Automating security? The redesign of air passenger data connectivity across Europe

Rocco Bellanova, Vrije Universiteit Brussel, Belgium
Matthias Leese, ETH Zurich, Switzerland
Rosamunde van Brakel, Vrije Universiteit Brussel, Belgium
Vanessa Ugolini, Vrije Universiteit Brussel, Belgium

PUBLISHED ON: 26 Feb 2025

Acknowledgements

Rocco Bellanova’s and Vanessa Ugolini’s work was funded by the European Research Council (ERC-2021-STG) under grant agreement no. 101043213 (DATAUNION). Matthias Leese’s contribution was funded by the Swiss State Secretariat for Education, Research, and Innovation (SERI) under grant no. MB22.00035 (ERC Starting Grant CURATE). Views and opinions expressed are those of the authors only and do not necessarily reflect those of the European Union or the European Research Council Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.

Background

In December 2024, European Union (EU) institutions adopted two new Advance Passenger Information (API) Regulations for external border checks (Reg. 2025/12) and for law enforcement and counterterrorism purposes (Reg. 2025/13). API datasets include biographic, travel, and flight information for each passenger and crew member. They are collected by air carriers and transmitted to border control, immigration, and law enforcement agencies before a flight arrives in or departs from an EU country. The two new regulations build and expand upon existing EU legislation, notably the 2004 API Directive and the 2016 PNR Directive. The former already foresees the transmission of API for border control purposes, while the latter concerns the processing of traveller information produced for commercial purposes (Passenger Name Records – PNR).

A new data connectivity architecture

While somewhat flying under the radar of public and scholarly attention, the new API Regulations mark a pivotal moment in the effort to harmonise and standardise how both air carriers and national authorities across Europe will process passenger information. This objective is achieved by means of radically redesigning the connectivity architecture. In concrete terms, the regulations foresee that there will be no more direct, bilateral channels for transmitting passenger data between private companies and national authorities, but instead a single router (Recital 23, Reg. 2025/12; Recital 16, Reg. 2025/13). This new infrastructure will be set up and operated at the European level by eu-LISA (the EU agency for the management of security related databases). It is through the router that air carriers and national authorities will be connected.

This router will not have analytical capacities and will not store any API data. Yet, it will be key for automating many of the data practices that make the algorithmic governance of European security possible in the first place. Concretely, automation is foreseen in terms of the processes and workflows that organise and steer the collection, curation, and dispatching of datasets. Both API Regulations foresee multiple forms of automated data processing that will range from how personal and travel data of air passengers will be collected by companies, to the transfer of API (and additionally PNR) records from air carriers to the router. Router capabilities will further concern the verification of the correctness, accuracy, and completeness of the data transferred to the router, as well as the transmission of API/PNR records from the router to competent authorities for border controls or Passenger Information Units (PIUs) for law enforcement and counterterrorism. Finally, the router is also foreseen to automatically delete passenger information as soon as transmission is completed.

Automation and European security

Taken together, these forms of automation re-organise what Marieke de Goede (2018) has dubbed the “chain of security” that loops together private and public sectors, travellers, and IT systems. We are witnessing, in other words, more than a mere technical “upgrade” of current legislation and IT systems. By seemingly taking some data-related processes out of the hands of humans, such redesign shapes how national and international security is organised and practised and may be regulated in the future. Furthermore, literature on automation has highlighted that automation tends to not iron out existing frictions but rather triggers new socio-technical and political constellations that bring about their own challenges and asymmetries (Munn, 2020). The API Regulations offer some pertinent insights in this respect.

First, automation intervenes in re-defining relations of power, such as between the public and private sector, in an already complex policy and legal environment. This results, for example, in a stronger mandate for eu-LISA, a once strictly bureaucratic agency that has been able to significantly expand its mandate already (Trauttmansdorff & Felt, 2023). With the new regulations the agency is tasked not only with technical maintenance of existing and future IT systems, but also with their design and development (Art. 11 Reg. 2025/12; and Art. 9 Reg. 2025/13). This calls for further research on how public, supranational authorities become “platform developers” (van Dijck, Poell, & de Waal, 2018, 160), and with which political and social implications.

Second, the introduction of automated means for collecting passenger data through for instance mobile apps or self-service kiosks (for example during the online check-in process or at the airport) can be expected to condition the behaviour of both prospective passengers and air carriers. It does not only entail the use of new digital technologies by travellers and companies, but also a redefinition of the everyday work of air carriers’ staff (Recital 15 Reg. 2025/12; and Recital 24 Reg. 2025/13). However, the kind of devices to be put in place for data verification remain to be further imagined and negotiated in practice (Art. 5(7) Reg. 2025/12; and Art. 4(12) Reg. 2025/13). These upcoming discussions will become a good testbed to better grasp what counts as ‘good data’ for European security.

Third, automation also signifies a shift in how accountability is produced. The API Regulations emphasise how the production and storage of logs will become a key element of accountability through documentation (Art. 17 of both regulations). This documentation itself is expected to be largely automated. In a policy field that has been traversed – since the first European debates about the processing of travellers’ information in the early 2000s – by the question of data protection, it will be important to unpack how automation is expected to facilitate oversight and data governance.

And finally, automation is accompanied by its own (infrastructural) anxieties. The API Regulations discuss at length how to handle a scenario in which the automated means endowed by the router would fail due to “technical impossibility” (Art. 16 of both regulations). Much critical literature on automation has put into question its “fantas[ies]” (Lisle and Bourne, 2019, 683) or its “myth[s]” (Munn, 2022, 6–7). The API Regulations offer the occasion to also explore how actors promoting automation verbalise their spectres of failure (and which ones), and how they attempt to exorcise them.

Conclusion

In sum, automation may be less alluring than AI and other hot topics. And yet, the API Regulations remind us that those scholars that are keen on studying the evolution of algorithmic ordering and its implications need to attend to the transformations affecting its underpinning infrastructures. Ultimately, automation is at the same time less, and much more, than profiling.