Regulation (EU) 2025/12 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for enhancing and facilitating external border checks, amending Regulations (EU) 2018/1726 and (EU) 2019/817, and repealing Council Directive 2004/82/EC

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 77(2), points (b) and (d), and Article 79(2), point (c), thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) The carrying out of border checks of persons at the external borders significantly contributes to ensuring the long-term security of the Union, its Member States and its citizens and, as such, remains an important safeguard, especially in the area without internal border control. Border checks are to be carried out in accordance with Regulation (EU) 2016/399 of the European Parliament and of the Council (3) where applicable, in order to help combat illegal immigration and prevent threats to the Member States’ internal security, public policy, public health and international relations. Such border checks are to be carried out in such a way as to fully respect human dignity and be in full compliance with relevant Union law, including the Charter of Fundamental Rights of the European Union (‘the Charter’).

(2) The use of passenger data and flight information transferred ahead of the arrival of passengers, known as advance passenger information or API data, contributes to speeding up the required border checks during the border-crossing process. For the purposes of this Regulation that process concerns, more specifically, the crossing of borders between a third country or a Member State to which this Regulation does not apply and a Member State to which this Regulation applies. The use of API data strengthens border checks at those external borders by providing sufficient time to enable detailed and comprehensive border checks to be carried out on all passengers, without having a disproportionate negative effect on those travelling in good faith. Therefore, in the interest of the effectiveness and efficiency of border checks at external borders, an appropriate legal framework should be provided for to ensure that Member States’ competent border authorities at such external border crossing points have access to API data prior to the arrival of passengers.

(3) The existing legal framework on API data, which consists of Council Directive 2004/82/EC (4) and national law transposing that Directive, has proven important in improving border checks, in particular by setting up a framework for Member States to introduce provisions for laying down obligations on air carriers to transfer API data on passengers transported into their territory. However, divergent practices remain at national level. In particular, API data are not systematically requested from air carriers and air carriers are faced with different requirements regarding the type of information to be collected and the conditions under which the API data need to be transferred to competent border authorities. Those divergences not only lead to unnecessary costs and complications for air carriers, but they are also prejudicial to ensuring effective and efficient pre-checks on persons arriving at external borders.

(4) The existing legal framework needs to be updated and replaced to ensure that the rules regarding the collection and transfer of API data for the purpose of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and for combating illegal immigration are clear, harmonised and effective, in accordance with the rules set out in Regulation (EU) 2016/399 for Member States to which it applies, and with national law where it does not apply.

(5) In order to ensure a consistent approach at both Union and international level as much as possible and in view of the rules on the collection of API data applicable at international level, the updated legal framework established by this Regulation should take into account the relevant practices internationally agreed with the air industry, such as in the context of the World Customs Organisation, International Aviation Transport Association and International Civil Aviation Organisation (ICAO) Guidelines on Advance Passenger Information.

(6) The collection and transfer of API data affect the privacy of individuals and entail the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter, adequate limits and safeguards should be provided for. For example, any processing of API data and, in particular, API data constituting personal data should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the processing of any API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.

(7) In order to achieve its objectives, this Regulation should apply to all air carriers conducting flights into the Union, as defined in this Regulation, irrespective of the place of establishment of the air carriers conducting those flights, and operating both scheduled and non-scheduled flights. The collection of data from any other civil aircraft operations, such as flight schools, medical flights, emergency flights, as well as from military flights, is not within the scope of this Regulation. This Regulation is without prejudice to the collection of data from such flights as provided for in national law that is compatible with Union law. The Commission should assess the feasibility of a Union scheme obliging operators of private flights to collect and transfer air passenger data.

(8) The obligations on air carriers to collect and transfer API data under this Regulation should include all passengers on flights into the Union, transit passengers whose final destination is outside of the Union and any off-duty crew member positioned on a flight by an air carrier in connection with their duties.

(9) In the interest of effectiveness and legal certainty, the items of information that together constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each passenger and information on the flight taken by that passenger. Under this Regulation, and in accordance with international standards, such flight information should cover seating and baggage information, where such information is available, and information on the border crossing point of entry into the territory of the Member State concerned in all cases covered by this Regulation. Where baggage or seat information is available within other IT systems that the air carrier, its handler, its system provider or the airport authority has at its disposal, air carriers should integrate that information in the API data to be transferred to the competent border authorities. API data as defined and regulated under this Regulation do not include biometric data.

(10) In order to allow for flexibility and innovation, it should in principle be left to each air carrier to determine how it meets its obligations regarding the collection of API data set out in this Regulation, taking into account the different types of air carrier as defined in this Regulation and their respective business models, including as regards check-in times and cooperation with airports. However, considering that suitable technological solutions exist that allow certain API data to be collected automatically while ensuring that the API data concerned are accurate, complete and up to date, and having regard to the advantages of the use of such technology in terms of effectiveness and efficiency, air carriers should be required to collect such API data using automated means, by reading information from the machine-readable data of the travel document. Where the use of such automated means is not technically possible in exceptional circumstances, air carriers should exceptionally collect the API data manually, either as part of the online check-in process or as part of the check-in at the airport, in such a manner as to ensure compliance with their obligations under this Regulation.

(11) The collection of API data by automated means should be strictly limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it. As the collection of API data is part of the check-in process, either online or at the airport, this Regulation does not include an obligation for air carriers to check a travel document of the passenger at the moment of boarding. Compliance with this Regulation does not include any obligation for passengers to carry a travel document at the moment of boarding. This should be without prejudice to obligations stemming from other Union legal acts or national law that is compatible with Union law.

(12) The collection of API data from travel documents should also be consistent with the ICAO standards on machine-readable travel documents, which have been incorporated into Union law by means of Regulation (EU) 2019/1157 of the European Parliament and of the Council (5), Council Regulation (EC) No 2252/2004 (6) and Council Directive (EU) 2019/997 (7).

(13) The requirements set out in this Regulation and the corresponding delegated and implementing acts should lead to the uniform implementation of this Regulation by the air carriers, thereby minimising the cost of the interconnection of their respective systems. To facilitate the harmonised implementation of those requirements by the air carriers, in particular as regards the data structure, format and transmission protocol, the Commission, on the basis of its cooperation with the competent border authorities, other Member States authorities, air carriers and relevant Union agencies, should ensure that the practical handbook to be prepared by the Commission provides all the necessary guidance and clarifications.

(14) In order to enhance the quality of API data, the router to be established under this Regulation should verify whether the API data transferred to it by air carriers comply with the supported data formats, including standardised data fields or codes, in terms of both content and structure. Where the verification determines that the data are not compliant with those data formats, the router should, immediately and in an automated manner, notify the air carrier concerned.

(15) It is important that the automated data collection systems and other processes established under this Regulation do not have a negative impact on the employees in the aviation industry, who are to be provided with upskilling and reskilling opportunities that would increase the efficiency and reliability of data collection and transfer as well as the working conditions in the sector.

(16) Passengers should have the possibility to provide certain API data themselves by automated means during an online check-in process, for example via a secure application on a passenger’s smartphone, a computer or a webcam with the capability to read the machine-readable data of the travel document. Where passengers do not check in online, air carriers should provide them with the possibility to provide the required machine-readable API data during check-in at the airport with the assistance of a self-service kiosk or of air carriers’ staff at the check-in counter. Without prejudice to air carriers’ freedom to set air fares and define their commercial policy, it is important that the obligations under this Regulation do not lead to disproportionate obstacles for passengers unable to use online means to provide API data, such as additional fees for providing API data at the airport. In addition, this Regulation should provide for a transitional period during which passengers are given the possibility to provide API data manually as part of the online check-in process. In such cases, air carriers should use data verification techniques.

(17) With a view to ensuring the fulfilment of the rights provided for under the Charter, as well as ensuring accessible and inclusive travel options, especially for vulnerable groups and persons with disabilities, and in accordance with the rights of disabled persons and persons with reduced mobility when travelling by air set out in Regulation (EC) No 1107/2006 of the European Parliament and of the Council (8), air carriers, supported by the Member States, should ensure that an option for the provision of the necessary data by passengers at the airport is available at all times.

(18) In view of the advantages offered by using automated means for the collection of machine-readable API data and the clarity resulting from the technical requirements in that regard to be adopted under this Regulation, air carriers that decide to use automated means to collect the information that they are required to transmit under Directive 2004/82/EC should be provided with the possibility, but not the obligation, to apply those requirements, once adopted, in connection to such use of automated means, insofar as that Directive is applicable and permits it. Any such voluntary application of those specifications in application of Directive 2004/82/EC should not be understood as affecting in any way the obligations of air carriers and Member States under that Directive.

(19) With a view to ensuring that the pre-checks carried out in advance by competent border authorities are effective and efficient, the API data transferred to those authorities should contain the data of passengers that are effectively set to cross the external borders, that is, of passengers that are effectively on board of the aircraft, irrespective of whether the final destination of the passenger is inside or outside the Union. Therefore, air carriers should transfer API data immediately after flight closure. Moreover, API data help the competent border authorities to distinguish legitimate passengers from passengers who might be of interest and therefore require additional verifications, which would necessitate further coordination and preparation of follow-up measures to be taken upon arrival. That could occur, for example, in cases of an unexpected number of passengers of interest, whose physical checks at the borders could adversely affect the border checks and waiting times at the borders of other legitimate passengers. To provide the competent border authorities with an opportunity to prepare adequate and proportionate measures at the border, such as temporarily reinforcing or redeploying staff, particularly for flights where the time between the flight closure and the arrival at the external borders is insufficient to allow the competent border authorities to prepare the most appropriate response, API data should also be transferred prior to boarding, at the moment of check-in of each passenger.

(20) In order to avoid any risk of misuse and in line with the principle of purpose limitation, the competent border authorities should be expressly precluded from processing the API data that they receive under this Regulation for any purpose other than those explicitly provided for in this Regulation and in accordance with the rules set out in Regulation (EU) 2016/399 for Member States to which that Regulation applies or, where that Regulation does not apply, in accordance with the relevant rules set out in national law.

(21) To ensure that competent border authorities have sufficient time to carry out pre-checks effectively on all passengers, including passengers on long-haul flights and those travelling on connecting flights, as well as sufficient time to ensure that the API data collected and transferred by air carriers are accurate, complete and up to date, and where necessary to request additional clarifications, corrections or completions from air carriers, in order to ensure that API data remain available until all passengers have effectively presented themselves at the border crossing point, the competent border authorities should store the API data that they received under this Regulation for a fixed period of time that remains limited to what is strictly necessary for those purposes. In exceptional circumstances where individual passengers, after landing, do not present themselves at a border crossing point within such fixed period of time, the Member States should have the possibility to enable their competent border authorities to store the API data of such individual passengers until they present themselves at a border crossing point or at the latest for an additional fixed period of time. Where Member States want to make use of such possibility, Member States should be responsible to put in place the appropriate means to identify such individual passengers, in order to ensure that the longer retention of their specific API data remain limited to what is strictly necessary.

(22) In order to be able to respond to requests for additional clarifications, corrections or completions by the competent border authorities, air carriers should store the API data that they transferred under this Regulation for a fixed and strictly necessary period of time. Beyond that, and with a view to enhancing the travel experience of legitimate passengers, air carriers should be able to retain and use the API data where necessary for the normal course of their business in particular for travel facilitation, in compliance with the applicable law and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (9).