BETA

Activities of Clare DALY related to 2022/0425(COD)

Shadow reports (1)

2023/12/07
Committee: LIBE
Dossiers: 2022/0425(COD)
Documents: PDF(399 KB) DOC(173 KB)
Authors: [{'name': 'Assita KANKO', 'mepid': 197469}]

Shadow opinions (1)

2023/07/19
Committee: TRAN
Dossiers: 2022/0425(COD)
Documents: PDF(200 KB) DOC(163 KB)
Authors: [{'name': 'Jan-Christoph OETJEN', 'mepid': 197432}]

Amendments (36)

Proposal for a regulation
Recital 1

(1) The transnational dimension of serious and organised crime and the continuous threat of terrorist attacks on European soil call for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on air travellers, such as Passenger Name Records (PNR) and in particular Advance Passenger Information (API), ~~is essential~~may be useful in certain circumstances in order to identify ~~high-risk~~air travellers~~, including those~~ suspected of crime, as well as those criminals who are not otherwise known to law enforcement authorities, ~~and to establish links between members of criminal groups, and countering~~investigating terrorist acts, and preventing imminent terrorist act~~ivitie~~s.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 2

(2) While Council Directive 2004/82/EC27 establishes a legal framework for the collection and transfer of API data by air carriers with the aims of improving border controls and combating illegal immigration, it also states that Member States may use API data for law enforcement purposes. However, only creating such a possibility leads to several gaps and shortcomings. In particular, it means that, despite its potential relevance for law enforcement purposes, API data is not in all cases collected and transferred by air carriers for those purposes. It also means that, where Member States acted upon the possibility, air carriers are faced with diverging requirements under national law as regards when and how to collect and transfer API data for this purpose. Those divergences lead not only to unnecessary costs and complications for the air carriers, but they are also prejudicial to ~~the Union’s internal security and~~ effective cooperation between the competent law enforcement authorities of the Member States. Moreover, in view of the different nature of the purposes of facilitating border controls and law enforcement, it is appropriate to establish a distinct legal framework for the collection and transfer of API data for each of those purposes. _________________ 27 Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ L 261, 6.8.2004, p. 24).

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 3

(3) Directive (EU) 2016/681 of the European Parliament and of the Council28 lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under that Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not guarantee the collection and transfer of API data in all cases, as air carriers do not have any business purpose to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent law enforcement authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crime . In particular, such joint processing ~~allows for the accurate identification of~~might improve the accuracy with which those passengers that may need to be further examined, are identified, in accordance with the applicable law, by those authorities. In addition, that Directive does not specify in detail which information constitutes API data. For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data, which requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flight. _________________ 28 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132).

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 6

(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of personal data. In order to fully respect fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API ~~data and, in particular, API data constituting personal~~ data, should remain limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the ~~API~~ collectedion and ~~transferred~~processing of API data under this Regulation does not lead to any form of discrimination precluded by the Charter.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 7

(7) In view of the complementary nature of this Regulation in relation to Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under Directive (EU) 2016/681, namely flights, including both scheduled and non-scheduled flights, both between Member States and third countries (extra-EU flights), ~~and between several Member States (intra-EU flights)~~ insofar as those flights have been selected in accordance with Directive (EU) 2016/681, irrespective of the place of establishment of the air carriers conducting those flights.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 8

(8) Accordingly, given that Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either. This Regulation should not be understood as affecting the possibility for Member States to provide, under their national law and in compliance with Union law, for obligations on air carriers to collect and transfer API data on such domestic flights. In light of the uncertainties regarding the compatibility of Directive (EU) 2016/681 with the Treaty on European Union and the EU Charter as regards freedom of movement, this Regulation shall not apply to intra- EU flights.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 10

(10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that air traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned only where applicable~~, that is, not when the API data relate to intra-EU flights~~.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 11

(11) In order to ensure a consistent approach on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. That concerns, in particular, the rules on data quality, ~~the air carriers’ use of automated means for such collection,~~ the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 12

(12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API ~~data constituting personal~~ data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 14

(14) As regards intra-EU flights, in line with the case law of the Court of Justice of the European Union (CJEU), in order to avoid unduly interfering with the relevant fundamental rights protected under the Charter and to ensure compliance with the requirements of Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of Directive (EU) 2016/681. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to the regular review of that selection.deleted

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 15

(15) In order to enable the application of that selective approach under this Regulation in respect of intra-EU flights, the Member States should be required to draw up and submit to eu-LISA the lists of the flights they selected, so that eu- LISA can ensure that only for those flights API data is transmitted from the router to the relevant PIUs and that the API data on other intra-EU flights is immediately and permanently deleted.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 16

(16) In order not to endanger the effectiveness of the system that relies on the collection and transfer of API data set up by this Regulation, and of PNR data under the system set up by Directive (EU) 2016/681, for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, in particular by creating the risk of circumvention, information on which intra-EU flights the Member States selected should be treated in a confidential manner. For that reason, such information should not be shared with the air carriers and they should thereforeAir carriers should be required to collect API data on all flights covered by this Regulation~~, including all intra-EU flights,~~ and then transfer it to the router, where the necessary selection should be enacted. Moreover, by collecting API data on all intra-EU flights, passengers are not made aware on which selected intra-EU flights API data, and hence also PNR data, is transmitted to PIUs in accordance with Member States’ assessment. That approach ~~also~~ ensures that any changes relating to that selection can be implemented swiftly and effectively, without imposing any undue economic and operational burdens on the air carriers.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 19

(19) ~~In view of the Union interests at stake, a~~Appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation, should be borne by the Union budget, in accordance with the applicable legislation and subject to certain exceptions. The costs covered by those exceptions should be borne by each Member State concerned itself.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 20

(20) In accordance with Regulation (EU) 2018/1726, Member States ~~may~~should entrust eu-LISA with the task of facilitating connectivity with air carriers in order to assist Member States in the implementation of Directive (EU) 2016/681, particularly by collecting and transferring PNR data via the router.

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 23

(23) Effective, proportionate and dissuasive penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the collection and transfer of API data under this Regulation.deleted

2023/09/06
Committee: LIBE

Proposal for a regulation
Recital 24

(24) In order to adopt measures relating ~~to the technical requirements and operational rules for the automated means for the collection of machine- readable API data,~~ to the common protocols and formats to be used for the transfer of API data by air carriers, to the technical and procedural rules for the transmission of API data from the router and to the PIUs and to the PIU’s and air carriers’ connections to and integration with the router, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of Articles 4, 5, 10 and 11, respectively. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201633 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. _________________ 33 OJ L 123, 12.5.2016, p. 1.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point a

(a) the collection by air carriers of advance passenger information data (‘API data’) on extra EU ~~flights and selected intra EU~~ flights;

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 3 – paragraph 1 – point c

~~(c) ‘intra-EU flight’ means any flight as defined in Article 3, point (3), of Directive (EU) 2016/681;~~deleted

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 3 – paragraph 1 – point h

(h) ‘air traveller’ means any person as defined in Article 3, point (i), of Regulation (EU) [API border management];

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1

1. Air carriers shall collect API data of air travellers on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with paragraph 6. Where the flight is code- shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 3

3. Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the traveller concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred paragraph 5, where such rules have been adopted and are applicable. However, where such use of automated means is not possible due to the travel document not containing machine- readable data, air carriers shall collect that data manually, in such a manner as to ensure compliance with paragraph 2.deleted

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 4

~~4. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up-to-date.~~deleted

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 5

~~5. The Commission is empowered to adopt~~ delegated acts in accordance with Article 19 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means in accordance with paragraphs 3 and 4 of this Article.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 7

7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the air travellers have boarded the aircraft in preparation for departure and it is no longer possible for air travellers to board or to leave the aircraft.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 1 – introductory part

~~Without prejudice to the possibility for air carriers to retain and use the data where necessary for the normal course of their business in compliance with the applicable law, a~~Air carriers shall immediately either correct, complete or update, or permanently delete, the API data concerned in both of the following situations:

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1

The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on the territory of which the flight will land or from the territory of which the flight will depart~~, or to both in the case of intra- EU-flights~~. Where a flight has one or more stop-overs at the territory of other Member States than the one from which it departed, the router shall transmit the API data to the PIUs of all the Member States concerned.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3

~~However, for intra-EU flights, the router shall only transmit the API data to that PIU in respect of the flights included in the list referred to in paragraph 2.~~deleted

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 2

2. Member States that decide to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2 of that Directive shall each establish a list of the intra-EU flights concerned and shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, provide eu-LISA with that list. Those Member States shall, in accordance with Article 2 of that Directive, regularly review and where necessary update those lists and shall immediately provide eu-LISA with any such updated lists. The information contained on those lists shall be treated confidentially.deleted

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 6 – paragraph 1

1. Air carriers shall create logs of all processing operations under this Regulation undertaken using the automated means referred to in Article ~~4(3)~~5. Those logs shall cover the date, time, and place of transfer of the API data.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 8 – paragraph 1

PIUs and air carriers shall ensure the security ~~of the API data, in particular API data constituting personal~~, integrity, confidentiality and authenticity of the API data, that they process pursuant to this Regulation.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 9 – paragraph 1

Air carriers and the PIUs shall monitor their compliance with their respective obligations under this Regulation, in particular as regards their processing of API ~~data constituting personal~~ data, including through frequent verification of the logs in accordance with Article 7.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 16

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure they are implemented. The penalties provided for shall be effective, proportionate and dissuasive penalties. Member States shall, by the date of application of this Regulation referred to in Article 21, second subparagraph, notify the Commission of those rules and of those measures and shall notify it without delay of any subsequent amendment affecting them.Article 16 deleted Penalties

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 18

Regulation (EU) 2019/818
Article 39

Amendments to Regulation (EU) ___________ In Article 39, paragraphs 1 and 2 are replaced by the following: ‘1. A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the SIS, Eurodac and ECRIS-TCN, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes. The CRRS shall also support the objectives of Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].” * Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)” 2. eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 74 of Regulation (EU) 2018/1862 and Article 32 of Regulation (EU) 2019/816 logically separated by EU information system. eu-LISA shall also collect the data and statistics from the router referred to in Article 13(1) of Regulation (EU) …/… * [this Regulation ]. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 74 of Regulation (EU) 2018/1862, Article 32 of Regulation (EU) 2019/816 and Article 13(1) of Regulation (EU) …/… * [this Regulation ].rticle 18 deleted 2019/818

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 19 – paragraph 2

2. The power to adopt delegated acts referred to in Article 4~~(5) and~~ (9), Article 5(3), Article 10(2) and Article 11(2) shall be conferred on the Commission for a period of five years from [date of adoption of the Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 19 – paragraph 3

3. The delegation of power referred to in Article 4~~(5) and~~ (9), Article 5(3), Article 10(2) and Article 11(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

2023/09/06
Committee: LIBE

Proposal for a regulation
Article 21 – paragraph 3

However, Article 4~~(5) and~~ (9), Article 5(3), Article 10(2), Article 11(2) and Article 19 shall apply from [Date of entry into force of this Regulation].

2023/09/06
Committee: LIBE