An EU-US accord is under consideration that would significantly alter the way personal data about millions of travelers and migrants could be shared.
The US authorities want direct access to European Union (EU) databases for automatic screening of travelers—a request expected to fuel controversy over privacy concerns and legal questions under EU law.
US pushes for stronger border security partnership
According to a report by Statewatch, the US is proposing a new arrangement called the Enhanced Border Security Partnership (EBSP). Under this accord, the Department of Homeland Security (DHS) would be provided access to biometric records housed in EU national databases.
The US has argued that access is necessary for immigration screening, vetting activities, and authenticating travelers’ identities, including in asylum applications.
Such a proposal has been rejected as it would extend beyond the objectives of data sharing already in place through agreements between the EU and the US.
At the moment, the EU and the US share data under several treaties and arrangements such as the EU-US Umbrella Agreement, but none of them allow for the kind of systematic data exchange with the US that is now being proposed.
The EBSP will become mandatory for VWP countries by 2027. Almost all EU countries form part of the US Visa Waiver Program, allowing visa-free entry to the US.
A document from the Belgian Presidency of the Council of the EU, dated June 2024, stated concerns for the draft deal.
The presidency suspects that the envisaged data exchange would not even be legal according to the laws of the EU and raised questions about how, this way, the EU would manage to fulfill US demands without at the same time violating European privacy regulations.
Privacy advocates also raise an alarm over the possible transfer of sensitive biometric data to the US.
Lack of legal precedent raises concerns
At the heart of the argument, however, is whether or not such an EBSP agreement, if entered into, would be in compliance with existing EU law.
Existing law emphasizes data protection and, unless the conditions for severe securities are upheld, severely curtails the freedom of individual member states to export personal data outside the jurisdiction of the EU.
The General Data Protection Regulation (GDPR) is very granular in terms of the rules surrounding data and how data can be processed, and an EBSP would likely fall afoul of these rules under that framework.
The note from the Belgian Presidency has pointed out that obligations already entered into, such as under the EU-US Umbrella Agreement, could not address what the US is asking for.
The Umbrella Agreement, through which data flows for law enforcement purposes are facilitated, has a narrow scope and cannot be used as a justification for systematic data sharing in relation to routine traveler screening.
The presidency also noted that the current proposal could require the EU to adjust its laws to fit such a deal, something that many inside the EU are loath to think about.
Even more uncertain is the question of which governance level is competent to negotiate the agreement: whether this is a task of the whole EU or one that devolves upon the individual member states.
Some countries in the EU think that the negotiation should remain under national competence, while others say it falls under the jurisdiction of EU institutions.
This disagreement holds up the development of a coherent EU response to the US.
(Image courtesy of cookieone via Pixabay)
EU fears privacy breaches during talks
The idea in itself is raising alarm bells in most EU countries about the very idea of sharing vast personal data with a foreign government.
The main concern is about privacy; in fact, previous data-sharing agreements between the EU and the US have been dismissed by the European Court of Justice.
More specifically, US privacy protections were found not to reach the level required by the EU, and the EU-US Privacy Shield was invalidated in 2020 as a consequence.
Although the US has passed measures like the Judicial Redress Act that would extend at least minimal privacy protection to EU citizens, critics claim it is still far from enough under EU law.
The current proposal on the EBSP touches on those concerns as well, with privacy advocates already warning of mass surveillance and misuse of data.
This tension between national security and privacy rights is hardly novel, but the EBSP represents a ratcheting up of the issue.
Without precedent in its ambit, the real-time access of US demands to biometric data in EU databases has critics fearing that government surveillance will go awry.
Privacy concerns for travelers
The implication of the agreement has profound effects on travelers and the migrants to the EU.
In the short run, the implementation of the agreement may prompt the involved countries to carry out more stringent screening of their travelers when in transit between the EU and the US.
The screening is likely to result in stretching the travel times by the traveling individuals as well as increased private information submitted to the respective authorities. This is further complicated for migrants in the longer term.
The US has asked for access to biometric data not only to be used for screening travelers but also for immigration and asylum purposes.
However, their details will be shared between EU and US authorities in ways that are not yet fully transparent to them.
At issue is the time that these negotiations are taking place. This is because they occur just before the European Travel Information and Authorization System (ETIAS), is implemented. This creates a prerequisite for the non-European Union travelers seeking access to enter the Schengen Zone.
The information would be personal, but under the EBSP proposed agreement, it may entail sharing of the said data with the US.
This has raised concerns over how that data will be protected and whether it could be used for other purposes, other than the one relating to travel authorization.
(Image courtesy of jcomp via Freepik)
Agreement sparks immigration policy concerns
The potential scope of the proposed data sharing agreement, far from affecting travelers only, may extend to restructuring EU immigration policy. Undergoing a spate of increasing immigration, the EBSP might make things even more complex for the EU.
For example, should EU member states be required to share their biometric data with the US, it might have the effect of resulting in the introduction of tighter immigration controls within the EU itself.
Furthermore, the EU governments may come under pressure to standardize their data sharing, eventually resulting in a law that would require systematic sharing of personal data between the EU member states.
It is this issue that the Belgian Presidency flagged up when commenting that the EBSP would “stimulate the formulation of new EU regulations in the area of data exchange.”
The changes could make it easier for EU governments to track and monitor migrants, raising concerns with regard to privacy.
There also arises from this the prospect of third-country data sharing through the two countries into bilateral agreements within the ESPD, which in turn brings further legal and ethical considerations.
At this point, it is not clear whether such a mechanism would be legally permissible according to EU law, but there are already emerging controversies around the proposal.
What comes next
It is yet not clear if the EU would yield to the demands put forth by the US while the negotiations continue. The Belgian Presidency has proposed developing a checklist of concerns, which member states can discuss during their bilateral negotiations with the US.
However, it is still uncertain how it will move forward.
Meanwhile, the EU looks divided on this issue since there are member states who want a common framework and another section that wants individual agreements.
The implications of such talks between the EU and the US are likely to touch upon various stakeholders well beyond just travelers, as broader immigration policies and data protection laws are at stake.
The challenge will therefore lie for the EU in getting this balance right—retaining its strong privacy protections while meeting the demands of the US when it comes to security.
A crossroads for privacy and security
The proposed EU-US data sharing agreement represents a critical moment for both privacy rights and international security.
The agreement could significantly alter how personal data is handled, with major implications for travelers, migrants, and EU immigration policies.
As both sides continue to negotiate, the outcome will likely set a precedent for future agreements on data exchange and could reshape the landscape of privacy law in Europe.