James Browne (Wexford, Fianna Fail) | Oireachtas source

I move:

That Dáil Éireann approves the exercise by the State of the option or discretion under Protocol No. 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, to take part in the adoption and application of the following proposed measure: Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818, a copy of which was laid before Dáil Éireann on 13th January, 2023.

I seek Dáil approval to opt in to a proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information, API, for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. This proposed regulation, as it relates to law enforcement, is a key part of cooperation with other member states in the area of information exchange for the purposes of detection, prevention, investigation and prosecution of terrorist offences and serious crime. The proposed regulation aims to build on and improve the existing rules in terms of the collection and transfer of API data. This motion follows on from the publication in December 2022 by the European Commission of two proposals for regulations, both regarding the collection and processing of API data relating to air travel.

To provide some background, advance passenger information refers to information contained in the machine-readable zone of a passenger's passport or travel document. This includes name, date of birth, gender, nationality and document or passport number. API also includes flight information such as flight number and arrival and departure times. Before a passenger boards a plane, this data is available to the airline and can be transmitted to the relevant authority in the destination country. The processing of API data provides an effective tool for advance checks of air travellers. Border checks for bona fide travellers are therefore expedited upon arrival, while more resources and time can be spent on identifying travellers who need further scrutiny. Consequently, API enables a risk-based, data-driven approach to border security for the purposes of law enforcement. The first of the two proposed regulations is better-known as the API border management regulation. This proposal relates to the processing of API data for border management-related purposes. However, Ireland does not need to opt in to this proposal, as it is a Schengen-building measure in which Ireland will automatically participate.

The second proposal is known as the API law enforcement regulation, which is the subject of today's motion. It relates to the processing of API data as part of the passenger name record, PNR, data set for the purposes of the detection, prevention, investigation and prosecution of terrorist offences and serious crime. As the API law enforcement regulation has a Title V legal basis, Ireland has until 6 May 2023 to notify the Presidency of the Council of the intention to opt in to this measure under Article 3 of Protocol 21.

To provide some contextual background to Deputies, the Irish Passenger Information Unit, IPIU, was established as a unit of the Department of Justice by the Minister for Justice under the European Union (Passenger Name Record Data) Regulations 2018, SI 177/18. The regulations were in turn made for the purpose of giving effect to EU Directive 2016/681, commonly known as the PNR directive. The IPIU is responsible for the collection and processing of passenger name record data for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or serious crime and for transferring the data to designated competent authorities.

Schedule 3 of SI 177/18 provides that a number of competent authorities are entitled to receive the results of the processing of PNR data. The competent authorities are An Garda Síochána, the Office of the Revenue Commissioners, the Permanent Defence Force, the Department of Social Protection and the Department of Justice. Passenger name record data is information collected by air carriers for commercial purposes during the flight reservation process. Advance passenger information contains biometric information about a passenger such as name, date of birth and passport number. This information must be included as a data set of the PNR data when it is available from the carrier.

As mentioned, the two recent Commission proposals in this area are interrelated. The proposed sister regulation, the API border management regulation, establishes and legislates for a central router which will be established, operated and maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice, known as eu-LISA, and will transfer the data gathered in pursuance of the API law enforcement regulation to each member state. Under the proposed API law enforcement regulation, air carriers will be mandated to use this central router to transfer API data to the passenger information unit of each member state. Mandating air carriers to transmit API data to a central router within the EU will streamline the overall process and reduce the costs on airlines as a central router will reduce significantly the number of separate connections to be maintained. A central router will replace the current system comprised of multiple connections between air carriers and national authorities.

The fact that data will be collected and transmitted via automated means will only improve the accuracy of data collected and enhance data protection measures. It will also increase the reliability of the data analysis carried out by competent authorities. The combined use of API data and PNR data enables the competent national authorities to confirm the identity of passengers and significantly enhances national security measures.

In summary, both API proposals aim to harmonise the requirements for the collection of API data by setting a mandatory list of API data elements to be collected by air carriers. The proposals will cover all air travellers on all flights into the European Union and certain "intra-EU" flights for the proposal regarding the prevention and detection of terrorist offences and serious crime. Furthermore, the central router to be established will be hosted and maintained by the relevant European agency for the benefit of all member states involved. The proposed API law enforcement regulation is also aligned with the applicable rules for the processing of PNR data by relevant authorities, as established in the PNR directive and recent European Court of Justice, ECJ, rulings. Once adopted, the rules in the proposed regulation will be directly applicable across participating states in the European Union. These new rules are expected to be applied in full as of 2028. Once the central router is developed, which is expected to be by 2026, public authorities and air carriers will have two years to adjust to the new requirements and to test the router before it becomes mandatory.

I commend this proposal to the House in the context of exercising Ireland's opt-in to the measure, and I thank the Deputies for their consideration of the matter.

See this speech in context