysis of Advance Passenger Information (API). This is information on the identity of passengers that can be found in travel documents and is supplemented with information on travel routes at check-in. This includes names, dates of birth, nationality and other data from electronic passports, for example. According to the previous API Directive from 2004, this data must be transmitted to the authorities at the point of arrival before and after departure. Until now, however, member states have been able to decide for themselves whether to request the API from airlines and pass it on to investigators.

The two new laws are intended to harmonize the requirements in order to increase EU border security and strengthen the fight against terrorism and serious crime, explains the Council. One of the two laws adopted regulates the automated collection through scans of machine-readable identification documents and the transfer of APIs. In future, airlines will have to transmit this passenger data to the authorities together with baggage information, for example, before passengers reach the EU's external borders. This should ensure that the responsible officials can carry out checks in advance, assess potential security risks and manage them as effectively as possible.

API and PNR are to be evaluated together

The second regulation on the use of API for law enforcement purposes is intended to support the prevention, detection and prosecution of terrorism and serious crime. The basic data on passengers will be combined with the more comprehensive Passenger Name Records (PNR), which are also collected by the airlines. This also includes seat numbers, baggage and contact details, email addresses, payment methods and an undefined free text field. According to the PNR Directive of 2016, airlines must transfer this data to special collection points in the destination country – in Germany to the Federal Criminal Police Office (BKA). However, the European Court of Justice (ECJ) raised the bar for PNR retention in a landmark ruling in 2022. The Wiesbaden Administrative Court subsequently classified the BKA sky search based on this as unlawful, meaning there is a need for adjustment.

According to the new API regulations, the EU is setting up a central router for data transmission in order to ensure a more accurate exchange and reduce the administrative burden. Airlines will have to connect their automated systems to it, with a transitional period for manual data collection if necessary. The EU member states want to launch the information hub as a priority together with the Commission and EU-Lisa, the agency responsible for the management of large-scale IT systems. The regulations will now enter into force 20 days after their publication in the EU Official Journal. Hungarian Interior Minister Sándor Pintér welcomed the approval on behalf of the Council Presidency: "We cannot afford to have blind spots with regard to passengers arriving in the EU."

(vbr)