Issue Brief March 25, 2026 • 2:00 pm ET

Negotiating an EU-US biometric information-sharing agreement

By Kenneth Propp

Bottom lines up front

  • The US and EU are negotiating a biometric data-sharing agreement to allow DHS access to EU member states’ fingerprint and other biometric databases.
  • The EU has never before agreed to provide a non-EU country large-scale access to Europeans’ personal data for purposes of the foreign country’s border security.
  • The EU aims to secure limits on bulk data collection, human oversight of automated decisions, and reciprocal access to US databases.

The Trump administration has taken adversarial and unconventional approaches with European allies on subjects ranging from trade to content moderation, but in another important area the United States is proceeding more traditionally. The subject is politically controversial: biometric information sharing for purposes of border security. In late January, European Union officials flew to Washington to start low-key formal talks with the Department of Homeland Security (DHS) aimed at an international agreement. Despite the sensitive nature of the endeavor, EU member states and the European Data Protection Supervisor have endorsed it. 

Why is the United States taking a consensual approach with Europe on border security information sharing, and why is the European Union so far willing to accommodate? Why is this agreement on a fast track in Washington and Brussels when law enforcement initiatives such as the projected EU-US CLOUD Agreement have been paused by the Trump administration? Is the border security information-sharing effort a one-off or could it be a harbinger of a return to traditional transatlantic legal diplomacy?

DHS seeks enhanced border security partnerships

DHS operates an international biometric information-sharing program to assist in “assessing the eligibility or public security risk of individuals seeking an immigration benefit or encountered in the context of a border encounter or law enforcement investigation related to immigration or border security issues,” according to the department’s privacy impact assessment (PIA). The program entails “automatic comparison of the fingerprints collected by DHS or a foreign partner on international travelers, suspected criminals, asylum seekers, irregular migrants, refugees, [and] applicants for visa and/or immigration benefits,” the PIA states. Biometric identifiers potentially include facial and iris scans and DNA, as well as traditional fingerprints.

In 2022, DHS decided that all forty-three countries that benefit from visa-free entry to the United States through the Visa Waiver Program (VWP) must conclude agreements, dubbed enhanced border security partnerships (EBSP), enabling DHS to screen their biometric records for immigration or border security purposes. When DHS queries a name against a foreign state’s identity records and it yields a match, DHS automatically receives the responsive biometric data. Other identity information also could be conveyed by the foreign state. In the absence of a match in the foreign database, no fingerprints or other biometric information would be supplied to DHS.

Shared competence: EU and member-state roles

Twenty-four of the EU’s twenty-seven member states (all but Bulgaria, Cyprus, and Romania) participate in the VWP; they comprise more than half of all VWP members globally. Each EU state maintains its own national biometric information records for border purposes. Thus, DHS could take an important step toward fulfilling the overall EBSP goal by reaching biometric information-sharing agreements with these EU countries.

The EU, for its part, also has two relevant responsibilities: setting rules protecting personal data transferred outside its territory, per Article 16(2) of the Treaty on the Functioning of the European Union (TFEU); and setting common policy on visas and external border checks, per Article 77(2) TFEU.

As popular sentiment for stricter border controls has swelled across Europe in recent years, the EU’s policymaking role in this area has become more prominent. In the past year, it has finalized a Pact on Migration and Asylum, a new set of rules on managing migration and asylum applications. In addition, new systems for tracking the entry and exit of foreign travelers and collecting the personal data of those entering EU territory on a visa-free basis are being put in place. These new systems show the EU moving in a similar direction as the United States in collecting information on foreign visitors.

DHS’s demand for biometric information-sharing agreements with EU member states thus touches on an area of “mixed” competence, i.e., one shared between the EU and its member states. In such a situation, the EU and its member states had to decide who would be responsible for negotiating with the United States.

The question took time to resolve. Only in 2024 did the Council of the European Union—which comprises the member states’ national ministers—invite the European Commission to develop a mandate for an international agreement at the EU level. Member states reportedly were eager to bring the collective negotiating strength of the EU to the table with the United States, rather than facing Washington individually.

A year passed before the Commission presented its draft negotiating mandate. It did so based on the understanding that the agreement sought by the United States related to the VWP and thus fell within the EU’s visa policy competence. Negotiations between the Council and Commission on the final contours of the mandate ensued during the second half of 2025.

Finally, in December 2025, the Council adopted a decision authorizing the negotiation of an EU-level “framework” agreement with the United States. The framework would provide an overall legal structure for EU member states to conduct bilateral information exchange with DHS, setting the general conditions under which EU member states could provide biometric information to the US border agency. Each eligible member state subsequently would conclude an implementing agreement or arrangement with DHS identifying its relevant databases and operationalizing the data transfers.

Other relevant EU-US agreements

Over the past two decades, the EU has entered into a series of law enforcement and security information-sharing agreements with the United States—ranging from airline passenger name records (PNR) data to financial messaging data (via SWIFT) to mutual legal assistance in criminal matters. DHS is the principal beneficiary of PNR data sharing; the US Department of the Treasury receives SWIFT data used in tracking terrorist finance; and the Department of Justice manages information exchanged for criminal investigations and prosecutions. The United States and the EU also have concluded an agreement elaborating the data protection safeguards that must accompany transfers for law enforcement purposes, the so-called Umbrella Agreement.

In addition, DHS already enjoys access to foreign biometric and biographic data for purposes of preventing and combating serious crime (referred to as PCSC agreements), under a separate negotiating program that commenced in 2009. This earlier generation of agreements assists DHS in border encounters with persons suspected of terrorism and other serious offenses, but they do not apply to all foreign persons seeking to enter the United States.

The EU at that time had also sought to negotiate a PCSC agreement collectively on behalf of its member states, but DHS rebuffed Brussels and instead chose to negotiate individually with each EU member, believing the agency would have better leverage that way. The first two PCSC accords were concluded with Greece and Italy, and eventually all the European participants in the VWP program reached agreements as well.

An EU-level agreement on broad-scale border security information-sharing cooperation with the United States would represent a novel departure for Brussels. “It would be the first agreement concluded by the EU implying large-scale sharing of personal data, including biometric data, for the purpose of border and immigration control by a third country,” the European Data Protection Supervisor has observed.

This time, DHS appears to have appreciated the relative speed and efficiency that comes from negotiating one uniform set of access conditions that will apply to all EU VWP participants. The EU and its member states, meanwhile, seem to have reached a sensible division of labor that respects member states’ prerogatives for controlling their own biometric information databases and for managing technical interactions with DHS.

EU negotiating goals

One major EU ambition in setting the rules and procedures governing DHS queries is to preclude generalized processing of all travelers’ data. A Commission press spokesman emphasized the “non-systematic nature of the information exchange and that the exchange is limited to what is strictly necessary to achieve the objectives of this cooperation.”

The EU mandate further stresses that the EU seeks an agreement that would be reciprocal in nature, enabling member states’ border authorities to query corresponding DHS databases. A leaked Council presidency working paper suggested that a monitoring mechanism should ensure reciprocity in implementation: “Information on member states’ citizens should be exchanged under the framework only if the U.S. exchanges information on American citizens.”

It is not clear that the United States and the EU are entering into these negotiations with entirely congruent views on the scope of the framework agreement. DHS envisages checking the biometric databases of travelers from VWP countries on a routine basis. However, the European Commission, as noted above, views the information exchange as “non-systematic.”

In addition, the US international biometric information-sharing program envisages access to foreign databases “in the context of a border encounter or law enforcement investigation related to immigration or border security issues,” according to the DHS Privacy Impact Assessment (italics added). The EU mandate, by contrast, concentrates on security screening and identity verification at the border, with subsequent law enforcement data access to be exclusively governed by other bilateral agreements. 

The EU’s data protection rules are its main tool in ensuring that information conveyed to DHS pursuant to the EBSP agreement remains targeted. For example, the negotiating directive insists that processing of personal data be limited to what is “necessary and proportionate in individual cases.” Necessity and proportionality is a key concept in EU data protection law, including in the Schrems jurisprudence of the European Court of Justice, albeit one that is hard to define a priori.

The EU also seeks to include other traditional data protection safeguards in the EBSP agreement with the United States, according to press reports. One reported provision would require human involvement in decisions having significant adverse effects on individuals, rather than permitting entirely automated decision-making. Another would allow for the transfer of “special categories” of personal data—such as sensitive data regarding political opinions, religion, and sexual orientation—only when necessary and proportionate to prevent criminal or terrorist offenses, and with additional protections that limit the universe of individuals who may access it and the duration of retention. Onward transfers of foreign-supplied biometric data to third countries would require the explicit consent of the country from which the data originated.

According to the European Commission version of the negotiating mandate, the EU also seeks to limit DHS retention of transferred personal data to cases of “travelers in respect of whom there is objective evidence from which it may be inferred that there is a continuing risk to public security or public order.” In other words, DHS would not be permitted to store fingerprint data supplied by EU VWP countries on a generalized basis; it could do so only if it has reason to believe that the person would continue to be a threat—a difficult prediction for a security agency to make at the time of the initial border encounter.

The European Data Protection Supervisor stated in his opinion that he “largely supports” the proposed approach with the United States. At the same time, he pointed to certain information-sharing constraints the EU would face. Two important EU data repositories prohibit sharing of information with third countries: Eurodac, which contains biometric information on persons who have applied for refugee status in an EU member state or otherwise have migrated irregularly, and ECRIS, which links together member-state records of third country nationals with criminal convictions within the EU. However, the member states themselves regard the exclusive focus of negotiations with the United States on national databases as “without prejudice to any further reflections on the possibility for information exchange with selected third countries from EU databases,” the leaked Council presidency document suggested.

Finally, the EU mandate also seeks the right to an “effective remedy” for persons whose information has been transferred to DHS. This principle, enshrined in the EU Charter of Fundamental Rights, consistently has proven very difficult to resolve in past EU information-sharing agreements with the United States.

Major issues and possible solutions

The existing web of EU-US information-sharing agreements offers valuable precedents for the latest negotiation on access to biometric data for border security purposes. The PCSC agreements, for example, can provide a template for structuring technical interaction between DHS and EU member-state databases. Equally, the types of data protection provisions contained in the law enforcement Umbrella Agreement could be mirrored in the EBSP agreement, even if the former cannot directly be applied to the border security context.

Remedies for misuse of information likely will prove more difficult to resolve. The Data Privacy Framework (DPF), which offers safeguards against illegal US intelligence agency access to personal data transferred from Europe in the commercial context, provides redress in the form of a special tribunal established within the US Department of Justice. Europeans may not petition an ordinary US court if they believe a US intelligence agency has improperly used their data, however. The Court of Justice of the European Union has yet to decide if this specialized form of recourse meets EU fundamental rights standards.

By contrast, the EU did secure US judicial redress for EU citizens whose information is exchanged for law enforcement purposes, under the terms of the EU-US Umbrella Agreement. It took a US statutory change, through the adoption of the Judicial Redress Act, to extend such a right to foreign persons. (The US Privacy Act otherwise limits the right of judicial redress only to US individuals.) Extending this right to Europeans whose biometric data is transferred to DHS for the purposes of border security—as opposed to law enforcement—likely would require a further US statutory amendment. Persuading Congress of the necessity of such a change would be challenging.

The necessity and proportionality concept in EU fundamental rights law serves as a legal technique for balancing data protection rights with legitimate public order and public security interests. In the DPF, the United States accepted explicit reference to the EU’s necessity and proportionality standard—in a sensitive context dealing with potential intelligence agency access to personal data. Incorporating this concept in the border biometric information-sharing setting could similarly assure the EU and its member states that DHS is not engaged in mass data collection.

DHS faces a complex legal situation in pursuing negotiations involving both the EU and its member states. It is consistently difficult for a US government negotiator to be certain where a particular responsibility lies within the EU’s confederal system. In this case, the task is complicated by the cumbersome division of competences for visa and border policy.

In addition, since DHS seeks information for not just border security but also related law enforcement purposes, it must engage with two separate and varying sources of EU data protection law. Data protection rules for immigration control and visa policy are governed by the General Data Protection Regulation, while the rules for protecting law enforcement data fall under a separate directive.

Political factors in Europe also could slow completion of the agreements with the United States. Some members of the European Parliament who belong to the liberal Renew parliamentary group wrote to the European Commission in January, stating: “Looking at the current geopolitical context, we consider it undesirable for the European Commission to start or continue such negotiations.” Although the European Parliament does not have the power to stop the negotiations, it must approve any international agreement that the EU reaches with the United States.

The Trump administration’s removal of Democratic members serving on the Privacy and Civil Liberties Oversight Board (PCLOB) and on the Federal Trade Commission (FTC) has undermined confidence in European privacy circles in US institutions charged with privacy protection. Moreover, DHS’s proposed rule requiring visitors to the United States to supply five years of details on their social media activity has generated widespread outrage abroad. Although this initiative is formally separate from the VWP program, the European public might well conflate the social media and biometric information demands of the United States.

DHS’s goal of wrapping up both the EU framework agreement and, subsequently, the twenty-four implementing agreements with EU member states by the end of 2026, as has been reported, will likely prove overly ambitious. A more achievable ambition would be to complete the EU framework by that date, with the necessary member-state implementing agreements following afterward. (The leaked Council presidency document sternly states that it considers “Member States’ commitment to refrain from bilateral negotiations with the US while material discussions on the framework are ongoing to be of critical strategic importance.”)

Nevertheless, there is reason for optimism that the US-EU engagement on border security biometric information sharing will yield success. Both sides appear to have entered talks pragmatically, the EU and its member states by agreeing on a sensible division of labor between themselves, and the United States by accepting the practical benefits of negotiating with both Brussels and member-state capitals. Each is impelled by a desire to have greater control of its borders and sees reciprocal information sharing as a promising approach. However, flexibility on both sides will be indispensable to overcoming divergent positions on issues such as remedies.

Further, by winning support in principle for the framework agreement from the EU’s data protection supervisor, the EU already has shown its commitment to achieving a broadly acceptable agreement. Europe’s collective approach to these negotiations also reflects a sober appreciation of power realities. EU citizens value the ease of visa-free travel to the United States, so member states ultimately will do what is necessary to retain VWP status, within the confines of fundamental rights.

Finally, the EU’s decision to take a leading role in the EBSP negotiations reflects its increased institutional maturity and importance in the field of border security. DHS’s willingness to pursue a framework agreement with the EU may show a corresponding recognition of Brussels’ growing role in this area. As popular sentiment has converged in Europe and America on more tightly controlling borders, there is now an opportunity to achieve a balanced transatlantic agreement on sharing information to that end.

About the author

Kenneth Propp is a nonresident senior fellow with the Atlantic Council’s Europe Center, an adjunct professor of European Union law at the Georgetown University Law Center, and a senior fellow with the Cross-Border Data Forum. His prior experience includes serving as legal counselor at the US Mission to the European Union in Brussels and in the Office of the Legal Adviser at the US Department of State. 


Image: The departures board at Fiumicino Airport in Rome on March 28, 2024. (Photo by Jakub Porzycki/NurPhoto via Reuters Connect)