DHS wants more than biometrics in US-EU data sharing agreement

EU travelers to the U.S. could potentially find themselves at the mercy of algorithms. A new draft of the U.S.-EU Enhanced Border Security Partnership (EBSP) reveals that it does not explicitly ban the use of automated decision-making algorithms by border control authorities.

The U.S. and the EU have been negotiating the Enhanced Border Security Partnership (EBSP) since 2022. The framework would enable Europeans to travel to America visa-free, provided that EU states grant access to their biometric databases for screening and identity verification of travelers.

The U.S. Department of Homeland Security may, however, gain more than European citizens’ biometrics. European countries may be compelled to transfer other “special categories” of personal data to U.S. border authorities – including their citizens’ political opinions, trade union memberships and information on their sex life, the draft has shown.

Another controversial part of the proposed framework concerns seeking recourse. According to the document, EU states would have to resolve any issue through national and international courts, rather than seeking resolution through a “Joint Committee” composed of unspecified EU and U.S. representatives.

The first round of negotiations, led by the European Commission, took place in January, while a debriefing was expected at the beginning of March. Once an agreement on the framework is reached, it will be approved by the U.S. and EU, after which individual European states will start bilateral talks with Washington over access to national databases.

When exactly the agreement will be valid is still unknown, but the U.S. side has been pushing EU states to reach bilateral agreements before the end of 2026. Meanwhile, the framework agreement is still likely to change.

EU focuses on data rules

According to the current EBSP document, obtained by Euroactiv, all information should be transferred with appropriate safeguards, subject to possible restrictions on access. The agreement notes that U.S. authorities may not share EU-supplied information with third parties unless they obtain explicit consent. Even with consent, they will still be required to ensure an “appropriate level of protection” for the data.

The Commission has also previously introduced other data safeguards, including an explicit ban on large-scale data transfers and limiting automatic sharing to basic identity information. The transfer of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, and “biometric data for the purpose of uniquely identifying a natural person” may be allowed, but “only where strictly necessary and proportionate.”

The draft also introduces several protections related to automated decision-making. Border authorities will not be able to rely solely on automated processes when making “decisions producing significant adverse effects on the relevant interests of individuals.”

The decision to use automated decision-making must also be grounded in domestic law, meaning that the U.S. will have to introduce regulations and “appropriate safeguards,” including the right for the traveler applying for the visa to seek human intervention.

Strained relationships and CBP FRT

Currently, it is unclear how these proposals will interact with European data compliance rules, including the GDPR, which has an extraterritorial effect. The agreement also comes at a politically fraught time between the two countries, which could fuel even more suspicion towards sharing data with U.S. government agencies.

Last year, reports that the U.S. border authorities would require travelers to submit five years of social media history shocked Europeans. The rule was proposed by the U.S. Customs and Border Protection (CBP) and could be included in the Electronic System for Travel Authorization (ESTA) as part of the Visa Waiver Program, which includes some EU countries.

EU lawmakers have also been criticizing the crackdown on migrants performed by the CPB and the U.S. Immigration and Customs Enforcement (ICE). Both agencies have been relying on facial recognition tools in their work. CBP formally integrated Clearview AI’s facial recognition platform into its intelligence and targeting operations with a one-year contract signed earlier this month. The contract makes clear that Clearview’s facial recognition capability is intended to enhance CBP’s ability to identify, vet, and analyze individuals encountered in border and national security operations. Clearview is a controversial U.S. biometrics firm known for scraping billions of images from the open internet. Its database, which held more than 50 billion images in June 2024, is also one of two systems ICE is using to investigate protestors and alleged assaults on its officers, following a contract signed in September.

The U.S.-based tech firm is currently facing a criminal complaint in Austria for scraping billions of photos of Europeans. The firm has already faced fines from data protection agencies in France, Greece, Italy and the Netherlands.

The fact that the U.S. is actively integrating Clearview AI into its intelligence and border security operations, could create “practical and legal challenges for transatlantic intelligence cooperation and data-sharing agreements, as US agencies’ intelligence collection methods may be viewed as incompatible with EU privacy norms,” according to the Bloomsbury Intelligence and Security Institute (BISI) in London.

Article Topics

biometric data  |  biometrics  |  CBP  |  cross-border data sharing  |  data protection  |  DHS  |  digital travel  |  Enhanced Border Security Partnership (EBSP)  |  Europe  |  facial recognition  |  United States