The European Union (EU) parliament and the European Council agreed to introduce two new rules on collecting and handling Advance Passenger Information (API).
API data refers to the information in travel documents that confirms passengers’ identities.
Airlines collect API data when passengers check-in online or physically at the airport.
It is then sent to border authorities and serves as the complete “passenger list manifest,” which contains the names of all passengers on board a plane upon departure.
The proposed new policies will allow a more efficient system of data collection and sharing with border and law enforcement authorities.
Annelies Verlinden, EU Minister of the Interior, Institutional Reform and Democratic Renewal, shared the benefits of the proposed legislation in a news release.
These include “a more efficient border management at airports” and “a strengthened information position for law enforcement authorities about people flying into and within the EU.”
The provisional agreement, signed on 1 March 2024, upgrades the EU’s 20-year-old legislative framework.
Coreper, or the parliament’s member state representatives, must confirm the agreement before the rules can be formally adopted.
Provisional agreement aims to beef up border security
The objective of the provisional agreement was to improve EU border security and to effectively combat serious crime and terrorism.
The collection and sharing of APIs are typically only for flights from outside the EU.
However, member states may include flights within the EU should law enforcement require it, such as in the event of a terrorist threat.
Without such a threat, enforcing it on internal EU flights must be supported by a thorough risk assessment.
The provisional agreement specifies the type of data all airlines must collect from passengers traveling to and within the EU.
It also outlines how carriers should collect API and how it should be shared with law enforcement and border management officials.
Additionally, it provides guidelines on how API data should be stored in compliance with the EU’s data protection laws.
Standardized API data
All air carriers must collect the following API data: passenger’s name, date of birth, nationality, type and number of travel documents, and seating and baggage information.
The API data collected must also contain certain flight information, such as the flight identification number, airport code, and departure and arrival times.
A representative from Members of the European Parliament (MEPs) guaranteed that API data does not include biometrics like fingerprints.
Automatic collection of API
Airlines should automatically collect standard passenger information by scanning machine-readable passports to ensure data accuracy and reliability.
During a two-year transitional period, manual API data collection can be done during the online or onsite airport check-in.
Only if an automated collection is not possible due to technical reasons can airlines collect API data manually.
Airlines can also collect API data manually, but only if automated collection is not possible due to technical reasons.
When data is collected manually, air carriers must have verification measures to guarantee the data’s accuracy.
Sharing API data with EU member states
The provisional rules also require a central router that will facilitate data transfer from airlines to border and law enforcement agencies.
Eu-LISA will manage the central router. It will replace the current system of multiple connections between air carriers and national authorities.
Having one central router improves the efficiency and cost of transferring data. It also reduces the risk of errors and abuses.
The same central router will also be used to transfer and store Passenger Name Record (PNR) data.
PNR is a more extensive data set collected when an airline passenger books a flight. It contains the passenger’s full name, date of birth, nationality, and itinerary.
Improving border management and security
The proposed legislation allows law enforcement authorities to effectively merge API and PNR data.
This will be a big help for law enforcement in identifying high-risk travelers and verifying the travel patterns of suspected individuals.
By storing data longer, border officials can perform necessary pre-checks on arriving travelers to manage borders more efficiently.
MEPs clarified that data collected will only be stored for 48 hours and retained only when necessary. It will be extended for another 48 hours if a passenger does not appear at border checks.
The provisional rules also forbid using API data for profiling or discriminating against gender, ethnicity, religion, disability, etc.
How new API guidelines affect passengers
The improved collection and handling of API data will benefit all travelers to the EU.
The final provisional agreement states that carriers are not required to check travel documents before boarding.
This will significantly reduce time spent at immigration checks and provide a more seamless travel experience.
It can also help speed up background checks on non-visa travelers who will require the European Travel Information and Authorization System (ETIAS).
For migrants or long-term visitors to the EU, the proposed rules will safeguard data sharing and improve border security.
Better use of technology for handling API data can also benefit neighboring countries such as the United Kingdom (UK).
The UK and EU recently signed a cooperation agreement against illegal migration. The deal includes sharing intelligence and best practices on border management.