Image: Jonathan Cutrer, CC BY 2.0
Launch of negotiations approved “without discussion”
On Wednesday, EU ministers approved a decision to open negotiations with the US on an agreement that would grant US agencies access to biometric data stored in member state databases. The EU will seek similar access to data held by the US. The decision was taken “without discussion,” according to the Council of the EU.
A document obtained by Statewatch (pdf), drafted by the Danish Council presidency and sent to EU member state representatives in the run-up to the Wednesday meeting, outlines the EU’s approach to negotiations.
EU-US “framework agreement”
The EU and the US will negotiate a “framework agreement.” According to the Danish presidency, this should cover the exchange of “information, including biometric data” for “the screening and verification of identity of travellers necessary to determine if their entry or stay would pose a risk to public security or public order” (emphasis in original).
Information could then be used “to address irregular migration and to prevent, detect, and combat serious crime and terrorist offences, provided these efforts are taking place in the context of border management and border control.”
The framework agreement would not itself allow US authorities to search member state databases, or European authorities to search US systems. Rather, it would set the broad terms for bilateral agreements between EU member states and the US.
These bilateral agreements would set out “which data and databases to include in information exchange,” as well as other national legal and policy requirements, according to the presidency document.
National data first, EU data later?
The presidency note is clear that exchanges with the US should be of “information, including biometric data, stored in national databases of Member States.”
However, it also says that the “focus on national databases is without prejudice to any further reflections on the possibility for information exchange with selected third countries from EU databases.”
There is no further information on who those “selected third countries” might be. Previous documents published by Statewatch have indicated US interest in access to EU databases, and the UK has made specific requests on the topic which were declined by the EU. Other EU-UK plans have been mooted in the past, but seem to have been taken off the table for the time being.
According to the document, “the Presidency considers reflections on the possibility for information exchange with partners from EU databases worth pursuing in the longer term.”
Data protection law and rights
“The framework agreement should reflect the EU’s standards on data protection and fundamental rights,” the presidency says.
The note refers specifically to the EU Charter of Fundamental Rights, the General Data Protection Regulation (GDPR), the Law Enforcement Directive on data protection, as well as the Artificial Intelligence Act (AI Act).
The EU is currently in the process of watering down or eliminating a number of protections set out in the GDPR and the AI Act.
The note goes on to say that “there should be a clear purpose limitation of exchanged data, with very specific triggers for information exchange, as well as safeguards to avoid a mass transfer of data.”
Whether or not any such guarantees are included in the agreement, numerous experts have argued the US does not offer sufficient privacy and data protection safeguards for EU citizens.
A legal challenge against the current EU-US Data Protection Framework, brought by French politician Philippe Latombe, was rejected by the EU General Court in September. Latombe has said he will appeal to the Court of Justice of the EU.
The Trump administration’s attacks on the rule of law and the growing capture and use of personal data by agencies such as Immigration and Customs Enforcement (ICE) are likely to give further weight to arguments about the shortcomings of the US legal system, though these issues are not mentioned in the presidency note.
US ramps up data collection on travellers
The EU-US negotiations will come at the same time as US Customs and Border Protection plans to ramp up its collection of personal data in other ways.
As highlighted by Edward Hasbrouck, the agency is seeking approval from the US government to capture from all visitors to the US:
…a comprehensive set of biometric identifiers (“face, fingerprint, DNA, and iris”)… by installing and using a closed-source CBP smartphone app that requires permission to access Wi-Fi scanning and network data; take photos and video; access any fingerprint, iris scan, or other biometric sensors, and even turn on and off your flashlight.
This comes alongside demands for information from travellers on all social media accounts used in the last five years, as well as “high value data elements”, which include:
a. Telephone numbers used in the last five years;
b. Email addresses used in the last ten years;
c. IP addresses and metadata from electronically submitted photos;
d. Family member names (parents, spouse, siblings, children);
e. Family member telephone numbers used in the last five years;
f. Family member dates of birth;
g. Family member places of birth;
h. Family member residencies;
i. Biometrics—face, fingerprint, DNA, and iris;
j. Business telephone numbers used in the last five years;
k. Business email addresses used in the last ten years.
Documentation
- Enhanced Border Security Partnership (EBSP) (Council doc. 16362/25, LIMITE, 5 December 2025, pdf)
- Commission recommendation for a Council Decision authorising the opening of negotiations on a framework agreement between the European Union and the United States of America on the exchange of information for security screenings and identity verifications relating to border procedures and applications for visa: third Presidency draft compromise text (Council doc. WK 15766/2025 INIT, 19 November 2025, pdf)