The EDPS has issued an Opinion on two legislative Proposals on the collection and transfer of advance passenger information (API), which includes air passengers’ personal data included in their travel documents (passport or identity cards) that is collected during check-in. The Proposals have two different aims: the first one, to facilitate effective border checks and to combat illegal immigration, and the other one, to prevent, detect, investigate, and prosecute terrorist offences and serious crime.
The EDPS Opinion focuses on whether it is necessary and proportional for individuals’ API data from intra-EU flights, meaning flights from one EU country to another EU country, to be collected and transferred to the competent national authorities for law enforcement purposes. In particular, the EDPS assesses whether such processing is compatible with the existing Passenger Name Record Directive (PNR) - which lays down the rules on the collection of passengers’ personal travel data to tackle cross-border crime and terrorism, and the recent ruling of the Court of Justice of the European Union (CJEU) in the Ligue des droits humains case.
Wojciech Wiewiórowski, EDPS, said: "According to the CJEU’s ruling on the PNR Directive, EU countries are able to process individuals’ travel data from selected intra-EU flights, as a way of preventing serious crime and terrorism. API data may not be as intrusive for the right to private life and protection of personal data as the full PNR datasets considered by the Court in its ruling. However, in line with the fundamental rights guaranteed in the EU Charter of Fundamental Rights, including the right to free movement, processing of API data must also be limited to what is strictly necessary. EU law should be clear in that respect. Therefore, I call for harmonised criteria for the selection of intra-EU flights, from which API data should be collected, to avoid divergent practices amongst EU countries."
In the Opinion, the EDPS recommends the development of harmonised criteria and a common methodology to help determine, on what basis, and from which intra-EU flights, individuals’ API data would be collected, in line with the CJEU’s ruling. The EDPS also recommends further strengthening the security measures envisaged by applying additional data protection safeguards, such as pseudonymisation or encryption of API data, if technically and operationally possible.
The EDPS Opinion includes other recommendations as well, in particular on the deletion of personal data if it cannot be transferred to the competent national authorities for technical reasons.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.