49 Amendments of Birgit SIPPEL related to 2022/0424(COD)
Amendment 72 #
Proposal for a regulation
Recital 2
Recital 2
(2) The use of traveller data and flight information transferred ahead of the arrival of travellers, known as advance passenger information (‘API’) data, contributes to the speeding up of the process of carrying out the required checks during the border- crossing process. For the purposes of this Regulation that process concerns, more specifically, the crossing of borders between a third country or a Member State not participating in this Regulation, on the one hand, and a Member State participating in this Regulation, on the other hand. Such use could strengthens checks at those external borders by providing sufficient time to enable detailed and comprehensive checks to be carried out on all travellers, without having a disproportionate negative effect on persons travelling in good faith. Therefore, in the interest of the effectiveness and efficiency of checks at external borders, an appropriate legal framework should be provided for to ensure that Member States’ competent border authorities at such external border crossing points have access to API data prior to the arrival of travellers.
Amendment 74 #
Proposal for a regulation
Recital 5
Recital 5
(5) In order to ensure as consistent approach at internats possible at the Unional level as much as possible and in view of the rules on the collection of API data applicable at that level, the updated legal framework established by this Regulation should take into account the relevant practices internationally agreed with the air industry and, specifically in the context of the World Customs Organisation, International Aviation Transport Association and International Civil Aviation Organisation Guidelines on Advance Passenger Information.
Amendment 75 #
Proposal for a regulation
Recital 6
Recital 6
(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the APIprocessing of any API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.
Amendment 77 #
Proposal for a regulation
Recital 7
Recital 7
(7) In order to achieve its objectives, this Regulation should apply to all air carriers conducting flights into the Union, as defined in this Regulation, covering both scheduled and non-scheduled flights, irrespective of the place of establishment of the air carriers conducting those flights.
Amendment 81 #
Proposal for a regulation
Recital 8
Recital 8
(8) In the interest of effectiveness and legal certainty, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each traveller and information on the flight oftaken by that traveller. Such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned in all cases covered by this Regulation, but that. However, such information should be collected only where applicable under Regulation (EU) [API law enforcement], that is, not when the API data relate to intra-EU flights.
Amendment 83 #
Proposal for a regulation
Recital 9
Recital 9
(9) In order to allow for flexibility and innovation, it should in principle be left to each air carrier to determine how it meets its obligations regarding the collection of API data set out in this Regulation. However, considering that suitable technological solutions exist that allow collecting certain API data automatically while guaranteeing that the API data concerned is accurate, complete and up-to- date, and having regard to the advantages of the use of such technology in terms of effectiveness and efficiency, air carriers should be required to collect thate API data using automated means, specifically by reading information from the machine- readable data of the travel document. The collection of API data by automated means should be limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it.
Amendment 86 #
Proposal for a regulation
Recital 10
Recital 10
(10) Automated means enable travellers to provide certain API data themselves during an online check-in process. Such means could, for example, include a secure app on a travellers’ smartphone, computer or webcam with the capability to read the machine-readable data of the travel document. Where the travellers did not check-in online, air carriers should in practice provide them with the possibility to provide the required machine-readable API data concerned during the check-in at the airport, with the assistance of a self-service kiosk or of airline staff at the counter.
Amendment 88 #
Proposal for a regulation
Recital 11
Recital 11
(11) The Commission should be empowered to adopt technical requirements and procedural rules that air carriers are toshould comply with in connection toregarding the use of automated means for the collection of machine-readable API data under this Regulation, so as to increase clarity and legal certainty and to contribute to ensuring data quality and the responsible use of the automated means.
Amendment 101 #
Proposal for a regulation
Recital 17
Recital 17
(17) In order to avoid that air carriers have to establish and maintain multiple connections with the competent border authorities of the Member States’ for the transfer of API data collected under this Regulation and the related inefficiencies and security risks, provision should be made for a single router, created and operated at Union level, that serves as a connection and distribution point for those transfers. In the interest of efficiency and cost effectiveness, the router should, to the extent technically possible and in full respect of the rules of this Regulation and Regulation (EU) [API law enforcement], rely on technical components from other relevant systems created under Union law. To provide for the same level of clarity and certainty, the provisions related to the router, security and support tasks by eu- LISA should be mirrored in this Regulation and Regulation (EU) [API law enforcement], as eu-LISA should build and maintain only one router for the purposes of both Regulations.
Amendment 105 #
Proposal for a regulation
Recital 19
Recital 19
(19) The router should serve only to facilitate the transmission of API data from the air carriers to the competent border authorities in accordance with this Regulation and to PIUs in accordance with Regulation (EU) [API law enforcement], and should not be a repository of API data. Therefore, and in order to minimise any risk of unauthorised access or other misuse and in accordance with the principle of data minimisation, any storage of the API data on the router should remain limited to what is strictly necessary for technical purposes related to the transmission and the API data should be deleted from the router, immediately, permanently and in an automated manner, from the moment that the transmission has been completed or, where relevant under Regulation (EU) [API law enforcement], the API data is not to be transmitted at all.
Amendment 113 #
Proposal for a regulation
Recital 23
Recital 23
(23) In view of the Union interests at stake, the costs incurred by eu-LISA for the performance of its tasks under this Regulation and Regulation (EU) [API law enforcement] in respect of the router should be borne by the Union budget. The same should go for appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation and in accordance with the applicable legislation, subject to certain exceptions. The costs covered by those exceptions should be borne by each Member State concerned itself.
Amendment 114 #
Proposal for a regulation
Recital 25
Recital 25
(25) In the interest of ensuring compliance with the fundamental right tof the travellers to the protection of their personal data, this Regulation should identify the controller and processor and set out rules on audits. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council34 and Regulation (EU) 2018/1725 of the European Parliament and the Council.35 Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation. Taking due consideration of the right of the travellers to be informed of the processing of their personal data for the purposes of this Regulation, the air carriers should inform travellers, at the moment of booking and at the moment of check-in, of the purpose of the collection of their personal data and of their rights as data subjects. _________________ 34 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). 35 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Amendment 118 #
Proposal for a regulation
Recital 30
Recital 30
(30) As the router should be designed, developed, hosted and technically managed by the eu-LISA, established by Regulation (EU) 2018/1726 of the European Parliament and of the Council36 , it is necessary to amend that Regulation by adding that task to the tasks of eu-LISA. In order to store reports and statistics of the router on the Common Repository for Reporting and Statistics it is necessary to amend Regulation (EU) 2019/817 of the European Parliament and of the Council37 . The Common Repository for Reporting and Statistics should only provide statistics based on API data for the implementation and effective supervision of this Regulation. The data that the router automatically transmits to the Common Repository for Reporting and Statistics to that end should not allow for the identification of the travellers concerned. _________________ 36 Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99). 37 Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27).
Amendment 127 #
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
Article 1 – paragraph 1 – introductory part
For the purposes of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this Regulation lays down the rules on:
Amendment 150 #
Proposal for a regulation
Article 3 – paragraph 1 – point l
Article 3 – paragraph 1 – point l
(l) ‘Passenger Information Unit’ or ‘PIU’ means the competent authority referred to in Article 3, point ik, of Regulation (EU) [API law enforcement];
Amendment 152 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Air carriers shall collect API data of travellers, consisting of the traveller data and the flight information specified in paragraphs 2 and 3 of this Article, respectively, on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with Article 6. Where the flight is code- shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.
Amendment 163 #
Proposal for a regulation
Article 5 – paragraph 2 – subparagraph 1
Article 5 – paragraph 2 – subparagraph 1
Air carriers shall collect the alphanumerical API data referred to Article 4(2), points (a) to (d), using automated means to collect the machine- readable data of the travel document of the traveller concerned. Air carriers shall collect that data during the check-in procedures, either as part of the online check-in or as part of the check-in at the airport. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 4, where such rules have been adopted and are applicable. Specifically, the collection of API data with automated means shall not lead to the collection of any biometric data from the travel document.
Amendment 168 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up- to-date. Air carriers shall ensure that API data is encrypted during the transmission of the data from the traveller to the air carriers.
Amendment 176 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
The competent border authorities shall process API data, transferred to them in accordance with this Regulation, solely for the purposes referred to in Article 1. The competent border authorities shall under no circumstances process API data for the purposes of profiling.
Amendment 181 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. Air carriers shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they collected pursuant to Article 4. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 186 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
2. The competent border authorities shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they received through the router pursuant to Article 11. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 196 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. eu-LISA shall design, develop, host and technically manage, in accordance with Articles 22 and 23, a router for the purpose of facilitating the transfer of API data by the air carriers to the competent border authorities and to the PIUs in accordance with this Regulation and Regulation (EU) [API law enforcement], respectively.
Amendment 203 #
Proposal for a regulation
Article 9 – paragraph 3 a (new)
Article 9 – paragraph 3 a (new)
3a. eu-LISA shall design and develop the router in a way that for any transfer of API data from the air carriers to the router in accordance with Article 6, and for any transmission of API data from the router to the competent border authorities in accordance with Article 11 and to the central repository for reporting and statistics in accordance with Article 31(2), the API data is encrypted during transit.
Amendment 206 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
Amendment 220 #
Proposal for a regulation
Article 12 – paragraph 1 – introductory part
Article 12 – paragraph 1 – introductory part
API data, transferred to the router pursuant to this Regulation and Regulation (EU) [API law enforcement], shall be stored on the router only insofar as necessary to complete the transmission to the relevant competent borders authorities or PIUs, as applicable, in accordance with those Regulations and shall be deleted from the router, immediately, permanently and in an automated manner, in both of the following situations:
Amendment 222 #
Proposal for a regulation
Article 12 – paragraph 1 – point a
Article 12 – paragraph 1 – point a
(a) where the transmission of the API data to the relevant competent border authorities or PIUs, as applicable, has been completed;
Amendment 223 #
Proposal for a regulation
Article 12 – paragraph 1 – point a a (new)
Article 12 – paragraph 1 – point a a (new)
(aa) in cases of technical impossibility of the router to subsequently transmit the API data to the competent national authorities, after 12 hours;
Amendment 226 #
Proposal for a regulation
Article 12 – paragraph 1 – point b
Article 12 – paragraph 1 – point b
Amendment 228 #
eu-LISA shall keep logs of all processing operations relating to the transfer of API data through the router under this Regulation and Regulation (EU) [API law enforcement]. Those logs shall cover the following:
Amendment 229 #
Proposal for a regulation
Article 13 – paragraph 1 – subparagraph 1 – point b
Article 13 – paragraph 1 – subparagraph 1 – point b
(b) the competent border authorities and PIUs to which the API data was transmitted through the router;
Amendment 232 #
Proposal for a regulation
Article 13 – paragraph 3
Article 13 – paragraph 3
3. The logs referred to in paragraphs 1 and 2 shall be used only for ensuring the security and integrity of the API data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation and Regulation (EU) [API Law Enforcement], including proceedings for penalties for infringements of those requirements in accordance with Articles 29 and 30 of this Regulation.
Amendment 238 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
The competent border authorities shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, in relation to the processing of API data constituting personal data through the router , including the transmission of the data from the router to the authorities and the storage for technical reasons of that data in the router, as well as in relation to their processing of API data constituting personal data referred to in Article 7 of this Regulation.
Amendment 241 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
eu-LISA shall be the processor on behalf of the competent border authorities within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation and Regulation (EU) [API law enforcement].
Amendment 243 #
Proposal for a regulation
Article 16 a (new)
Article 16 a (new)
Article16a Information to travellers In accordance with the right of information in Article 13 of Regulation (EU) 2016/679, air carriers shall provide travellers, on flights covered by this Regulation, with information on the purpose of the collection of personal data, the type of data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to travellers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the data at the moment of check-in in accordance with Article 5.
Amendment 246 #
Proposal for a regulation
Article 17 – paragraph 1
Article 17 – paragraph 1
1. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation and Regulation (EU) [API law enforcement]. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu-LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
Amendment 250 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu- LISA for the purposes of this Regulation and Regulation (EU) [API law enforcement] is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted.
Amendment 251 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Article 20 – paragraph 1 – subparagraph 1
Member States shall ensure that their competent border authorities are connected to the router. They shall ensure that the competent border authorities’ systems and infrastructure for the reception of API data transferred purpsuant to this Regulation are integrated with the router.
Amendment 255 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation and Regulation (EU) [API law enforcement], and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in Article 5(4), Article 6(3), Article 11(4), Article 20(2) and Article 21(2).
Amendment 256 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 1
Article 23 – paragraph 2 – subparagraph 1
eu-LISA shall be responsible for the technical management of the router, including its maintenance and technical developments, in such a manner as to ensure that the API data are securely, effectively and swiftly transmitted through the router, in compliance with this Regulation and Regulation (EU) [API law enforcement].
Amendment 257 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
Article 23 – paragraph 2 – subparagraph 2
The technical management of the router shall consist of carrying out all the tasks and enacting all technical solutions necessary for the proper functioning of the router in accordance with this Regulation, Regulation (EU) [API law enforcement], in an uninterrupted manner, 24 hours a day, 7 days a week. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability, accuracy and reliability of the transmission of API data, in accordance with the technical specifications and, as much as possible, in line with the operational needs of the competent border authorities, PIUs and air carriers.
Amendment 259 #
Proposal for a regulation
Article 24 – paragraph 2
Article 24 – paragraph 2
2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation and Regulation (EU) [API law enforcement], respectively, in particular as regards the application of Articles 11 and 20 of this Regulation and Articles 5 and 10 of Regulation (EU) [API law enforcement].
Amendment 262 #
Proposal for a regulation
Article 25 – paragraph 1
Article 25 – paragraph 1
1. Costs incurred by eu-LISA in relation to the design, development, hosting and technical management of the router under this Regulation and Regulation (EU) [API law enforcement] shall be borne by the general budget of the Union.
Amendment 271 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. Every quarterTo support the implementation and supervision of this Regulation and based on the statistical information referred to in paragraph 5 of this Article, eu-LISA shall publish every quarter statistics on the functioning of the router, and on compliance by air carriers. The stastistics shall showing in particular, the number, the nationality and the country of departure of the travellers, and specifically of the of flights for which the router transmitted API data to competent border authorities. The statistics shall also show the number of flights for which air carriers did not transfer API data, and the number of travellers who boarded the aircraft with inaccurate, incomplete or no longer up-to-date API data, with a non- recognised travel document, without a valid visa, without a valid travel authorization, or reported as overstay, the number and nationality of travellers.
Amendment 274 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2
2. eu-LISA shall store the daily statistics inFor the purposes set out in paragraph 1, the router shall automatically transmit the data listed in paragraph 5 to the central repository for reporting and statistics established in Article 39 of Regulation (EU) 2019/817 without the data allowing for the identification of the travellers concerned.
Amendment 275 #
Proposal for a regulation
Article 31 – paragraph 3
Article 31 – paragraph 3
3. At the end of each year, to support the implementation and supervision of this Regulation, eu-LISA shall compile statistical data in an annual report for that year. It shall publish that annual report and transmit it to the European Parliament, the Council, the Commission, the European Data Protection Supervisor, the European Border and Coast Guard Agency and the national supervisory authorities referred to in Article 29.
Amendment 277 #
Proposal for a regulation
Article 31 – paragraph 4
Article 31 – paragraph 4
4. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation and Regulation (EU) [API Law enforcement] as well as the statistics pursuant to paragraph 3.
Amendment 278 #
Proposal for a regulation
Article 31 – paragraph 5 – introductory part
Article 31 – paragraph 5 – introductory part
5. eu-LISA shall have the right to access the following API data transmitted through to the router, solely for the purposes ofThe central repository for reporting and statistics shall provide eu- LISA with the statistical information necessary for the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, without however such accessbased on the following data elements, and without the statistical information provided allowing for the identification of the travellers concerned:
Amendment 283 #
Proposal for a regulation
Article 31 – paragraph 5 – point b
Article 31 – paragraph 5 – point b
(b) the nationality, sex and year of birth of the traveller;
Amendment 291 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
6. For the the purposes of the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, eu-LISA shall store the data referred to in paragraph 5 of this Article in the central repository for reporting and statistics established by Article 39 of Regulation (EU) 2019/817. The cross-system statistical data and analytical reporting referred to in Article 39(1) of that Regulation shall allow the competent border authorities and other relevant authorities of the Member States to obtain customisable reports and statistics, for the purposes referred to in Article 1 of this Regulationthe central repository for reporting and statistics shall store for a period of three years the data listed in paragraph 5 that it received automatically from the router in accordance with paragraph 2, without the data allowing for the identification of the travellers concerned.