The Amadeus Computer Reservation System has its headquarters in Madrid (Spain) and its central database in Erding (Germany). Additionally, it has several offices outside the EU, including an office in Miami, within US jurisdiction. All Amadeus offices around the world have access to the PNR data base in Erding.
1. Is the Commission aware that the US authorities may retrieve PNR data stored in Europe (Erding) through the Amadeus office in the US, for example by using National Security Letters? Is the Commission aware that such retrievals are not being logged, and that Amadeus may be sworn to secrecy by the US authorities?
2. Does the Commission consider this would allow the US authorities to access PNR data, at least on an ad hoc basis, at any given moment? Does the Commission agree that this is not only equivalent to the ‘pull’ method, but that it even exceeds ‘pull’, as it allows for the retrieval of all PNR data, not just the fields specified in the EU‑US Agreement, without the obligation to log the retrievals? Does the Commission agree that this leaves the clauses on ‘push and pull’ and logging in the EU‑US agreement completely meaningless in practice?
3. Does the Commission agree that data retrieved by the authorities of a third country from an EU located data base would constitute a transfer of data to a third country? Is the Commission aware if Amadeus or similar CRS are keeping logs of such retrievals? If not, does the Commission consider that such retrievals are a violation of EU data protection rules?
4. If no logs are being kept of the retrievals described above, would the Commission agree that citizens would have no means to exercise their rights to verify and correct their data?
5. Can the Commission provide an overview of other computer reservation systems with a presence in the US that would be in the same position as Amadeus? Can the Commission provide an overview of PNR data stored in Europe by CRS that are thus available to third countries other than the US?