COMMISSION STAFF WORKING DOCUMENT Subsidiarity Grid Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818
Tilhører sager:
Aktører:
1_EN_autre_document_travail_service_part1_v3.pdf
https://www.ft.dk/samling/20221/kommissionsforslag/kom(2022)0731/forslag/1917348/2640182.pdf
EN EN EUROPEAN COMMISSION Strasbourg, 13.12.2022 SWD(2022) 424 final COMMISSION STAFF WORKING DOCUMENT Subsidiarity Grid Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818 {COM(2022) 731 final} Offentligt KOM (2022) 0731 - SWD-dokument Europaudvalget 2022 1 1. Can the Union act? What is the legal basis and competence of the Unions’ intended action? 1.1 Which article(s) of the Treaty are used to support the legislative proposal or policy initiative? Under point (d) of paragraph 1 of Article 82 TFEU, the Union has the power to adopt measures relating to facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions. Under point (a) of paragraph 2 of Article 87 TFEU, the Union has the power to adopt measures on the collection, storage, processing, analysis, and exchange of relevant information for the purposes of police cooperation in the EU. This is the appropriate legal basis for the proposed Regulation on the collection and transfer of API data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [law enforcement purposes]. 1.2 Is the Union competence represented by this Treaty article exclusive, shared or supporting in nature? Both in the case of the proposed Regulation on the collection and transfer of API data for border management purposes and the proposed Regulation on the collection and transfer of API data for law enforcement purposes, the Union’s competence is shared. 2. Subsidiarity Principle: Why should the EU act? 2.1 Does the proposal fulfil the procedural requirements of Protocol No. 21 : - Has there been a wide consultation before proposing the act? - Is there a detailed statement with qualitative and, where possible, quantitative indicators allowing an appraisal of whether the action can best be achieved at Union level? - The preparation of the proposals involved a wide range of consultations of concerned stakeholders, including Member States’ authorities (competent border authorities, Passenger Information Units), transport industry representatives and individual air carriers. EU agencies – such as the European Border and Coast Guard Agency (Frontex), the EU Agency for Law Enforcement Cooperation (Europol), the EU Agency for the Operational Management of Large-Scale IT systems in the Area of Freedom, Security and Justice (eu-LISA) and the EU Agency for Fundamental Rights (FRA), also provided input in light of their mandate and expertise. This initiative also integrates the views and feedback received during the public consultation carried out end of 2019 within the framework of the evaluation of the API Directive. - Consultation activities in the context of the preparation of the impact assessment supporting the proposals gathered feedback from stakeholders using various methods. These activities included notably an inception impact assessment, an external supporting study and a series of technical workshops. - An inception impact assessment was published for feedback from 5 June 2020 to 14 August 2020, with a total of seven contributions received providing feedback on the extension of the scope of the future API Directive, data quality, sanctions, relation of API and PNR data, and protection of personal data. - The external supporting study was conducted based on desk research, interviews and surveys with subject matter experts which examined different possible measures for the processing of API data with clear rules that facilitate legitimate travel, are consistent with 1 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12016E/PRO/02&from=EN 2 interoperability of EU information systems, EU personal data protection requirements, and other existing EU instruments and international standards. - The Commission services also organised a series of technical workshops with experts from Member States and Schengen Associated Countries. These workshops aimed at bringing together experts for an exchange of views on the possible options which were envisaged to strengthen the future API framework for border management purposes, and also for fighting crime and terrorism. - The explanatory memorandum of the proposals and the impact assessment (chapter 3) contain a section on the principle of subsidiarity (see the reply to question 2.2 below). 2.2 Does the explanatory memorandum (and any impact assessment) accompanying the Commission’s proposal contain an adequate justification regarding the conformity with the principle of subsidiarity? The proposed Regulation on the collection and transfer of API data for law enforcement purposes, law enforcement authorities must be provided with effective tools to fight terrorism and serious crime. As most serious crimes and terrorist acts involve international travel, often by air, PNR data have proven to be very efficient to protect the internal security of the EU. Furthermore, investigations for the purpose of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime carried out by the competent authorities of the Member States are largely dependent on international and cross-border cooperation. In an area without internal border controls, collection, processing and exchange of passenger data, including PNR and API data, by Member States are also efficient compensatory measures. By acting coherently at EU level, the proposal will contribute to increasing the security of the Member States and, by extension, of the EU as a whole. The current API Directive is part of the Schengen acquis related to the crossing of the external borders. It therefore does not regulate the collection and transfer of API data on intra-EU flights. In the absence of API data to complement the PNR data for these flights, Member States have implemented a variety of different measures that seek to compensate the lack of identity data on the passengers. This includes physical conformity checks to verify identity data between travel document and boarding card that generate new issues without solving the underlying problem of not having API data. Action at EU level will help to ensure the application of harmonised provisions on safeguarding fundamental rights, in particular personal data protection, in the Member States. The different systems of Member States that have already established similar mechanisms, or will do so in the future, may impact negatively on the air carriers as they may have to comply with several diverging national requirements, for example regarding the types of information to be transferred and the conditions under which this information needs to be provided to the Member States. These differences are prejudicial to effective cooperation between the Member States for the purposes of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime. Such harmonised rules can only be set at EU level. Since the objectives of this proposal cannot be sufficiently achieved by the Member States, and can be better achieved at Union level, it can be concluded that the EU is both entitled to act and better placed to do so than the Member States acting independently. The proposal therefore complies with the subsidiarity principle as set out in Article 5 of the Treaty on European Union. 2.3 Based on the answers to the questions below, can the objectives of the proposed action be achieved sufficiently by the Member States acting alone (necessity for EU action)? The need for common rules on the collection and transfer of API data for border management is 3 linked to the creation of the Schengen area and the establishment of common rules governing the movement of persons across the external borders, in particular with the Schengen Borders Code.2 In this context, the decisions of one Member State affect other Member States, therefore it is necessary to have common and clear rules and operational practices in this area. Efficient and effective external border controls require a coherent approach across the entire Schengen area, including on the possibility of pre-checks of travellers with API data. (a) Are there significant/appreciable transnational/cross-border aspects to the problems being tackled? Have these been quantified? The threat posed by serious crime and terrorism is both transnational and cross-border. (b) Would national action or the absence of the EU level action conflict with core objectives of the Treaty3 or significantly damage the interests of other Member States? Yes, enhancing external border management can only be achieve by way of joint action. Likewise, an effective fight against serious crime and terrorism requires joint action across Member States. (c) To what extent do Member States have the ability or possibility to enact appropriate measures? The current API Directive is part of the Schengen acquis related to the crossing of the external borders. It therefore does not regulate the collection and transfer of API data on intra-EU flights. In the absence of API data to complement the PNR data for these flights, Member States have implemented a variety of different measures that seek to compensate the lack of identity data on the passengers. This includes physical conformity checks to verify identity data between travel document and boarding card that generate new issues without solving the underlying problem of not having API data. (d) How does the problem and its causes (e.g. negative externalities, spill-over effects) vary across the national, regional and local levels of the EU? While there are some regional differences, the threat posed by serious crime and terrorism is also shared threat across the EU. (e) Is the problem widespread across the EU or limited to a few Member States? The need to enhance external border management is shared across the EU. The threat posed by serious crime and terrorism is also shared threat across the EU. (f) Are Member States overstretched in achieving the objectives of the planned measure? No. (g) How do the views/preferred courses of action of national, regional and local authorities differ across the EU? The comprehensive stakeholder consultation carried out in preparation of the proposals did not indicate any difference of views at national, regional or local level. 2 Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code). 3 https://europa.eu/european-union/about-eu/eu-in-brief_en 4 2.4 Based on the answer to the questions below, can the objectives of the proposed action be better achieved at Union level by reason of scale or effects of that action (EU added value)? The 2020 evaluation showed that the API Directive has had a number of positive effects in those Member States that had established a national API system when implementing the Directive and request API data from air carriers.4 This would not have been realised by Member States acting alone.5 Using the international standards alone to establish national API systems in the Member States would have been possible without the API Directive but it may not have resulted in a coordinated outcome. However, the evaluation of the Directive also showed that the EU legal current framework leads to inconsistent and diverging practices in the Member States on API data requiring further EU action in this area, including with a separate legal instrument on law enforcement. (a) Are there clear benefits from EU level action? Yes. As illustrated by the effectiveness of existing EU instruments for external border management or law enforcement, such as the Schengen Information System, EU action can bring significant added value to Member States in these areas. Likewise, EU action brings added value for the management of the Schengen external borders and for internal security in the Union. (b) Are there economies of scale? Can the objectives be met more efficiently at EU level (larger benefits per unit cost)? Will the functioning of the internal market be improved? Yes. (c) What are the benefits in replacing different national policies and rules with a more homogenous policy approach? A homogenous policy approach overcomes existing inconsistent and diverging practices in the Member States on API data. (d) Do the benefits of EU-level action outweigh the loss of competence of the Member States and the local and regional authorities (beyond the costs and benefits of acting at national, regional and local levels)? Yes. (e) Will there be improved legal clarity for those having to implement the legislation? Yes. 3. Proportionality: How the EU should act 3.1 Does the explanatory memorandum (and any impact assessment) accompanying the Commission’s proposal contain an adequate justification regarding the proportionality of the proposal and a statement allowing appraisal of the compliance of the proposal with the principle of proportionality? The proposed Regulation on the collection and transfer of API data for law enforcement purposes, subject to strict limitations and safeguards, will strengthen the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Consequently, the proposed rules 4 The 202 evaluation of the API also showed that Cyprus and Greece did not establish an API system and do not request API data. 5 Evaluation of the API Directive, SWD(2020)174, p. 51. 5 correspond to an identified need to enhance internal security, responding effectively to the problem resulting from the absence of joint processing of API data and PNR data, including on those intra-EU flights for which Member States receive PNR data. The scope of the proposal is limited to what is strictly necessary, i.e. it is limited to those elements that require a harmonised EU approach, namely the purposes for which API can be used by the Passenger Information Units, the data elements that need to be collected and the means for the collection and transfer of the API data from travellers. The transfer of the API data to the router reduces the complexity for air carriers to maintain connections with Passenger Information Units and introduces economies of scale, whilst reducing the scope for errors and abuse. The purpose covers only terrorist offences and serious crime, as defined in the proposal, in view of the serious nature thereof and their transnational dimension. To limit the interference on the rights of passengers to what is strictly necessary, a number of safeguards are set out in the proposals. More specifically, the processing of API data under the proposed Regulations is restricted to a closed and limited list of API data. Beyond that, no additional identity data are to be collected. Moreover, the proposed Regulation only provides for rules on the collection and transfer of API data through the router to the PIUs for the limited purposes specified therein and does not regulate the further processing of API data by the PIUs, given that, as explained above, that is covered by other acts of EU law (PNR Directive, personal data protection law, the Charter). The functionalities of the router and in particular its capability to collect and provide comprehensive statistical information also supports the monitoring of the implementation of this Regulation by air carriers and Passenger Information Units. Certain specific safeguards are also provided for, such as rules on logging, personal data protection and security. To ensure the necessity and proportionality of the data processing under the proposed Regulation, and more specifically as regards the collection and transfer of API data on intra-EU flights, Member States will only receive API data for those intra-EU flights that they have selected in line with the abovementioned case law of the CJEU. In addition, the further processing of API data by PIUs would be subject to the limits and safeguards established in the PNR Directive, as interpreted by the CJEU in the Ligue des droits humains case6 in the light of the Charter. 3.2 Based on the answers to the questions below and information available from any impact assessment, the explanatory memorandum or other sources, is the proposed action an appropriate way to achieve the intended objectives? Yes, the two proposals set out an appropriate way to achieve the intended objectives. (a) Is the initiative limited to those aspects that Member States cannot achieve satisfactorily on their own, and where the Union can do better? Yes. (b) Is the form of Union action (choice of instrument) justified, as simple as possible, and coherent with the satisfactory achievement of, and ensuring compliance with the objectives pursued (e.g. choice between regulation, (framework) directive, recommendation, or alternative regulatory methods such as co-legislation, etc.)? Yes. (c) Does the Union action leave as much scope for national decision as possible while achieving 6 CJEU, iudgment of 21 June 2022, case C-817/19, Ligue des droits humains. 6 satisfactorily the objectives set? (e.g. is it possible to limit the European action to minimum standards or use a less stringent policy instrument or approach?) Yes. (d) Does the initiative create financial or administrative cost for the Union, national governments, regional or local authorities, economic operators or citizens? Are these costs commensurate with the objective to be achieved? Yes, as assessed in the impact assessment and the legislative financial statement, the proposal will mean additional costs for the Union, national authorities and carriers. These costs will be offset in the medium to the long term thanks to the efficiencies created by the establishment of the router – a single point of entry – for the data to be collected and transmitted by air carriers to the Member States. (e) While respecting the Union law, have special circumstances applying in individual Member States been taken into account? No, as there are no such special circumstances in the aspects addressed by the proposal.