• Home /
• News /
• 2025 /
• November /
• US searching for “security threats” in European data: not a problem for EU member states

US searching for “security threats” in European data: not a problem for EU member states

Topic

Country/Region

12 November 2025

US law enforcement authorities want direct access to EU member state police and immigration databases to identify people considered “a threat to US security.” They may also be seeking access to EU databases. Some member states have concerns over timing, the legal basis and data protection requirements, according to a document obtained by Statewatch – but none have any fundamental problems with the proposal.

Image: Mobilus in Mobili, CC BY-SA 2.0

---

US access to European databases

European Union member states have no fundamental problem with United States law enforcement authorities accessing their national databases to look for “security threats,” a document obtained by Statewatch shows.

The US wants the Department of Homeland Security and other agencies wants these new powers to identify people travelling to the US who might pose “a threat to US security.”

In July, the European Commission quietly published a proposal for such an agreement.

It would establish a framework for bilateral accords between EU member states and US authorities.

These bilateral agreements would govern the details of access to national systems by US authorities, as part of what the US calls an ‘Enhanced Border Security Partnership’.

A US government document (pdf) indicates that this would let US authorities "compare the fingerprints of travelers seeking entry or immigration status… against their appropriate criminal, terrorist, and identity records."

Comments from member states in the document obtained by Statewatch, which was circulated in mid-September, indicate that the US is also interested in access to both national and EU databases.

Access to EU databases would be unprecedented. No ‘third state’ currently has the ability to directly search the systems.

That type of access would require a different agreement altogether than the one foreseen by the Commission’s proposal.

No fundamental concerns

Some member states have concerns over specific issues in the Commission’s proposal – for example, the legal basis used, the timetable for negotiations with the US, or data protection requirements.

None question the need for such an agreement.

There is a strong incentive for the EU and its member states to sign up.

The US is demanding access to databases controlled by all states that participate in the Visa Waiver Program (VWP), which allows visa-free travel to the US for citizens of participating countries.

All EU member states, aside from Bulgaria, Cyprus and Romania, participate in the VWP, and Cyprus may soon become a member.

Other members include Australia, Israel, New Zealand, Singapore and the UK.

If the EU and its member states do not meet US demands, Washington may withdraw this visa privilege.

The EU is, incidentally, considering using its own visa policies as both carrot and stick to get cooperation from third countries on its deportation agenda.

US access to EU databases

Austrian authorities expressed the view that “the US is rather interested in data stored in European information systems… rather than in national databases.”

The comment refers specifically to three large-scale EU databases: the Visa Information System (VIS), shared Biometric Matching System (sBMS) and Common Identity Repository (CIR).

“Austria is open to explore ways of international data exchange based on the European information systems,” the comment goes on to say.

Ambiguous terminology

The Commission’s proposal says that information exchange should “support the screening and verification of identity of travellers necessary to determine if their entry or stay would pose any risk to public security or public order”.

The Lithuanian delegation noted that “public security and public order” are “ambiguous” terms, and would need to be defined: “The agreement should at least name the characteristics of the unlawful conduct which shall determine it to be considered a crime or a terrorist offence.”

Likewise, the Belgian authorities argued “it should be made clear what a risk to public security or public order entails.”

Legal basis

There is some disagreement among member states about which treaty articles to use as the legal basis for the Commission’s proposal:

• Article 16(2): on establishing rules to protect personal data
• Article 77(2): common policy on visas and border controls
• Article 218(3) and (4): EU competences for negotiating international agreements

“France does not agree with the Commission that the negotiation of an EBSP framework agreement is an exclusive EU competence,” says one comment.

French authorities say some of the issues covered by the proposed agreement are member state competences, and want close involvement of member state officials in the negotiating process.

A similar concern is shared by the Irish authorities, who consider that:

…the Recommendation and Annex do not accurately reflect the shared competence of Member States in this area generally, and particularly for Ireland, by focusing on the common visa policy aspect as opposed to the law enforcement and counter-terrorism aspect.

Irish authorities are also concerned about being excluded from negotiations altogether, given the proposal is labelled as relating to the Schengen area, which Ireland is not part of.

This “precludes Ireland from engaging effectively with the Council negotiation of a Framework agreement,” despite the fact that the country is part of the Visa Waiver Programme.

Nevertheless, “Ireland is supportive of the aims set out.”

Tight deadlines

The US is demanding that all relevant agreements be in place by the end of 2026.

The Estonian delegation said that “these expectations are not realistic to achieve,” in light of “current developments.”

There is no further explanation of what “developments” these might be.

Similarly, the Dutch delegation expressed:

…concerns regarding this tight timeline, as negotiations will not be easy, the European Parliament needs to provide its consent and bilateral agreements need to be negotiated and concluded as well (in some cases even prior to the entry into force of the framework agreement). Any bilateral agreement needs to be approved by the Dutch parliament.

Data protection

Other member states have called for upholding EU data protection standards.

Dutch authorities do not want the level of information exchange between the US and EU member states, and potentially the EU as a whole, to “go beyond the level of information exchange between EU Member States.”

For the Dutch authorities, this means that:

...information exchange should be based on a hit/no hit basis [i.e. a search which shows whether or not information exists, but not the information itself] after which in case of a hit possible additional information can be shared if agreed upon by designated competent authorities through the appropriate channels.

Furthermore, the Dutch argued:

The negotiating directives should clearly state in which cases the US will have automated access to EU databases and for which purposes this information will be used. In case of automated information exchange, this should not be followed by continued automated access to additional information. This does not respect the data protection rules nor the principle of purpose limitation and goes beyond the level of information exchange between EU Member States.

The Austrian authorities raised a similar point:

…the automated comparison of biometric data with national databases, as demanded by the US, followed by the automated transmission of the associated personal data and background data of these individuals in the event of a match, without human review, continues to be strictly rejected from a data protection perspective.

French authorities also expressed explicit opposition to automated data transfers.

The Italian government raised a similar point, noting that there should not be “direct access, as the US wish.”

Instead:

...conditions should prevent the execution of queries on individuals in all cases, without any prior suspicion. They should therefore exclude systematic and routine queries on all individuals between the EU and the United States.

Not everyone is of the same mind, however: the Czech delegation expressed support for an agreement that allows automated decision-making.

The comments indicate that Prague appears to be keen on as broad an agreement as possible with the US.

Discussions ongoing

Discussions on the proposal continue.

On 22 October, the Council’s information exchange working party held an “exchange of views”.

On the same day, a second draft compromise text from the Danish Council presidency was circulated.

What it says remains, for the time being, secret.

Documentation

• Commission recommendation for a Council Decision authorising the opening of negotiations on a framework agreement between the European Union and the United States of America on the exchange of information for security screenings and identity verifications relating to border procedures and applications for visa: comments and text suggestions (Council doc. WK 11360/2025 INIT, LIMITE, 18 September 2025, pdf)

Further reading