EU-US data exchange proposal in conflict with EU laws

Topic

Since December 2025, the European Union and the United States of America have been negotiating an agreement to exchange information for security screenings and identity verification related to border procedures and visa applications. The European Commission’s current proposal, published by Statewatch, manifestly violates EU law. It goes much further than the limited negotiating mandate granted to the Commission by the Council of the EU and runs against essential data protection safeguards set out by the European Data Protection Authorities. Anyone’s data exchanged under this proposed agreement could be used for a wide range of purposes. This includes preventing or arresting people travelling to the USA who have voiced opposition to US policies in Europe, or automated discriminatory profiling of travellers, including EU citizens.


EU Commission under US pressure to negotiate access to EU citizens’ data

 

Statewatch obtained an EU-US data exchange proposal from the European Commission which would violate EU law should it go ahead.

The proposed agreement is the product of a series of secret discussions between the Commission and the US dating back to 2022. These discussions centred around the idea of an Enhanced Border Security Partnership (EBSP) that would involve mutual “continuous and systematic” transfers of biometric data. In this case, biometric data is understood to include fingerprints, photographs and genetic data. Despite the Court of Justice of the European Union (CJEU) ruling against similar agreements, the Commission kept the current discussion with the US secret.

In July 2025, the Commission requested authorisation from the Council of the EU to instigate negotiations on the agreement. It also asked the European Data Protection Supervisor (EDPS) for an opinion on the negotiating directives, in order to ensure respect for EU data protection and privacy rules. The Council granted the Commission’s request but issued a very limited mandate and expressly prohibited the exchange of information from EU databases.

In December 2025, Statewatch revealed that the US had issued a deadline for negotiations, and requested access to biometric data stored in Member States' databases by 31 December 2026. Failure to comply with the US’ demands would result in the revocation of its visa waiver programme, which allows citizens of most EU countries (except Bulgaria, Cyprus and Romania) to travel to the US without a visa.

 

Background: EU vs US data regulations

 

Understandings of privacy and data protection differ hugely between the EU and US.

In the EU, personal data protection and privacy are understood as fundamental rights, based on harmonised legislation and principles laid out in the EU Charter (more on this topic in this data protection handbook published by Statewatch).

By contrast, the US, as described by Steven Blaakman, a Member of the European Parliament Research Service, “considers it rather a consumer protection issue, which is covered by a panoply of legislation at both federal and state level.” In March 2026, the US government proposed the SECURE Data Act, to introduce a federal approach to privacy. Eric Null, the Director of the Privacy & Data Project at the Center for Democracy & Technology, called the draft “a major step back in the privacy debate.” He argued that it “would fail to protect peoples’ privacy while giving companies a free pass to continue engaging in the same data practices consumers have grown to hate.”

The EU’s and the US’ different approaches to data exchange regulation have led to conflicts and several court battles.

The EU’s first data protection law, adopted in 1995, protected the data of EU citizens worldwide and precluded sending data to countries without matching data protection standards. The CJEU has, on two occasions, annulled agreements between the EU and the US to exchange EU citizens’ data on the basis that the US could not provide sufficient safeguards and protections (Schrems I, Schrems II). The most recent EU–US Data Privacy Framework was referred to the CJEU by Philippe Latombe. Latombe’s challenge failed in the first instance to convince the Court that the agreement did not sufficiently protect EU citizens’ data protection rights. The applicant has appealed the decision.

 

Beyond personal data

 

In addition to this EU-US Data Privacy Framework (which governs companies' exchange of personal data across the Atlantic), the EU and the US have also concluded an agreement authorising the exchange of passenger name records (PNR) for counter-terrorism purposes.

The exchange of travel data is an international obligation for all UN members (see the Statewatch project Network of (In)security). But even in that case, the lawfulness of the exchange is doubtful.

In 2017, the CJEU issued an opinion on the exchange of passenger data between the EU and Canada which should have been “a benchmark for future agreements with other countries”. Nearly a year after the opinion was issued, however, the EU’s national data protection bodies told the Commission there had been no real change resulting from the opinion. The planned agreement with Canada had not been adjusted, nor had existing PNR agreements with Australia and the US. While a new agreement with Canada was subsequently reached – eight years later – there have still been no changes to the other two.

A white paper of the International Air Transport Association (IATA), the principal lobby group for the world’s airlines, noted recurring conflict because of “an overlapping patchwork of data protection laws with different substantive requirements, each of which may interact with or conflict with the data protection and other laws of other states.”

The Trump administration has given rise to even more serious concerns about the fragile EU-US data exchange agreements by weakening the redress mechanisms available to EU citizens in the US. Last year, Politico reported that Trump fired the three Democratic-selected members of the authority responsible for overseeing and redressing data exchanges with the US, the Privacy and Civil Liberties Oversight Board. This move is part of a general attack on the rule of law in the US that saw the purge of immigration judges and the firing of 21 inspectors general in charge of audits and oversight.

A long-term conflict between the EU and the US has centred on the Foreign Intelligence Surveillance Act (FISA), which grants US intelligence services mass surveillance powers with no effective redress mechanism for non-US nationals. Section 702, concerning this surveillance, is currently up for renewal and being discussed by the US Congress. It drew opposition across political party lines for authorising government access to US citizens’ communications when speaking with foreigners abroad. The act was opposed by Congress.

“The proposed framework agreement, if concluded, would therefore set an important precedent, as it would be the first agreement concluded by the EU implying large-scale sharing of personal data, including biometric data, for the purpose of border and immigration control by a third country.” (EDPS, para 7 of its opinion)

The proposed agreement between the US government and the EU would be the first of its kind according to the EDPS, the authority in charge of supervising the respect for data protection laws and privacy by the EU. It would imply “the large-scale sharing of personal data, including biometric data, for the purpose of border and immigration control by a third country.” The EDPS warned that this would “therefore set an important precedent”.

On 10 March 2026, Anu Talus, the Chair of the European Data Protection Board (EDPB), addressed a letter to the EU Commission expressing concerns about the change of entry conditions to the US for EU citizens. She asked the Commission to “ask US authorities on the possibility for EU data subjects to effectively exercise their rights under the US Privacy Act and on the duration of retention of that data.” The letter also addressed the framework agreement for “Enhanced Border Security Partnerships” saying that it could “significantly impact the protection of fundamental rights, in particular the right to protection of personal data”.

 

The Commission’s proposal: vague commitments and standards ripe for abuse 

 

It is clear from the Commission’s proposal that the EDPS guidelines for negotiation, drafted last September, have been ignored.

When reviewing the negotiating directives of the Commission, the EDPS warned about the lack of clarity in the scope. They stated that “the negotiating directives in the Recommendation make an important distinction between EU citizens, on the one hand, and third-country nationals, on the other hand.”

 

Scope of agreement (Article 3)

 

Article 3 of the proposed agreement concerns the scope of the Framework Agreement, and states the parties’ intention “to exchange information on U.S. nationals, Union citizens, and third country nationals”. However, it omits essential protections for third-country nationals’ data. For example, if the parties are unable to exchange information about their respective citizens, nothing prevents them from continuing to exchange data on third-country nationals.

Furthermore, paragraph 3 of article 3 implies that whilst EU citizens enjoy the same data protection as US citizens (which means little, given the limited data protection in the US), there is no protection for third-country nationals whose data can be exchanged at will.

The EDPS has urged the Commission to “circumscribe very clearly in the framework agreement the purposes and the objectives of the envisaged data processing operations under the EBSP”.

The EDPS warned that EU law prohibits data exchanged for law enforcement purposes from being used for any other purpose. It also noted, all too diplomatically, “possible divergent understanding in the EU and in the United States of the concepts of security and law enforcement.”

One example of these divergent understandings is the recent argument to criminalise the ‘antifa’ movement. In November, US Attorney General Pamela Bondi claimed: “Antifa is an existential threat to our nation”. Yet what counts as an antifascist group is not clearly defined in this context. The positioning of it as a foreign terrorist organisation has been described by former Counsel for Domestic Terrorism in the Counterterrorism Section of the U.S. Department of Justice, Thomas E. Brzozowski, as “weaponising counterterrorism authorities against domestic political movements”.

 

Purposes of data processing (Articles 6, 8 and 12)

 

Article 6 of the proposed agreement provides that the exchange of information is intended for the “verification of identity, and screening and vetting, of individuals needed to determine whether their entry or stay would pose a genuine risk to public security or public order.” In comparison, the exchange of PNR data is allowed only to fight serious crime and terrorism.

The processing of data for public security or public order imposes a broad and vague standard. The consequences have been seen already, such as in the case of Dr Abu Sittah, a British Palestinian doctor, who was prevented by German authorities from speaking at a demonstration in Berlin in support of Palestine.

These sweeping qualifications would allow, for instance, US authorities to identify and profile people for protesting US policies such as the war in Iran or the genocide in Palestine, even if the individual was in Europe at the time. The automatic exchange of data on EU citizens and the consultation of national watchlists would open the floodgates to mass profiling of EU citizens and third-country nationals falling under the scope of this agreement.

In many ways, this is already taking place. Several EU citizens have been denied entry and detained in the US, in one case after phone messages were found to be critical of Trump.

There is more. While article 6 states that the purpose for exchanging data is security, article 8 gives “immigration violations” as an example of the relevant factors about an individual that would indicate a risk and generate a match. This could lead, as the EDPS warned, to legal uncertainty regarding the applicable legal framework for data protection in Europe. On the one hand, GDPR regulates data processed for immigration purposes. On the other, the Law Enforcement Directive (LED) regulates data processed for law enforcement.

The data processed under this agreement may also be further processed, but only in ways compatible with the purposes for which it was transferred (article 12). In paragraph 3 of article 12, examples of compatible purposes could extend to “non-criminal and administrative proceedings where further processing is linked to the facts stemming from the assessment of the travel authorization application, visa application, or border checks.”

This kind of further processing is ripe for abuse and has been shown to lead to fundamental administrative errors and flawed decision-making. In the UK, the Home Office has used travel data to inform decisions on families’ welfare payments, but the data was “so flawed that almost half of the families initially flagged as having emigrated were still living in the UK.”

 

Exchange of information (Articles 7, 8 and 9)

 

The exchange of information described in the agreement is divided into two steps.

In the first step, under article 7, the Requesting Competent Authority submits an automated search for an individual for whom there is reason to believe that the entry or stay could pose a genuine risk to public security or public order. The request for information is shared with the other party, with information to identify the person, including information included in the application or in the travel document. In case of a match with information held in its “information systems”, the requested authority shall transfer further identification information, including, where available, photographs.

The second step is described in the agreement at article 9. In it, the Requesting Competent Authority “may request additional information” on the same individual. The amount of additional information that can be shared between the parties will depend on the agreement between the US and the member state.

The procedure to exchange information, as described, only mentions consulting national systems. It does not prohibit consulting Europe-wide systems, which will be accessible to national authorities via the shared biometric matching service launched last year by the Commission, which enables consultation of all large-scale EU databases.

This access, however, was one of the limits on the scope of the negotiating position approved by the Council of the EU in December. Other essential limits which have not been respected by the Commission are that the agreement should “respect EU’s standards of data protection and fundamental rights” and have “clear purpose limitation of exchanged data [..] to avoid a mass transfer of data.”

That is to say, the proposed agreement goes beyond what the Commission is legally allowed to offer.

 

Automated discriminatory profiling (Articles 20 and 21)

 

The agreement requires, in article 7.2, that the competent authorities “shall not arbitrarily and unjustifiably discriminate against persons, in particular, on the grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.” This, however, falls short of EU non-discrimination standards as laid out in article 18 of the Treaty on the Functioning of the European Union, which prohibits discrimination on grounds of nationality. The agreement also does not meet the standards set out in article 21 of the Charter of the EU, which prohibits, for instance, discrimination on the grounds of political or any other opinion.

In other words, the bilateral agreement doesn’t comply with EU fundamental rights.

This omission is particularly concerning because article 21 of the agreement allows for automated decision-making. In its ruling on the PNR directive in 2022 the CJEU prohibited “the use of artificial intelligence technology in self-learning systems (‘machine learning’), capable of modifying without human intervention or review the assessment process and, in particular, the assessment criteria on which the result of the application of that process is based as well as the weighting of those criteria.” This agreement only “include(s) the possibility to obtain human intervention”, allowing for the possibility to use automated decision making in order to profile the political opinion of travellers or to target immigrants, an option that has already been embraced by US authorities. In a report published in January 2025, it was alleged that the US border agency ICE had nearly doubled its use of AI to track and identify migrants. ICE has also expanded its repression of dissidents, according to the opinion published by Irna Landrum, a Minneapolis resident and senior campaigner on AI at Kairos Fellows.

The agreement also allows the processing of special categories of personal information, in article 20, such as: “personal information revealing racial or ethnic origin, political opinions or religious or other beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or personal information concerning health or sexual life”. It permits such processing only “under appropriate safeguards in accordance with law.” This is, however, a far lower standard than the prohibition under article 9 of the General Data Protection Regulation, which only allows processing under specific exceptions, and leaves significant uncertainty as to its compliance with EU law.

The quality and integrity of the information shared between the parties are regulated under article 15 of the agreement. Article 15 mandates only that competent authorities have safeguards in place for ensuring the quality and integrity of the data shared. Where there are significant doubts on the quality of the information shared, the competent authorities are under no obligation to warn the requesting party, but may do so where feasible. The assessment of what is feasible is left to the competent authority.

Another watered-down safeguard is the retention period provided for under article 19 of the agreement, which only requires that personal information not be retained for longer than is necessary and appropriate. It further asks for the parties to “provide procedures for periodic review of the retention period”, but does not indicate which authority will be in charge of doing so or if independent oversight will be involved in the process.

 

Redress and oversight mechanisms (Article 24)

 

Maybe the most alarming aspect of this agreement is the uncertainty regarding redress and oversight mechanisms. This has been a key concern both for the EDPS and the EDPB. The EDPS, in its opinion, clearly said that it “is specifically concerned about the availability of judicial redress in the United States for all data subjects, irrespective of their citizenship and of the purpose of the data sharing.”

Already in its preamble, the agreement announced that “It is for each party to determine the remedies available and that it is not required that each type of remedy be available at each instance.” It states later in article 13 that the parties should “promote accountability for processing personal information within the scope of the Framework Agreement by their Competent Authorities, and any of their authorities to which personal information has been transferred”.

This is far from assuring that they will guarantee such accountability.

According to article 3.3, EU citizens should have comparable remedies and redress as US citizens. Third-country nationals concerned by this agreement are excluded, leaving them with no redress and arguably no protection either. This is particularly concerning given the vast amount of data that EU member states store on third-country nationals, either in their national databases or in European databases.

Article 24 defines the role of administrative and judicial redress in this agreement. It requires the parties to have “in place effective administrative and judicial remedies to provide redress for individuals whose personal information has been processed and used in a manner inconsistent” with the data protection standards laid out in the agreement. This approach seems more consistent with a US view of redress for data protection violations, which is often “triggered only when harm occurs”. By contrast, in the EU, individuals can request that the Court examine whether their data protection rights have been violated, including by requiring authorities to provide access to data and to review how the authorities have managed the individual rights to data protection.

 

US pressure might affect the adoption of the agreement

 

The agreement has been sent to the Council and should also be sent to the European Parliament for approval. The latest negotiations on international data exchange agreements have led to prolonged legal disputes and two referrals for an opinion to the Court of Justice of the European Union.

But the context has changed in Brussels. The Commission is leading the charge in a simplification of EU data protection regulation. The digital rights organisation EDRi denounced this as a push to water down regulation “that could very well create a race to the bottom in corporate accountability, leaving people and collectives even more exposed to exploitation and discrimination.”

The European Parliament has been vocal in the past in defending data protection regulation, but a new right-wing alliance has, in this current parliamentary mandate, consistently supported every law proposed to curb migration and support law enforcement, even when the measures proposed are far from EU standards.

The US administration has also exacerbated tensions by bullying its opponents with sanctions and travel bans. Former Commissioner Thierry Breton, who championed EU digital law impacting US businesses, has been prevented from travelling to the US. Even more concerning, judges of the International Criminal Court have been added to the US sanctions list. These judges have described the effect on them and their family members as “living in constant uncertainty” as banks automatically act on sanctioned individuals. It is not improbable then that the US would seek to target judges of the EU court if they dared to express a negative opinion on the agreement.

 

Framework Agreement between the European Union and the United States of America on the reciprocal exchange of information for identity verification, and screening and vetting, relating to border procedures and applications for travel authorizations and vi (Council doc, WK 5183/2026 INIT, LIMITE, 16 April 2026, pdf)

 


Further reading

18 December 2025

US access to EU citizens’ biometric data: ministers approve EU negotiating mandate

EU ministers have agreed to launch negotiations on an agreement that would grant US border agencies direct access to personal data stored in EU member state databases, and give EU agencies similar access to US data. The US is demanding access to the databases of all states that are part of its Visa Waiver Programme, for “immigration screening and vetting activities.” This is part of a broader plan to massively increase the amount of sensitive data gathered on travellers.

27 November 2025

Networks of (in)security: how global counter-terrorism and security norms threaten civic space and human rights

Global counter-terrorism and security norms are propelling the introduction of pre-emptive, automated and algorithmic forms of surveillance and profiling, says new research published today by Statewatch. This is reinforcing racism and discrimination, inhibiting free movement, and giving authoritarian states new tools of control. The research calls for an organised response to this long-term state project, and sets out some guiding questions for future work.

 
