The European Union and the United States are negotiating a border-security agreement that would give U.S. authorities access to information stored in EU member states’ national databases, including biometric databases, as part of continued participation in the U.S. Visa Waiver Program.
The European Parliamentary Research Service says the agreement would need approval from both the Parliament and the Council. The proposed agreement sits under the U.S. Enhanced Border Security Partnership program (EBSP).
A condition for visa-free travel
The European Data Protection Supervisor (EDPS) said the United States made an EBSP agreement with the Department of Homeland Security a condition for admission to, and continued participation in, the Visa Waiver Program, which lets participating countries’ citizens travel to the U.S. visa-free for up to 90 days for tourism or business.
Adding pressure, the EDPS said the United States has set Dec. 31, 2026, for Visa Waiver Program countries to conclude EBSP agreements. A Council note says DHS is expected to assess compliance with the EBSP requirement as part of continued participation in the program.
Australian records released under freedom of information show the requirement is not confined to Europe. A February 2026 briefing said DHS introduced EBSP for Visa Waiver Program countries in 2022 and sought access to partner-country biometric records by Dec. 31, 2026.
The scope of data exchange
The EU negotiating directives describe a system based on travel-document identity information and fingerprints. They also allow supplementary information under safeguards, and say exchanges may include citizens, family members and permanent residents where strictly necessary and proportionate for crime or terrorism cases.
The Commission’s annex says the agreement should identify the databases and types of data that would be subject to access, while also requiring purpose limitation, storage limits, accuracy rules, breach safeguards and oversight.
Strict limits on sensitive categories
The same annex allows transfer of special categories of personal data only where strictly necessary and proportionate in individual cases. Those categories include biometric identifiers, genetic data, health and sexuality data, and data revealing race, ethnicity, political opinions, religion or trade-union membership.
The proposed safeguards also prohibit fully automated decisions without human involvement, restrict onward transfers to other U.S. authorities and bar onward transfers to third countries or international organizations.
Where the legal risk sits
The EDPS called the proposed agreement a first for the EU: large-scale sharing of personal data, including biometric data, for border and immigration control by a third country. The EDPS also noted that the Commission recommendation was not accompanied by an impact assessment, despite the expected effect on privacy and data-protection rights.
The EDPS backed a common EU-U.S. structure in principle because it could create Union-level safeguards, but its opinion narrowed the unresolved issues. It urged the Commission and Council to define the personal scope and data categories as tightly as possible, conduct a fundamental rights impact assessment and treat the seriousness of the data sharing as comparable to law-enforcement exchanges.
The EDPS also warned that the directives do not make clear whether supplementary information would be requested in all matches or only in law-enforcement cases.