EU weighs biometric data access deal with US as price of visa-free travel

Europe is preparing to open its national biometric databases to U.S. border authorities, moving decisively toward a collective legal framework that would allow Washington to query fingerprints and identity records held by EU member states.

The shift, now formalized in draft negotiating directives and internal council documents, reflects a calculation by European governments that resisting U.S. demands risks the loss of visa-free travel to America.

Rather than allow each capital to strike its own bilateral deal with Washington, EU governments have agreed to pursue a single EU-U.S. framework agreement that would govern how Enhanced Border Security Partnerships (EBSP) operate across the bloc.

The framework, endorsed politically in December and now backed by detailed negotiating instructions from the European Commission, is intended to provide what the documents repeatedly describe as “a legal structure for member states’ bilateral information exchange” with U.S. authorities under the Enhanced Border Security Partnership requirement.

It would not itself exchange data, but it would authorize and regulate the bilateral mechanisms through which data flows would occur.

The urgency behind this move lies in a U.S. demand first communicated in February 2022. According to EU Council material summarizing the U.S. position, Washington informed all Visa Waiver Program (VWP) nations that continued visa-free travel would be conditioned on concluding an Enhanced Border Security Partnership with the Department of Homeland Security (DHS).

According to a Council of the European Union negotiating note on EBSP, the U.S. expects these arrangements to be operational by December 31, 2026, after which DHS will assess compliance as part of ongoing VWP reviews. Countries that do not meet U.S. expectations risk suspension or limitation of their citizens’ ability to travel to the U.S. without a visa.

The commission’s negotiating directives leave little ambiguity about what Washington is seeking.

The framework would authorize the exchange of information on travelers crossing external borders “to support the screening and verification of identity of travelers necessary to determine if their entry or stay would pose any risk to public security or public order,” and, crucially, “to support the competent authorities in the prevention, detection, investigation and prosecution of crimes and terrorist offences.”

Border screening and criminal enforcement are thus deliberately fused within a single legal instrument.

At the core of the proposed exchange is biometric data. The European Commission’s negotiating directives annex states explicitly that information sharing “should be based on the exchange of the identity information included in the travel document, and the fingerprints of a traveler.”

Where deemed relevant, and subject to safeguards, the parties would also be able to exchange “supplementary information relevant to the given individual.” This language confirms that biometric querying is not a peripheral feature of the arrangement, but its central operational mechanism.

EU negotiators are acutely aware of how sweeping such access could become. The same document stresses that the framework must contain “clear and precise rules and procedures for triggering a query on a traveler, to preclude a systematic, generalized and non-targeted processing of data for all travelers.”

The phrasing amounts to an acknowledgment that, without legal constraints, the system could slide toward indiscriminate biometric surveillance of everyone crossing a border.

Although U.S. officials have often framed Enhanced Border Security Partnerships as focused on foreign nationals, EU documents make clear that citizens are not categorically excluded. The exchange of information “may include exchanges on citizens and their family members, as well as permanent residents,” where such transfers are deemed strictly necessary and proportionate for combating serious crime or terrorism and where reciprocity is ensured.

In other words, EU citizens’ biometric data could be shared with U.S. authorities under defined circumstances, a politically sensitive point that has remained largely absent from public discussion.

The framework is carefully designed to rely on national databases rather than centralized EU systems.

The directives repeatedly emphasize that information exchange would concern data stored in member states’ own repositories, with each country deciding which databases and categories of data fall within scope.

Access to EU-level systems such as Eurodac or the forthcoming entry/exit system is described as legally and technically infeasible in the current timeframe, though the documents leave open the possibility that future legal changes could alter that assessment.

To counter anticipated legal challenges, the commission has embedded an unusually detailed catalogue of safeguards into its negotiating position.

The framework would impose strict purpose limitation, storage and deletion rules, accuracy requirements, and limits on onward transfers. It would require enforceable rights for individuals, including access, rectification, and erasure, as well as judicial and administrative redress.

The directives also address automation directly, stating that the agreement “should provide for safeguards in respect of automated processing of personal data, including profiling, and should prohibit decisions based solely on the automated processing of personal data without human involvement.”

Perhaps most striking is the commission’s explicit acknowledgment that the framework may permit transfers of the most sensitive categories of personal data.

The directives state that the transfer of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, and “biometric data for the purpose of uniquely identifying a natural person” may be allowed, but “only where strictly necessary and proportionate” and subject to additional safeguards.

The inclusion of this language signals that EU negotiators are preparing a legal pathway for exceptionally intrusive data exchanges, even as they attempt to circumscribe their use.

Visa-free travel functions as the enforcement mechanism underlying all of this. The framework is required to spell out “the consequences of suspension of membership from the VWP, or limitation of the Electronic System for Travel Authorization validity, on information exchange.”

In effect, mobility rights are being used as leverage to normalize routine, automated biometric data sharing between sovereign states.

ESTA is a DHS-run pre-travel authorization system operated by U.S. Customs and Border Protection that determines whether citizens of VWP countries are eligible to travel to the U.S. for tourism or business.

Privacy regulators have warned that the implications extend far beyond travel convenience. European Data Protection Supervisor Wojciech Wiewiórowski described the prospective agreement as “the first EU-level agreement that would allow for large-scale transfers of personal data to another country’s border authorities.”

While Wiewiórowski has supported an EU-wide framework as preferable to uncoordinated bilateral deals, he has argued that data sharing should be as narrowly confined as possible and limited, in principle, to people traveling to the U.S.

The negotiations are unfolding under a Trump administration that has aggressively expanded biometric screening across immigration, travel, and law enforcement systems.

DHS has worked to link airline passenger data, border biometrics, asylum processing systems, and foreign government records into an increasingly interoperable architecture designed to identify, assess, and sort individuals long before they reach U.S. territory.

Enhanced Border Security Partnerships extend that architecture outward, effectively integrating foreign biometric databases into U.S. screening workflows and enlarging what critics describe as a global biometric surveillance net.

Read together, the EU documents show that European governments are not unaware of what they are building. They explicitly anticipate the risks of generalized data processing, acknowledge the sensitivity of the data involved, and devote pages to legal safeguards.

Yet, they also accept, as a practical matter, that refusing U.S. demands could mean the suspension of visa-free travel. The result is a framework that seeks to manage, rather than halt, the expansion of cross-border biometric surveillance.

As negotiations with Washington move forward, the EU-U.S. Enhanced Border Security Partnership framework is emerging as a test case for how democratic governments reconcile mobility, security, and fundamental rights.

What is being constructed is not merely a technical arrangement, but a durable legal architecture that embeds biometric identity checks and data exchange at the heart of international travel, and ties participation to the ability to cross borders.

Article Topics

biometric data  |  biometrics  |  border security  |  cross-border data sharing  |  data sharing  |  DHS  |  Enhanced Border Security Partnership (EBSP)  |  EU  |  U.S. Government  |  United States