
Dáil Éireann debate - Tuesday, 25 Apr 2023

Vol. 1037 No. 1

Collection and Transfer of Advance Passenger Information: Motion

I move:

That Dáil Éireann approves the exercise by the State of the option or discretion under Protocol No. 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, to take part in the adoption and application of the following proposed measure:

Proposal for a Regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818,

a copy of which was laid before Dáil Éireann on 13th January, 2023.

I seek Dáil approval to opt in to a proposal for a regulation of the European Parliament and of the Council on the collection and transfer of advance passenger information, API, for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. This proposed regulation, as it relates to law enforcement, is a key part of cooperation with other member states in the area of information exchange for the purposes of detection, prevention, investigation and prosecution of terrorist offences and serious crime. The proposed regulation aims to build on and improve the existing rules in terms of the collection and transfer of API data. This motion follows on from the publication in December 2022 by the European Commission of two proposals for regulations, both regarding the collection and processing of API data relating to air travel.

To provide some background, advance passenger information refers to information contained in the machine-readable zone of a passenger's passport or travel document. This includes name, date of birth, gender, nationality and document or passport number. API also includes flight information such as flight number and arrival and departure times. Before a passenger boards a plane, this data is available to the airline and can be transmitted to the relevant authority in the destination country. The processing of API data provides an effective tool for advance checks of air travellers. Border checks for bona fide travellers are therefore expedited upon arrival, while more resources and time can be spent on identifying travellers who need further scrutiny. Consequently, API enables a risk-based, data-driven approach to border security for the purposes of law enforcement. The first of the two proposed regulations is better-known as the API border management regulation. This proposal relates to the processing of API data for border management-related purposes. However, Ireland does not need to opt in to this proposal, as it is a Schengen-building measure in which Ireland will automatically participate.

The second proposal is known as the API law enforcement regulation, which is the subject of today's motion. It relates to the processing of API data as part of the passenger name record, PNR, data set for the purposes of the detection, prevention, investigation and prosecution of terrorist offences and serious crime. As the API law enforcement regulation has a Title V legal basis, Ireland has until 6 May 2023 to notify the Presidency of the Council of the intention to opt in to this measure under Article 3 of Protocol 21.

To provide some contextual background to Deputies, the Irish Passenger Information Unit, IPIU, was established as a unit of the Department of Justice by the Minister for Justice under the European Union (Passenger Name Record Data) Regulations 2018, SI 177/18. The regulations were in turn made for the purpose of giving effect to EU Directive 2016/681, commonly known as the PNR directive. The IPIU is responsible for the collection and processing of passenger name record data for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or serious crime and for transferring the data to designated competent authorities.

Schedule 3 of SI 177/18 provides that a number of competent authorities are entitled to receive the results of the processing of PNR data. The competent authorities are An Garda Síochána, the Office of the Revenue Commissioners, the Permanent Defence Force, the Department of Social Protection and the Department of Justice. Passenger name record data is information collected by air carriers for commercial purposes during the flight reservation process. Advance passenger information contains biometric information about a passenger such as name, date of birth and passport number. This information must be included as a data set of the PNR data when it is available from the carrier.

As mentioned, the two recent Commission proposals in this area are interrelated. The proposed sister regulation, the API border management regulation, establishes and legislates for a central router which will be established, operated and maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice, known as eu-LISA, and will transfer the data gathered in pursuance of the API law enforcement regulation to each member state. Under the proposed API law enforcement regulation, air carriers will be mandated to use this central router to transfer API data to the passenger information unit of each member state. Mandating air carriers to transmit API data to a central router within the EU will streamline the overall process and reduce the costs on airlines as a central router will reduce significantly the number of separate connections to be maintained. A central router will replace the current system comprised of multiple connections between air carriers and national authorities.

The fact that data will be collected and transmitted via automated means will only improve the accuracy of data collected and enhance data protection measures. It will also increase the reliability of the data analysis carried out by competent authorities. The combined use of API data and PNR data enables the competent national authorities to confirm the identity of passengers and significantly enhances national security measures.

In summary, both API proposals aim to harmonise the requirements for the collection of API data by setting a mandatory list of API data elements to be collected by air carriers. The proposals will cover all air travellers on all flights into the European Union and certain "intra-EU" flights for the proposal regarding the prevention and detection of terrorist offences and serious crime. Furthermore, the central router to be established will be hosted and maintained by the relevant European agency for the benefit of all member states involved. The proposed API law enforcement regulation is also aligned with the applicable rules for the processing of PNR data by relevant authorities, as established in the PNR directive and recent European Court of Justice, ECJ, rulings. Once adopted, the rules in the proposed regulation will be directly applicable across participating states in the European Union. These new rules are expected to be applied in full as of 2028. Once the central router is developed, which is expected to be by 2026, public authorities and air carriers will have two years to adjust to the new requirements and to test the router before it becomes mandatory.

I commend this proposal to the House in the context of exercising Ireland's opt-in to the measure, and I thank the Deputies for their consideration of the matter.

I thank the Minister of State for his presentation. As he said, this proposal is for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The 2004 directive is to be repealed and replaced by two different regulations. There is, as was outlined in the briefing document, a close connection between this regulation and the regulation on collection and transfer of API data for facilitating external border controls. As the Minister of State outlined, because Oireachtas approval is required, that has to be done prior to, I think, 6 May.

It is important to note that the regulation aims to lay down better rules for the collection of the data and to ensure that compliance is, as can be seen, carefully limited in scope and contains strict personal data limits and safeguards. It is important also that it must be selective and cannot be systematic unless justified by genuine and present or foreseeable terrorist threat. While there are always civil liberties concerns about these databases, their use is important in combating the work of transnational gangs. The breakup of the so-called super cartel is ongoing and very important. Co-operation of multiple countries to combat this entity, which does not function in a manner that can be understood as a strict hierarchy, has been crucial. I note that Europol said recently that 49 suspects were arrested during Operation Desert Light, with a series of raids which took place across Europe and the UAE between 8 November and 9 November last. Those arrests were a culmination of parallel investigations in a number of countries with co-operation from An Garda Síochána also. Europol said that forces involved in the operation targeted both the command-and-control centre and the logistical drugs trafficking infrastructure in Europe. Thirty tonnes of drugs were seized by officers. If I may quote Europol:

The scale of cocaine importation into Europe under the suspects' control and command was massive and over 30 tonnes ... were seized by law enforcement over the course of the investigations.

The use of encrypted phones was a feature of this case also, demonstrating the technological sophistication of many of these gangs. The usual caveats of ongoing investigations must be repeated, but it is interesting that media reports indicate that the search for a safe haven by some leaders of this super cartel is getting increasingly desperate. Being able to move and conduct their business is absolutely critical to these gangs, and it is interesting that today the Commissioner, speaking at the conference of the Garda Representative Association, GRA, issued a warning. He has our support in the Garda's pursuit of criminal gangs.

It is worthwhile to note the need for this revised proposal, which replaces the previous EU measures. The PNR directive, which was adopted in 2016, allowed police and justice officials to access passenger data on flights to and from the EU in order to combat serious crimes and maintain security within the EU. Then there was a case taken in the Belgian courts by human rights groups challenging the data recorded under the previous Council directive. According to Reuters, the Belgian courts referred the matter to the Court of Justice of the European Union. "The Court considers", it said, "that respect for fundamental rights requires that the powers provided for by the PNR Directive be limited to what is strictly necessary." The court held that the PNR must be limited to terrorist offences and serious crime having an objective link, even if only indirect, with the carriage of passengers in the air. The court said that the extension of the PNR to intra-EU flights should be allowed only if it is strictly necessary and open to review by a court or independent administrative body. Again, to quote from the decision:

In the absence of a genuine and present or foreseeable terrorist threat to a Member State, EU law precludes national legislation providing for the transfer and processing of the ... data of intra-EU flights and transport operations carried out by other means within the European Union.

The court also said that artificial intelligence technology and self-learning systems may not be used in collecting airline passenger data. This is an important aspect of the decision, and we need to proceed with extreme caution when it comes to the application of AI, machine learning and other technological innovations. There are, of course, a number of risks inherent with some of those tools. The first is the risk to our civil liberties and of overreach. One former officer, when commenting on the PRISM revelations by Edward Snowden, was quick to point out that it was far more invasive than what they had managed to maintain. Databases that collect information must be carefully supervised and dispose of data within a set timeframe, and their use must be proportionate to their purpose. The decision of the court recognises this, and it is important that that case law is respected. The second risk is the impact on policing work, whereby the use of these tools can distort how cases are looked into and resolved. There can be such a thing as too much information, and training in investigative techniques needs to keep pace with technology. The third risk which needs to be mitigated is the need for legal certainty. Where poor laws are passed, there is an opportunity for some to challenge those cases when the law is unconstitutional or in breach of fundamental rights.

Finally, I wish to speak to some of the details of the proposal. The fact that the proposal is carefully limited and contains strict personal data protection limits and safeguards is a positive. I trust we will not see overreach as a result. Air carriers are being given clear direction on what to maintain and, as the Minister of State outlined, there is a proposed central router that will act as the single point of reception and onward distribution, replacing the current system comprised of multiple connections between the air carriers and national authorities.

Overall, we support this motion and hope that the important work of co-operation against crime will continue.

On the face of it, this is a perfectly acceptable proposal to opt into a regulation on the collection and transfer of advance passenger information. As the Minister of State set out in his presentation, that is information on a passenger's passport, such as date of birth, gender and citizenship, together with flight details. Again it is a justice regulation that comes before the House. We have until 6 May to opt in. We are always just in time with regulations coming here, although I note that the European Commission's publication on the two proposals for the regulations occurred only last December.

I suppose it is swift enough by normal justice standards. We need to ensure that we have as much data as we can get, consistent with the safeguards that have been set out both in the Minister of State's speech and in the previous Deputy's contribution. It is important for Irish authorities to know in advance who is arriving at our airports. Streamlining the requirements in a transparent, open and understandable way is an important advance, particularly as previous regulations have been tested in various European courts, as was suggested already, to ensure that data are secured.

I have a few questions I would like to put to the Minister of State. Prima facie, it looks like some of it is an improvement on the existing situation and something that is desirable. On the existing statutory instrument, in terms of the organisations that can have access to the data, SI 177 of 2018, the Minister of State lists the competent authorities in his speech. Is that a comprehensive list? Would it require a further statutory instrument to expand that list? Is the Minister capable of amending it without formulating a new statutory instrument and laying it before the Houses, should some other agency of the State require it, such as the Criminal Assets Bureau or other agency?

In terms of the role of our own Garda National Immigration Bureau, clearly it must remain a matter for ourselves who can come into this State and who cannot. I have one concern about this advance presentation of data. It often can put pressure on an airline when a passenger presents themselves with a particular passport. They may have a fear of being fined if that passenger ultimately is refused entry into Ireland. I would be concerned that it would be a matter for our competent authorities, the Garda National Immigration Bureau, to make that determination in accordance with our norms and Irish law. I would hope that the collection of this data would not have a chilling effect on airlines, or cause people who in normal circumstances would be perfectly entitled to come here to be refused access onto an aircraft. It is about the provision of ultra-cautiousness if they had a fear that they would be fined for such passengers. I would be interested in having the Minister of State address that.

My third question relates to the issue of the UK post-Brexit. Obviously, they are not part of the European Union, therefore this regulation does not apply. How does it apply to passengers originating from the UK or transiting the UK in respect of the onward transmission to our authorities of passenger data? Is there some arrangement with the United Kingdom that they will be part of this common European system? Those three questions I pose by way of seeking further clarity and hopefully the Minister of State can provide it. On the face of it, this seems like an eminently sensible proposal.

Of paramount importance to me would be the protection of privacy of data. We have seen different situations in the past where concerns have been raised over issues to do with the protection of data. On the benefits, for instance for air carriers, the new rules will apply for air carriers to transfer advance passenger information, API, data on passengers only to one single point of reception, namely the router that will distribute the data to the national authorities. The router will ensure that each relevant authority in member states receives the data. Considering situations we have had in the past, for instance HSE data being hacked and concerns among the public on that issue, when we are collecting a lot of information and it is being transferred, we have to be sure that the protection of that information is sacrosanct.

Will there be obligations on other carriers? The proposals do not extend the obligation to collect API data from transport modes other than air transport. I would like a bit of information on that. When will the new rules be fully applicable? Is financial support available to member states to implement these changes? I would like a bit of detail on that. My understanding is that financial support will be available to member states through the international security fund, ISF, and the border management and visa instrument, BMVI. However, knowing that member states already have the systems in place to process API data, the financial part would be necessary to support only certain upgrades, namely to receive additional data.

Going back to the issue I started off with, how will data protection and privacy be guaranteed? I have read that the proposals update the data protection framework related to the collection of API data by air carriers. They contain all necessary restrictions and safeguards to ensure compliance with the Charter of Fundamental Rights of the European Union including as regards the security of processing of personal data, deletion and purpose limitation and the travellers' right of information. It is important that any processing of API data remains limited to what is necessary for and proportionate to achieving the objectives of border management and the fight against serious crime and terrorism. I believe the necessary safeguards include rules on independent supervision, logs on any processing of data and data protection rules such as purpose limitation and strict retention periods. It is also ensured that the API collected and transferred does not lead to any form of discrimination precluded by the charter.

The EU is currently engaged in bolstering the Union's overall security architecture, which aims to enhance EU citizens' protection as set out in the fifth security union progress report. The report highlights three years of ongoing work to implement the Union's security strategy. I recognise the excellent work that was carried out in that report. It was very detailed. A lot of effort and time went into it. At EU level, significant steps have been made in strengthening the protection of critical infrastructure from physical, cyber and hybrid attacks. That comes back to what we were talking about earlier with regard to the HSE event that we had. Significant steps have also been made in fighting terrorism and radicalisation as well as in the fight against organised crime. However, it is less clear as to what tangible steps have been taken by the Government here to protect Ireland from cyberattacks, as we well remember from the recent HSE cyberattack, and whether the telecommunications cables that connect this island are safe from other future attacks. Certainly, information on travellers has helped to improve border controls, reduce irregular migration and identify persons posing security risks. However, once again here in Ireland, due to incoherent Government immigration policies, our borders are seen as open doors for criminals and people-trafficking teams to attack.

I welcome the opportunity to say a few words on this proposal. It is important from a security point of view and it shows that we can use technology to increase security and streamline people's passage through airports. It can be very stressful for people to go through airports, given the security measures and so on. It is important that if this technology can be used to provide API, travellers will be able to pass through airport security in a more streamlined manner rather than having to queue up for hours to do so.

I wish to raise a matter with the Minister of State, who might be able to enlighten me. My constituency office gets many queries from people who need to go to the UK for a funeral or a family event, possibly at short notice, but do not have a passport. A passport should not be required because there is the common travel area covering Ireland and the UK. A person can travel from Ireland to Scotland, Wales, Northern Ireland or elsewhere in the UK without a passport. The person needs to have some form of identification to show the airline. Ryanair, however, insists on passengers having a passport. It is the only form of identification Ryanair will accept, whereas other airlines will accept other forms of identification, such as a public service card or a driver licence. A person travelling to the UK by ferry does not need a passport. This requirement is being foisted on people who book with Ryanair. They may realise they do not have a passport and be in a state of flux, especially if they are due to travel to attend a family funeral. This might affect older people whose brother or sister who was in England for a long time has passed away. It is very unfair that airlines are dictating the level of identity document they require. The identification required to go to the UK should be standardised. A photographic ID such as a public service card or a driver licence should be sufficient. If that is sufficient for some airlines, it should be sufficient for all airlines. Is this something that needs to be addressed with airline carriers? It creates a significant amount of stress and confusion and puts extreme pressure on the Department of Foreign Affairs and the Passport Service, which do their best, to get passports for people at short notice. I acknowledge the work they have done in recent years to tackle the backlog and ensure people get their passports on time. I have seen that work at first hand in recent years. 
Why is this happening with certain airlines but not with others? Ryanair will tell you how to run the country or your business or how to make a cup of tea, so it is no harm to ask it to get its house in order and accept something that is acceptable to every other airline in this country. I wish to bring this matter to the attention of the Government. It should be considered, although not in a brow-beating way, in order to make life a bit more comfortable for people in these situations. It is important that people who have to travel to a funeral in the UK, especially from the part of the west of Ireland where I live, can do so in a relaxed manner and know that they do not need a passport. They may book a flight and then realise a passport is needed but they do not have one. The airlines should make abundantly clear the identification they require. The standard should be that photographic ID such as a public service card or a driver licence is sufficient for travel within the common travel area. It is important for this issue to be raised. The Minister of State might bring it back to the Government to see how it can be addressed in order to bring about standardisation.

I welcome the provisions in the regulation before the House in terms of the use of technology to suppress international and other crime. That is important.

I thank the Deputies for their contributions. I agree with Deputy Daly. The regulation is proportionate. There are essential safeguards in place. I agree that we have to ensure there is no over-reach but I think there are sufficient safeguards in place in that regard. I welcome the support for the opt-in.

On the matters raised by Deputy Howlin, it is a comprehensive list and any additionality to that list would require a further statutory instrument. As regards the Garda National Immigration Bureau and the potential fear of airlines that a passenger may be refused entry, this proposal is focused on terrorism and serious criminal activity rather than on immigration issues. Of course, a person may be refused entry having been flagged via API but this is not meant to be an immigration tool, if one likes. It is focused on terrorist financing and serious criminal activity, so it should not have that chilling effect in this area. Obviously, the Garda has the power to fine airlines for allowing on board people who should not have been allowed to board. The airlines may defend those fines in court if they believe it necessary.

The United Kingdom is not part of this statutory instrument as it is now external to the European Union. Ireland does not currently collect API data for flights from the UK. UK flights came within the scope of the 2011 API regulations from January 2021 when it became a third country. The 2011 regulations provide that the Minister may require a carrier to provide API, rather than providing that he or she shall do so. The text of the current proposal, combined with the borders proposal, mandates API collection for all flights into the EU and that would apply to flights from the UK to Ireland. From a law enforcement viewpoint, it is desirable to participate fully in these API proposals and to gather and exchange API data on flights between the UK and Ireland. However, both proposals are still at negotiation stage and, during that process, Ireland will consider further the possible effects of the proposals in the context of the agreement between Ireland and the UK on the common travel area.

As regards the points raised by Deputy Healy-Rae, the protection of private data is essential and the EU puts in essential safeguards to ensure that such data are properly protected. Other methods of transport are not included in the regulation; it only applies to air travel.

I note the concerns of Deputy Canney regarding the forms of identification required and I will bring them to the relevant Ministers.

Question put and agreed to.