COMMISSION STAFF WORKING DOCUMENT Subsidiarity Grid Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818

EN EN
EUROPEAN
COMMISSION
Strasbourg, 13.12.2022
SWD(2022) 424 final
COMMISSION STAFF WORKING DOCUMENT
Subsidiarity Grid
Accompanying the document
Proposal for a Regulation of the European Parliament and of the Council
on the collection and transfer of advance passenger information for the prevention,
detection, investigation and prosecution of terrorist offences and serious crime, and
amending Regulation (EU) 2019/818
{COM(2022) 731 final}
Offentligt
KOM (2022) 0731 - SWD-dokument
Europaudvalget 2022
1
1. Can the Union act? What is the legal basis and competence of the Unions’ intended action?
1.1 Which article(s) of the Treaty are used to support the legislative proposal or policy initiative?
Under point (d) of paragraph 1 of Article 82 TFEU, the Union has the power to adopt measures
relating to facilitate cooperation between judicial or equivalent authorities of the Member States in
relation to proceedings in criminal matters and the enforcement of decisions. Under point (a) of
paragraph 2 of Article 87 TFEU, the Union has the power to adopt measures on the collection,
storage, processing, analysis, and exchange of relevant information for the purposes of police
cooperation in the EU. This is the appropriate legal basis for the proposed Regulation on the
collection and transfer of API data for the prevention, detection, investigation and prosecution of
terrorist offences and serious crime [law enforcement purposes].
1.2 Is the Union competence represented by this Treaty article exclusive, shared or supporting in
nature?
Both in the case of the proposed Regulation on the collection and transfer of API data for border
management purposes and the proposed Regulation on the collection and transfer of API data for
law enforcement purposes, the Union’s competence is shared.
2. Subsidiarity Principle: Why should the EU act?
2.1 Does the proposal fulfil the procedural requirements of Protocol No. 21
:
- Has there been a wide consultation before proposing the act?
- Is there a detailed statement with qualitative and, where possible, quantitative indicators
allowing an appraisal of whether the action can best be achieved at Union level?
- The preparation of the proposals involved a wide range of consultations of concerned
stakeholders, including Member States’ authorities (competent border authorities,
Passenger Information Units), transport industry representatives and individual air carriers.
EU agencies – such as the European Border and Coast Guard Agency (Frontex), the EU
Agency for Law Enforcement Cooperation (Europol), the EU Agency for the Operational
Management of Large-Scale IT systems in the Area of Freedom, Security and Justice (eu-LISA)
and the EU Agency for Fundamental Rights (FRA), also provided input in light of their
mandate and expertise. This initiative also integrates the views and feedback received during
the public consultation carried out end of 2019 within the framework of the evaluation of the
API Directive.
- Consultation activities in the context of the preparation of the impact assessment supporting
the proposals gathered feedback from stakeholders using various methods. These activities
included notably an inception impact assessment, an external supporting study and a series
of technical workshops.
- An inception impact assessment was published for feedback from 5 June 2020 to 14 August
2020, with a total of seven contributions received providing feedback on the extension of the
scope of the future API Directive, data quality, sanctions, relation of API and PNR data, and
protection of personal data.
- The external supporting study was conducted based on desk research, interviews and
surveys with subject matter experts which examined different possible measures for the
processing of API data with clear rules that facilitate legitimate travel, are consistent with
1
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12016E/PRO/02&from=EN
2
interoperability of EU information systems, EU personal data protection requirements, and
other existing EU instruments and international standards.
- The Commission services also organised a series of technical workshops with experts from
Member States and Schengen Associated Countries. These workshops aimed at bringing
together experts for an exchange of views on the possible options which were envisaged to
strengthen the future API framework for border management purposes, and also for fighting
crime and terrorism.
- The explanatory memorandum of the proposals and the impact assessment (chapter 3)
contain a section on the principle of subsidiarity (see the reply to question 2.2 below).
2.2 Does the explanatory memorandum (and any impact assessment) accompanying the
Commission’s proposal contain an adequate justification regarding the conformity with the
principle of subsidiarity?
The proposed Regulation on the collection and transfer of API data for law enforcement purposes,
law enforcement authorities must be provided with effective tools to fight terrorism and serious
crime. As most serious crimes and terrorist acts involve international travel, often by air, PNR data
have proven to be very efficient to protect the internal security of the EU. Furthermore,
investigations for the purpose of preventing, detecting, investigating, and prosecuting terrorist
offences and serious crime carried out by the competent authorities of the Member States are
largely dependent on international and cross-border cooperation.
In an area without internal border controls, collection, processing and exchange of passenger data,
including PNR and API data, by Member States are also efficient compensatory measures. By acting
coherently at EU level, the proposal will contribute to increasing the security of the Member States
and, by extension, of the EU as a whole.
The current API Directive is part of the Schengen acquis related to the crossing of the external
borders. It therefore does not regulate the collection and transfer of API data on intra-EU flights. In
the absence of API data to complement the PNR data for these flights, Member States have
implemented a variety of different measures that seek to compensate the lack of identity data on the
passengers. This includes physical conformity checks to verify identity data between travel document
and boarding card that generate new issues without solving the underlying problem of not having API
data.
Action at EU level will help to ensure the application of harmonised provisions on safeguarding
fundamental rights, in particular personal data protection, in the Member States. The different
systems of Member States that have already established similar mechanisms, or will do so in the
future, may impact negatively on the air carriers as they may have to comply with several diverging
national requirements, for example regarding the types of information to be transferred and the
conditions under which this information needs to be provided to the Member States. These
differences are prejudicial to effective cooperation between the Member States for the purposes of
preventing, detecting, investigating, and prosecuting terrorist offences and serious crime. Such
harmonised rules can only be set at EU level.
Since the objectives of this proposal cannot be sufficiently achieved by the Member States, and can
be better achieved at Union level, it can be concluded that the EU is both entitled to act and better
placed to do so than the Member States acting independently. The proposal therefore complies with
the subsidiarity principle as set out in Article 5 of the Treaty on European Union.
2.3 Based on the answers to the questions below, can the objectives of the proposed action be
achieved sufficiently by the Member States acting alone (necessity for EU action)?
The need for common rules on the collection and transfer of API data for border management is
3
linked to the creation of the Schengen area and the establishment of common rules governing the
movement of persons across the external borders, in particular with the Schengen Borders Code.2
In
this context, the decisions of one Member State affect other Member States, therefore it is necessary
to have common and clear rules and operational practices in this area. Efficient and effective
external border controls require a coherent approach across the entire Schengen area, including on
the possibility of pre-checks of travellers with API data.
(a) Are there significant/appreciable transnational/cross-border aspects to the problems being
tackled? Have these been quantified?
The threat posed by serious crime and terrorism is both transnational and cross-border.
(b) Would national action or the absence of the EU level action conflict with core objectives of
the Treaty3
or significantly damage the interests of other Member States?
Yes, enhancing external border management can only be achieve by way of joint action. Likewise, an
effective fight against serious crime and terrorism requires joint action across Member States.
(c) To what extent do Member States have the ability or possibility to enact appropriate
measures?
The current API Directive is part of the Schengen acquis related to the crossing of the external
borders. It therefore does not regulate the collection and transfer of API data on intra-EU flights. In
the absence of API data to complement the PNR data for these flights, Member States have
implemented a variety of different measures that seek to compensate the lack of identity data on the
passengers. This includes physical conformity checks to verify identity data between travel document
and boarding card that generate new issues without solving the underlying problem of not having API
data.
(d) How does the problem and its causes (e.g. negative externalities, spill-over effects) vary
across the national, regional and local levels of the EU?
While there are some regional differences, the threat posed by serious crime and terrorism is also
shared threat across the EU.
(e) Is the problem widespread across the EU or limited to a few Member States?
The need to enhance external border management is shared across the EU. The threat posed by
serious crime and terrorism is also shared threat across the EU.
(f) Are Member States overstretched in achieving the objectives of the planned measure?
No.
(g) How do the views/preferred courses of action of national, regional and local authorities
differ across the EU?
The comprehensive stakeholder consultation carried out in preparation of the proposals did not
indicate any difference of views at national, regional or local level.
2
Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union
Code on the rules governing the movement of persons across borders (Schengen Borders Code).
3
https://europa.eu/european-union/about-eu/eu-in-brief_en
4
2.4 Based on the answer to the questions below, can the objectives of the proposed action be
better achieved at Union level by reason of scale or effects of that action (EU added value)?
The 2020 evaluation showed that the API Directive has had a number of positive effects in those
Member States that had established a national API system when implementing the Directive and
request API data from air carriers.4
This would not have been realised by Member States acting
alone.5
Using the international standards alone to establish national API systems in the Member
States would have been possible without the API Directive but it may not have resulted in a
coordinated outcome. However, the evaluation of the Directive also showed that the EU legal
current framework leads to inconsistent and diverging practices in the Member States on API data
requiring further EU action in this area, including with a separate legal instrument on law
enforcement.
(a) Are there clear benefits from EU level action?
Yes. As illustrated by the effectiveness of existing EU instruments for external border management or
law enforcement, such as the Schengen Information System, EU action can bring significant added
value to Member States in these areas. Likewise, EU action brings added value for the management
of the Schengen external borders and for internal security in the Union.
(b) Are there economies of scale? Can the objectives be met more efficiently at EU level (larger
benefits per unit cost)? Will the functioning of the internal market be improved?
Yes.
(c) What are the benefits in replacing different national policies and rules with a more
homogenous policy approach?
A homogenous policy approach overcomes existing inconsistent and diverging practices in the
Member States on API data.
(d) Do the benefits of EU-level action outweigh the loss of competence of the Member States
and the local and regional authorities (beyond the costs and benefits of acting at national,
regional and local levels)?
Yes.
(e) Will there be improved legal clarity for those having to implement the legislation?
Yes.
3. Proportionality: How the EU should act
3.1 Does the explanatory memorandum (and any impact assessment) accompanying the
Commission’s proposal contain an adequate justification regarding the proportionality of the
proposal and a statement allowing appraisal of the compliance of the proposal with the
principle of proportionality?
The proposed Regulation on the collection and transfer of API data for law enforcement purposes,
subject to strict limitations and safeguards, will strengthen the prevention, detection, investigation
and prosecution of terrorist offences and serious crime. Consequently, the proposed rules
4
The 202 evaluation of the API also showed that Cyprus and Greece did not establish an API system and do not request API data.
5 Evaluation of the API Directive, SWD(2020)174, p. 51.
5
correspond to an identified need to enhance internal security, responding effectively to the problem
resulting from the absence of joint processing of API data and PNR data, including on those intra-EU
flights for which Member States receive PNR data.
The scope of the proposal is limited to what is strictly necessary, i.e. it is limited to those elements
that require a harmonised EU approach, namely the purposes for which API can be used by the
Passenger Information Units, the data elements that need to be collected and the means for the
collection and transfer of the API data from travellers. The transfer of the API data to the router
reduces the complexity for air carriers to maintain connections with Passenger Information Units and
introduces economies of scale, whilst reducing the scope for errors and abuse. The purpose covers
only terrorist offences and serious crime, as defined in the proposal, in view of the serious nature
thereof and their transnational dimension.
To limit the interference on the rights of passengers to what is strictly necessary, a number of
safeguards are set out in the proposals. More specifically, the processing of API data under the
proposed Regulations is restricted to a closed and limited list of API data. Beyond that, no additional
identity data are to be collected. Moreover, the proposed Regulation only provides for rules on the
collection and transfer of API data through the router to the PIUs for the limited purposes specified
therein and does not regulate the further processing of API data by the PIUs, given that, as explained
above, that is covered by other acts of EU law (PNR Directive, personal data protection law, the
Charter). The functionalities of the router and in particular its capability to collect and provide
comprehensive statistical information also supports the monitoring of the implementation of this
Regulation by air carriers and Passenger Information Units. Certain specific safeguards are also
provided for, such as rules on logging, personal data protection and security.
To ensure the necessity and proportionality of the data processing under the proposed Regulation,
and more specifically as regards the collection and transfer of API data on intra-EU flights, Member
States will only receive API data for those intra-EU flights that they have selected in line with the
abovementioned case law of the CJEU. In addition, the further processing of API data by PIUs would
be subject to the limits and safeguards established in the PNR Directive, as interpreted by the CJEU in
the Ligue des droits humains case6
in the light of the Charter.
3.2 Based on the answers to the questions below and information available from any impact
assessment, the explanatory memorandum or other sources, is the proposed action an
appropriate way to achieve the intended objectives?
Yes, the two proposals set out an appropriate way to achieve the intended objectives.
(a) Is the initiative limited to those aspects that Member States cannot achieve satisfactorily on
their own, and where the Union can do better?
Yes.
(b) Is the form of Union action (choice of instrument) justified, as simple as possible, and
coherent with the satisfactory achievement of, and ensuring compliance with the objectives
pursued (e.g. choice between regulation, (framework) directive, recommendation, or
alternative regulatory methods such as co-legislation, etc.)?
Yes.
(c) Does the Union action leave as much scope for national decision as possible while achieving
6
CJEU, iudgment of 21 June 2022, case C-817/19, Ligue des droits humains.
6
satisfactorily the objectives set? (e.g. is it possible to limit the European action to minimum
standards or use a less stringent policy instrument or approach?)
Yes.
(d) Does the initiative create financial or administrative cost for the Union, national
governments, regional or local authorities, economic operators or citizens? Are these costs
commensurate with the objective to be achieved?
Yes, as assessed in the impact assessment and the legislative financial statement, the proposal will
mean additional costs for the Union, national authorities and carriers. These costs will be offset in
the medium to the long term thanks to the efficiencies created by the establishment of the router – a
single point of entry – for the data to be collected and transmitted by air carriers to the Member
States.
(e) While respecting the Union law, have special circumstances applying in individual Member
States been taken into account?
No, as there are no such special circumstances in the aspects addressed by the proposal.