The International Civil Aviation Organization (ICAO) updated Annex 9 to the Convention on International Civil Aviation (CICA) in October 2017, requiring contracting territories to establish an Advance Passenger Information (API) system involving “the capture of a passenger’s or crew member’s biographic data and flight details” by an aircraft operator prior to departure.
Background: Convention on International Civil Aviation and API Systems
Under an API system, airlines are obliged to collect and transmit certain personal data to border control authorities before flight departure. These API systems have successfully been used by border control agencies in different markets. The EU, for instance, implemented its own API regulations in 2004.
To fulfil its obligations under the CICA, the Hong Kong SAR government in March 2023 gazetted the Immigration (Advance Passenger Information) Regulation regarding the future implementation of an API system. The Regulation will be enforced by the Hong Kong Security Bureau, which oversees the Immigration Department in its enforcement of effective immigration control.
Immigration (Advance Passenger Information) Regulation
The proposed Hong Kong regulation is scheduled (subject to any potential changes) to come into effect in late 2024 along with the Immigration Department’s new API system.
Under this new regulation, an airline operating a Hong Kong-inbound flight must supply a traveller’s API data (including their name, nationality, and type of travel document) to the Director of Immigration within 40 minutes of an aircraft’s departure. This is in line with current ICAO guidelines followed by most territories.
Using this information, the Director of Immigration has the power to give a ‘board’ or ‘no-board’ direction to the aircraft operator and order the airline to remove certain travellers from the Hong Kong-inbound aircraft.
Comparison between proposed HK regulation and current EU legislation
The proposed Hong Kong API regulation is similar to the EU’s current Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (EU API Directive 2004). Both the proposed Hong Kong API regulation and EU API Directive 2004 oblige airlines to collect and transfer to the relevant border authority similar sets of traveller information, such as their full names, nationality and mode of transport. This is in line with IATA guidelines that call for “a very high degree of uniformity” in relation to the data requested by border authorities.
However, compared to the HKSAR’s proposal, the current EU API Directive 2004 has strict provisions regarding data deletion. Under the EU’s rules, Member States must oblige airlines to delete the personal data collected for border authorities within 24 hours after transmission to those authorities. The proposed HK regulations meanwhile contain no such provisions regarding the deletion of the API data, thereby taking a more relaxed approach to deletion than the EU API Directive 2004.
Additionally, the EU API Directive 2004 requires airlines to communicate personal data to border authorities ‘by the end of check-in.’ The proposed HK regulation arguably takes a slightly more relaxed timing as it requires airlines to transmit such data to the relevant authorities at the latest by 40 minutes before the time of the flight’s departure to Hong Kong.
The EU API Directive 2004 also outlines how Member States may impose sanctions on airlines that fail to properly transmit data. Offending airlines are liable to a fine of between EUR 3000-5000 (approx. USD 3300-5500, while serious non-compliance with the EU API Directive 2004 may lead to withdrawal of their operating licence. In contrast, an airline operator who violates the proposed HK regulation is simply liable on conviction to a maximum fine of HKD 100,000 (approx. USD 13,000) with no mention of withdrawal of operating licences as a potential enforcement measure. Maybe unsurprising though, as this lighter-touch approach to enforcement is a feature common to data privacy and other legislation in the Chinese territory.
Comparison between proposed HK regulation and current US API System
The proposed Hong Kong regulations are arguably more relaxed compared to the United States’ Advance Passenger Information System in place since 2005. Under current US requirements, US-inbound aircraft operators must transmit to the Department of Homeland Security a set of Passenger Name Record (PNR) data in addition to API data found in a passport. Compared to the HK proposals, airlines must transmit much more personal data to US authorities, including contact information about a traveller, payment/billing information (e.g., credit card number) and travel itinerary.
In addition, the US requirements have more detailed provisions on timing as they require airlines to transmit a consolidated manifest of API data 30 minutes before departure, which is defined as “securing of the aircraft doors.” The proposed HK regulations in contrast contain no such provisions regarding the definition of ‘departure.’
Comparison between proposed HK regulation and PRC API System
The PRC has enforced its own API system since 2008 under the Measures for the Implementation of Advance Information of Personnel on Board of the International Flights. Current PRC regulations require airlines to collect the API data of passengers traveling on both inbound and outbound flights on behalf of the Ministry of Public Security.
As mentioned, in comparison, the proposed Hong Kong regulation only requires airlines to collect data for inbound flights. Therefore, Hong Kong regulations appear to take a narrow and less intrusive approach than their mainland counterparts, Hong Kong’s authorities seemingly focusing more on curtailing passage into the city of undesirable individuals.
Once it comes into force in the third quarter of 2024, the proposed HK Immigration (Advance Passenger Information) Regulation will arguably be more relaxed than the EU API Directive 2004 and its American and PRC counterparts. For those airlines which operate globally, it is unlikely that the proposed Hong Kong regulation will materially move the needle in relation to any existing processes which follow the EU API Directive 2004 or the American and PRC API systems.
That said, airlines which fly into Hong Kong should consider the final wording of the Hong Kong regulation to assess the differences between the Hong Kong regulation and any other API systems around the world. At a minimum, privacy and compliance teams will need to ensure that ticketing terms and conditions and crew employment contracts provide a broad enough scope for data sharing in the manner required where Hong Kong is a destination.
Depending on the origin of flights, some markets’ data protection regimes will have stricter rules for sharing of sensitive data such as biometrics – not to mention on a cross-border basis. For instance, will an airline with a presence in Vietnam now have to scramble to ensure that their impact assessments explicitly cover the Hong Kong API system? Can a Chinese carrier transfer data at all given the prohibition on sharing personal data with overseas regulatory authorities?
Given Hong Kong is a hub for many flight routes in and out of Asia, making these checks will be crucial for carriers serving passengers in mainland China, Thailand, Vietnam, Indonesia and elsewhere as their new and amended privacy regimes and cross-border transfer regimes take effect.
To allow time for over 100 airlines to connect to the API system and to ensure it is run smoothly, a transitional period of around 12 months will be adopted such that the offences, penalty and defence for non-compliance with the requirements under the regulation will only take effect after system's full implementation.