39 Amendments of Tineke STRIK related to 2022/0425(COD)
Amendment 26 #
Proposal for a regulation
Recital 1
Recital 1
(1) The transnational dimension of serious and organised crime and the continuous threat of terrorist attacks on European soil calls for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on air travellers, such as Passenger Name Records (PNR) and in particular Advance Passenger Information (API), is essential in order to identify high-risk travellers, including those who are not otherwise known to law enforcement authorities, and to establish links between members of criminal groups, and countering terrorist activities.
Amendment 31 #
Proposal for a regulation
Recital 3
Recital 3
(3) Directive (EU) 2016/681 of the European Parliament and of the Council28 lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under that Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not guarantee the collection and transfer of API data in all cases, as air carriers do not have any business purpose to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent law enforcement authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crime. In particular, such joint processing allows for the accurate identification of those passengers that may need to be further examined, in accordance with the applicable law, by those authorities. In addition, that Directive does not specify in detail which information constitutes API data. For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data, which requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flightIn addition, that Directive does not specify in detail which information constitutes API data. _________________ 28 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132).
Amendment 35 #
Proposal for a regulation
Recital 4
Recital 4
(4) It is therefore necessary to establish clearer rules at Union level clear, harmonised and effective rules on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
Amendment 41 #
Proposal for a regulation
Recital 7
Recital 7
(7) In view of the complementary nature of this Regulation in relation to Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under Article 1 of Directive (EU) 2016/681, namely flights, including both scheduled and non- scheduled flights, both between Member States and third countries (extra-EU flights), and between several Member States (intra-EU flights) insofar as those flights have been selected in accordance with Directive (EU) 2016/681, irrespective of the place of establishment of the air carriers conducting those flights.
Amendment 45 #
Proposal for a regulation
Recital 7 a (new)
Recital 7 a (new)
(7a) This Regulation, however, does not cover the flights as defined in Article 3, point (3), of Directive (EU) 2016/681, namely any scheduled or non-scheduled flight by an air carrier flying from the territory of a Member State and planned to land on the territory of one or more of the other Member States, without any stop-overs in the territory of a third country (intra-EU flights), considering the potentially disproportionate effects that an automatic and indiscriminate collection of data through the router might have on several fundamental rights, including the right to freedom of movement and to data protection.
Amendment 48 #
Proposal for a regulation
Recital 8
Recital 8
(8) Accordingly, given that Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either. This Regulation should not be understood as affecting the possibility for Member States to provide, under their national law and in compliance with Union law, for obligations on air carriers to collect and transfer API data on such domestic flights.
Amendment 50 #
Proposal for a regulation
Recital 10
Recital 10
(10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned only where applicable, that is, not when the API data relate to intra-EU flightspassenger.
Amendment 61 #
Proposal for a regulation
Recital 12
Recital 12
(12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In this regard, it is important to ensure that the application of the system is limited to terrorist offences and serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large- Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner.
Amendment 71 #
Proposal for a regulation
Recital 14
Recital 14
Amendment 75 #
Proposal for a regulation
Recital 15
Recital 15
Amendment 79 #
Proposal for a regulation
Recital 16
Recital 16
Amendment 86 #
Proposal for a regulation
Recital 17 a (new)
Recital 17 a (new)
(17a) Taking into account the right of passengers to be informed of the processing of their personal data, Member States should ensure that passengers are provided with accurate information that is easily accessible and easy to understand about the collection of API data, their transfer to the PIU and their rights as data subjects.
Amendment 103 #
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
Article 1 – paragraph 1 – introductory part
For the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime within the meaning of Article 6(2) of Directive (EU) 2016/681, this Regulation lays down the rules on:
Amendment 105 #
Proposal for a regulation
Article 1 – paragraph 1 – point a
Article 1 – paragraph 1 – point a
(a) the collection by air carriers of advance passenger information data (‘API data’) on extra EU flights and selected intra EU flights;
Amendment 108 #
Proposal for a regulation
Article 1 – paragraph 1 – point c
Article 1 – paragraph 1 – point c
(c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data on extra-EU flights and selected intra-EU flights.
Amendment 111 #
Proposal for a regulation
Article 1 – paragraph 1 a (new)
Article 1 – paragraph 1 a (new)
This Regulation is without prejudice to Regulation (EU) 2016/679 [GDPR], Regulation (EU) 2018/1725 [EUDPR] and Directive (EU) 2016/680 [LED].
Amendment 113 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
This Regulation applies to air carriers conducting scheduled or non-scheduled extra-EU flights or intra-EU flights.
Amendment 114 #
Amendment 118 #
Proposal for a regulation
Article 3 – paragraph 1 – point d
Article 3 – paragraph 1 – point d
(d) ‘scheduled flight’ means a commercial flight as defined in Article 3, point (e), of Regulation (EU) [API border management];
Amendment 119 #
Proposal for a regulation
Article 3 – paragraph 1 – point e
Article 3 – paragraph 1 – point e
(e) ‘non-scheduled flight’ means a commercial flight as defined in Article 3, point (f), of Regulation (EU) [API border management];
Amendment 121 #
Proposal for a regulation
Article 3 – paragraph 1 – point h
Article 3 – paragraph 1 – point h
Amendment 133 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Air carriers shall collect API data of travellpassengers on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with paragraph 6. Where the flight is code- shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.
Amendment 141 #
Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 1
Article 4 – paragraph 3 – subparagraph 1
Air carriers shall collect the API data referred to Article 4(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the travellpassenger concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 5, wheronce such rules have been adopted and are applicable.
Amendment 149 #
Proposal for a regulation
Article 4 – paragraph 6
Article 4 – paragraph 6
6. Air carriers shall transfer the encrypted API data collected pursuant to paragraph 1 to the router, by electronic means. They shall do so in accordance with the detailed rules referred to in paragraph 9, wheronce such rules have been adopted and are applicable.
Amendment 152 #
Proposal for a regulation
Article 4 – paragraph 7
Article 4 – paragraph 7
7. Air carriers shall transfer the API data both at the moment of check-in and immediately after flight closure, that is, once the travellpassengers have boarded the aircraft in preparation for departure and it is no longer possible for travellpassengers to board or to leave the aircraft.
Amendment 154 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
7a. Air carriers shall store, for a time period of 24 hours from the moment of departure of the flight, the API data relating to the passengers that they collected pursuant to paragraph 1. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 155 #
Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 1 – introductory part
Article 4 – paragraph 8 – subparagraph 1 – introductory part
Amendment 157 #
Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 1 – point a
Article 4 – paragraph 8 – subparagraph 1 – point a
(a) where they become aware that the API data collected is inaccurate, incomplete or no longer up-to-date or was processed unlawfully, or that the data transferred does not constitute API data;
Amendment 158 #
Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 1 a (new)
Article 4 – paragraph 8 – subparagraph 1 a (new)
Air carriers shall immediately and permanently delete API data where they become aware that the API data collected was processed unlawfully or that the data transferred does not constitute API data.
Amendment 160 #
Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 2
Article 4 – paragraph 8 – subparagraph 2
Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph or in the second subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received the API data transmitted through the router.
Amendment 168 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1
Article 5 – paragraph 1 – subparagraph 1
The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on the territory of which the flight will land or from the territory of which the flight will depart, or to both in the case of intra- EU-flights. Where a flight has one or more stop-overs at the territory of other Member States than the one from which it departed, the router shall transmit the API data to the PIUs of all the Member States concerned.
Amendment 174 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
Article 5 – paragraph 1 – subparagraph 3
Amendment 176 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 4
Article 5 – paragraph 1 – subparagraph 4
The router shall transmit the API data in accordance with the detailed rules referred to in paragraph 3, wheronce such rules have been adopted and are applicable.
Amendment 180 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
Amendment 200 #
Proposal for a regulation
Article 6 a (new)
Article 6 a (new)
Article6a Processing of API data received 1. The PIUs shall process API data, transferred to them in accordance with this Regulation, only for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime within the meaning of Article 6(2) of Directive (EU) 2016/681. 2. The PIUs or other competent authorities shall under no circumstances process API data for the purposes of profiling.
Amendment 202 #
Proposal for a regulation
Article 7 a (new)
Article 7 a (new)
Article7a Personal data protection audits 1. The competent national data protection authorities referred to in Article 51 of Regulation (EU) 2016/679 shall ensure that an audit of processing operations of API data constituting personal data performed by the PIU’s for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every four years. 2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation and Regulation (EU) [API border management] is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted. 3. In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 13(1), and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.
Amendment 204 #
Proposal for a regulation
Article 7 b (new)
Article 7 b (new)
Article7b Fundamental Rights 1. Collection and processing of personal data in accordance with this Regulation and Regulation (EU) [API border management] by air carriers and competent authorities shall not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. 2. This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life, to the protection of personal data and to freedom of movement. 3. Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.
Amendment 234 #
Proposal for a regulation
Article 17 – paragraph 1
Article 17 – paragraph 1
The Commission shall, in close cooperation with the PIUs, other relevant Member States’ authorities, the air carriers and relevant Union agencies, in particular the European Data Protection Supervisor and the Fundamental Rights Agency, prepare and make publicly available a practical handbook, containing guidelines, recommendations and best practices for the implementation of this Regulation.
Amendment 236 #
Proposal for a regulation
Article 18
Article 18
Regulation (EU) 2019/818
Article 39 – paragraphs 1 and 2
Article 39 – paragraphs 1 and 2