On February 2, 2023, the U.S. Customs and Border Protection (CBP) issued a Notice of Proposed Rulemaking (NPRM) designed to strengthen international air travel security by enhancing information that commercial aircraft operators (both U.S. and non-U.S.) must electronically transmit to CBP through CBP’s Advance Passenger Information System (APIS) prior to an aircraft’s departure to/from the United States. Of note, CBP proposes to:

1. augment documentation validation procedures for all flights to and from the United States, and
2. require that commercial aircraft operators transmit additional contact data for all passengers on commercial flights arriving in the United States, among other changes.

If adopted, these proposed changes may require changes to commercial aircraft operator tools used to communicate with CBP’s APIS system.

Documentation Validation Procedures

CBP regulations require commercial aircraft operators to transmit passenger information electronically to CBP using the APIS system prior to departure to or from the United States. After receiving an APIS transmission, CBP performs required security vetting by querying law enforcement databases and the terrorist watch list and notifies carriers whether each passenger may board based on the results of those inquiries.

To mitigate the risk posed by potential fraudulent or invalid travel documents, in 2013, CBP implemented the voluntary Document Validation Program (DVP), which enables CBP to use APIS to vet travel document validity. Under the DVP, after commercial aircraft operators transmit travel document information to CBP via APIS, CBP determines whether that information matches valid, existing travel documents in CBP’s databases and subsequently transmits response messages back to carriers confirming whether the travel documents have been validated. In this NPRM, CBP proposes to require that all commercial aircraft operators transporting passengers to or from the United States participate in the DVP program by receiving such document validation messages. If documents cannot be validated by CBP, commercial aircraft operators must contact CBP to address the issue.

If the NPRM is finalized as proposed, commercial aircraft operators would be required to receive two responses from CBP and to adjudicate any problematic responses. The first response from CBP would indicate the security status of each passenger, as required by current regulations. The second response would indicate whether each passenger’s travel documents have been validated under the DVP. According to CBP, in 2021, 40 commercial aircraft operators, including the “largest U.S. and foreign carriers,” participated in the DVP program on a voluntary basis, representing approximately 67% of commercial flights to and from the United States.

Additional Contact Data for Passengers

CBP also proposes to require that commercial aircraft operators transmit the following new additional contact information for all passengers on commercial flights arriving in the United States:

1. phone number with country code;
2. alternative phone number with country code;
3. email address; and
4. address while in the United States for all passengers.

Today, commercial aircraft operators are already required to provide the address of passengers while in the U.S. (along with 19 other specific data elements); however, this requirement does not currently apply to U.S. citizens, lawful permanent residents, or persons in transit to a location outside the U.S.

CBP is proposing to require the collection of such information from U.S. citizens and lawful permanent residents, leaving in place only the exclusion of passengers in transit. To justify this collection, CBP asserts that such data is required not only to help CBP “identify and locate individuals suspected of posing a risk to national security and safety and aviation security” but also to “enable CBP to further support the efforts of the Centers for Disease Control and Prevention (CDC), within the Department of Health and Human Services (HHS), to monitor and conduct contact tracing related to public health incidents.”

Observations

CBP touts the regulations as necessary changes to “enable CBP to determine whether each passenger is traveling with valid, authentic travel documents prior to boarding the aircraft,” as well as “support border operations and national security and safety.” While commercial aircraft operators have good reason to be supportive of regulatory measures that strengthen aviation security, it is important for carriers to evaluate the impact of the NPRM on operational, security, and passenger boarding needs and determine whether changes to the NPRM could mitigate any unintended impacts. Further, the requirement to collect additional passenger contact information could prove challenging for commercial aircraft operators that may not have systems that can store such information, as well as present added privacy concerns – along with new legal risks – that must be adjudicated by commercial aircraft operators.

Comments on the NPRM are due no later than April 3, 2023.