23 March 2023
Legislation is incoming to step up surveillance of air travel, and the possibility of extending the scheme to ferry journeys has been raised in the Council. The Presidency is concerned about delaying the air passenger surveillance plans but has set out options for maritime transport, whilst proposing the Commission launch a study on the surveillance of international bus and coach travel.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
Something in the air
In mid-December 2022, the European Commission unveiled two legislative proposals to extend the EU’s existing scheme for the transmission of air passengers’ passport data to the border authorities and police.
That data, known as Advance Passenger Information (API), is taken from passports during check-in and forwarded to authorities in the destination state, but according to an official evaluation the 2004 Directive that introduced this obligation is insufficient.
The new proposals will see data collected and transmitted on “all flights entering the Union” for pre-arrival checks by border authorities, in order to “identify people posing security risks”. The other proposal is for policing purposes, and will apply to “all flights to and from the EU, as well as on selected flights within the EU”. It will complement the existing Passenger Name Record (PNR) Directive, covering data collected by travel agents and operators, and which had its scope severely limited by the Court of Justice last year.
Novelties introduced by the new proposals include uniform API data collection rules; better quality API data; streamlined transmission of the data from carriers to authorities using a new router managed by the EU IT agency, eu-Lisa, bringing API data within the architecture of “interoperable” policing and migration data systems. Full application of the rules is expected by 2028, with the router’s completion scheduled for 2026.
On the ground
During meetings of the Council Working Party on Information Exchange (IXIM), some national delegations have asked whether the collection and transfer of advanced passenger information (API) could apply to other modes of transport, as discussed in the Commission’s proposals.
The Belgian authorities, for example, have argued (pdf) that "the growing number of travelers by train within Europe is also a valid argument to include other modes of transport in the scope of the regulations," and the Slovenian delegation is of the opinion (pdf) that the authorities should "also collect passenger data when passengers board ships and railways."
The Czech delegation to the Council, on the other hand, has said that:
"...we would have significant problems with proportionality and with impact on the industry if the scope of the European rules would be extended on rail or even bus transport... in rail and bus transport the issue of personalised tickets and identity checks on boarding are not standard practices and would require significant investments."
On 3 March the Swedish Council Presidency circulated a document (pdf) on the feasibility of an extension in scope of the proposal to maritime and land transport, bearing in mind the impact of such measures on “transport operators, competent authorities and passengers”.
The note highlights that if the proposals were extended to other modes of transport, agreement on the Council’s negotiating mandate would be delayed and negotiations with the European Parliament would become more complicated, and “would potentially make it impossible to conclude these two important files during the current legislature.”
Extending the proposals to other modes of transport – as has previously been mooted regarding Passenger Name Record systems – would also imply a vast extension of the police surveillance of movement.
In the area of maritime transport, one option could be not to amend current proposals’ scope, but to initiate a Commission-led study “on how to regulate the collection, transfer and processing of API data from maritime transport”, whilst enabling work to reach an agreement during the current legislature on air transport.
Currently, inbound and outbound maritime transport operators are obliged to submit crew and passenger lists to border authorities, for the data to be checked against a host of EU policing and migration databases as well as Interpol’s systems. However, ferry connections with ports based in third countries are currently excluded from these obligations.
The note offers three potential “cumulative” options if delegations insist on including maritime transport in the current API proposals.
Option 1: border management only
This would require an amendment to the Schengen Borders Code (SBC) to extend reporting obligations to ferry connections with ports in third countries and require automated collection of data elements.
The presidency notes that the “logic, clarity and coherence of the legal framework” may be negatively affected by the parallel applicability of the SBC and the API borders Regulation.
Option 2: external border control and law enforcement
The Presidency warns that this raises important data protection issues by expanding the scope for processing personal data, without any guarantees that the ECJ will authorise processing as it has done for air travel.
This would raise issues concerning data retention in relation to the subsequent processing of data by national law enforcement authorities.
Option 3: border control and law enforcement, including intra-EU travel
The requirement to collect data for law enforcement purposes within the EU would, according to the Presidency:
“…aggravate the impact on data protection, since covering domestic travel can trigger greater implications for fundamental rights, but also affect freedom of movement.” [emphasis in the original]
A further obstacle has been posed by CJEU case law and its requirement that “in the absence of a terrorist threat such extension [of data processing] should be limited to selected routes or travel patterns” and should be reviewed at regular intervals.
Issues also exist concerning the deletion of transport operations not deemed to pose a threat, a function that exists under the PNR system, but not in the “European Maritime Single Window environment”.
Regarding land transport, the context differs – “heavy investments” and infrastructural work would be needed for the implementation of API systems, leading the Presidency to conclude that “it does not seem feasible to extend the Commission proposal to land transport” (emphasis in original).
Nonetheless, considering “operational needs expressed by some Delegations, there is a need for further analysis of the necessity, proportionality and feasibility of processing passenger data on rail and bus transport to fight serious crime and terrorism,” whilst bearing in mind the relevance of data protection, freedom of movement and Court of Justice case law, says the Presidency.
The Presidency concludes by stating that “the Council could call on the Commission” to carry out an assessment of the experiences that some member states have with rail and bus transport data collection.
Last June the EU's Court of Justice massively restricted the scope of the Passenger Name Record (PNR) Directive, which allows the mass surveillance and profiling of air passengers. According to the ruling, member states should make substantial changes to their practices in order to uphold fundamental rights. Instead, they would like to find ways to maintain maximum data collection to continue the hunt for "persons of interest" - yet such practices are incompatible with the rule of law.
The Council is set to approve a decision that will allow the UK's continued derogation from safeguards for the automated surveillance and profiling of all air passengers arriving from the EU. The UK-EU Trade and Cooperation Agreement allows the UK to derogate from applying those safeguards while it tries to align its systems with the requirements of Court of Justice jurisprudence. This is the final derogation permitted; it will expire on 31 December 2023.
The ICAO, Interpol and various UN bodies are continuing their efforts to aid the establishment of systems for the surveillance of air travel and the automated profiling of passengers.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.