The US seeks access to EU citizens’ biometrics and political data: Brussels is preparing an agreement and talks

Brussels is preparing talks with the United States on a data-sharing agreement that could give American border authorities access to EU citizens’ fingerprints, facial recognition images, and other sensitive personal information. Euractiv reports this.

As claimed, the condition for keeping visa-free travel to the US will be Washington’s implementation of the deal—meaning the US side sets the “rules of the game”.

What is known about the EBSP deal

The proposal concerns the Enhanced Border Security Partnership (EBSP)—a “partnership for enhanced border security”. Under this scheme, each EU member state is expected to sign a bilateral agreement with the US Department of Homeland Security (DHS).

EU countries are expected to open national biometric databases to American border officers, enabling them to verify travelers’ identities and make decisions at the border.

EU ministers approved a negotiating mandate in December 2025. According to information from published materials, there were no substantial objections in principle from governments: the Council’s decision was taken without a separate discussion.

What data could be shared

Under European Commission directives and a draft text obtained by Euractiv, data sharing under the EBSP would involve more than passport information.

The core of the proposal is fingerprints and face scanning. But the draft also includes categories that go far beyond basic identification—data that could indicate ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, as well as details about health or intimate life.

At the same time, the text uses the wording that such data transfer is possible if it is “strictly necessary and proportionate”. For less sensitive categories, exchange could be more automated, while the most sensitive ones would require additional justification—however, specific thresholds have not yet been set and are expected to be discussed during negotiations.

Adam Jukhniewicz, head of Bitcitizen, who previously worked in the US within the DHS and spent 12 years there, called this a “unacceptable logic”: in his view, visa-free travel should not require Europeans to “export” biometrics—an effectively irreversible identifier—into a system where GDPR rights are reduced to a formality.

A deadline that looks like an ultimatum

The US has set a timeline: it is assumed that EBSP agreements should be operational by 31 December 2026. After that date, DHS will assess countries’ readiness as part of reviews under the Visa Waiver Program (VWP).

If a state does not meet Washington’s expectations, citizens could see visa-free travel suspended and would again need visas.

At present, 24 EU countries participate in the VWP. Meanwhile, Bulgaria, Romania, and Cyprus have already been excluded. For the remaining 24 states, the logic—according to the reporting—comes down to a choice: either data sharing, or the risk of visa reintroduction.

The Commission’s mandate includes an approach under which the EU aims to establish a single negotiating framework, rather than leaving each capital to deal with DHS on its own.

As stated in the proposal, the agreement should set out a “legal structure and conditions for information exchange between the competent authorities of EU member states and the United States”.

Algorithms at the border: what could change

Beyond data sharing, the draft also addresses automated decision-making. In its current version, it does not explicitly state a ban on US authorities using algorithms to assess travelers from the EU.

However, decisions that lead to significantly negative consequences for a person should not be made solely through automation unless US domestic law provides another mechanism. In that case, appropriate safeguards would have to apply, including the right to request a human review.

How this will align with the GDPR, which limits automated decisions and extends the regulation beyond the EU, remains unclear in the draft.

Jukhniewicz is critical of these caveats: if an algorithm can “assess” a person and the exception is defined by US domestic law, he argues, then it is not protection—it is a “loophole dressed up as a guarantee”.

Clash with the GDPR and the reaction of oversight bodies

The European data protection watchdog points directly to the complexity of the situation. In a September 2025 opinion, the European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski described the draft as the first EU agreement that assumes large-scale personal data sharing—including biometrics—with a third country.

It is also noted that data processing under the agreement must not go beyond strictly necessary and proportionate limits.

Still, the question remains whether this standard will hold up during negotiations amid parallel US initiatives that involve collecting, in particular, five years of social media activity history for all VWP participants. In a separate proposal, CBP (the US Customs and Border Protection) public comments reportedly ended on 9 February 2026.

Jukhniewicz describes the overall model in blunt terms: “a classic American trade”—convenience now, responsibility later. In his view, “later” may in practice never arrive with the US side.

He also highlights asymmetry: the US, he says, would not agree to the reverse scenario where the EU would receive comparable access to data. In the end, he argues, Europe keeps the “boarding pass”, Washington keeps the data, and the traveler carries the risks.

Political pushback: for now, it’s quiet

MEP Raquel García Hermida-van der Wal of Renew Europe sent written questions to the Commission and to EU capitals. The questions concern why negotiations on sensitive data are starting at a time of heightened tensions on both sides of the Atlantic.

At the same time, according to Statewatch, resistance remains limited: no principled objections from member states have reportedly been raised. Some countries, however, have expressed concerns about timelines, the legal basis, and compliance with data protection requirements.

Why this could take years

Lawyer David Lesperance (Lesperance & Associates) urges not to treat EBSP as an inevitable reality. In his view, this is only an early stage: many legal and practical issues still need to be solved, including alignment with the GDPR and the implementation mechanics.

Lesperance notes that similar initiatives do not unfold quickly in practice. As an example, he cites the Western Hemisphere Travel Initiative, launched after 9/11: full implementation took around five years, and the final stage affected land and sea borders only in June 2009.

He also adds that it is unrealistic to assume DHS leadership will necessarily change by the time the system is rolled out—timelines for such projects often go beyond expectations.

Jukhniewicz, however, does not think the outcome becomes less risky even with long timelines. Based on his observation of how large data sets are handled in public institutions, the risk “spreads”: if DHS stores significant volumes of EU travelers’ data, real technical controls are needed, along with “hard” audit logs and effective rights-protection mechanisms. In his opinion, committee meetings cannot compensate for harm to those affected.

A broader trend: tougher cross-border data exchange

EBSP does not exist in a vacuum. It is part of parallel US steps to expand the amount of data collected about international travelers.

In proposals to reform the Electronic System for Travel Authorization (ESTA), social media disclosures could become mandatory. Additional fields are also planned relating to biometrics, family contacts, and email addresses—potentially collected for up to 10 years.

Several EU countries have already issued warnings to travelers going to the US, including Ireland, the Netherlands, Denmark, Germany, and Finland.

On the European side, its own biometric infrastructure is also developing. For example, the Entry/Exit System (EES) at Schengen borders records fingerprints and face scans for non-EU citizens. Phased implementation began in October 2025, with full rollout at all external borders planned for 10 April 2026.

A similar pre-screening system to ESTA—European Travel Information and Authorization System (ETIAS)—is expected to launch toward the end of 2026, with mandatory use planned from 2027. In this way, both sides are building databases on movement and identity data, and EBSP could become a “linking element” between some of them.

Our Telegram channel about various types of Greek residence permits, digital nomad programs, and the Greek Golden Visa: @digitalnomadgr