Answer given by Ms Malmström on behalf of the Commission
The draft EU‑US PNR agreement covers PNR data transfers by air carriers operating passenger flights between the EU and the US regardless of where the data are stored.
The agreement corresponds to DHS requirements, as it provides for structural and automatic transfers of PNR on all flights with a US nexus. It also foresees a possibility for ad-hoc requests in emergency situations. DHS receives all PNR data elements that are crucial for law enforcement, including sensitive data. During the last joint review DHS, confirmed that they had not used or needed access to categories of PNR beyond those permitted. In this context, specific subpoenas or National Security Letters appear redundant. The US authorities receive the data needed on the basis of the EU‑US PNR agreement.
National Security Letters may be issued on the basis of the US Patriot Act. This Act indeed provides for a possibility to collect different types of data, including PNR data. However, with regard to PNR it is implemented through detailed regulations which are made in line with any EU‑US PNR agreement in force.
According to information received by the Commission following the question posed by the Honourable Member, Amadeus keeps logs of all transfers of PNR to the US authorities for specific periods of time, which vary depending on the type of transfer. Therefore, it is possible to trace back what data were transferred and when. The US office of Amadeus cannot access and transfer PNR data to the US authorities without involving the head office of Amadeus in the EU.
The Commission is aware of the existence in the US territory of some Computer Reservation Systems containing PNR data. As long as these data concern flights between the EU and the US, they are covered by the EU‑US PNR agreement.