Biometrics Deal: EU Council Paves Way for US Data Exchange

Behind closed doors and "without further debate," EU ministers on Wednesday at the General Affairs Council meeting made a far-reaching decision. They authorized the start of negotiations with the USA on a framework agreement in line with the "Enhanced Border Security Partnership" sought by Washington. The aim of this long-controversial Enhanced Border Security Partnership (EBSP) is to grant US authorities direct and far-reaching access to biometric data stored in the police databases of EU member states.

In return, the EU is now seeking comparable access to US datasets. A document drafted by the Danish Council Presidency, published by the British civil liberties organization Statewatch, outlines the corresponding strategic roadmap for this transatlantic data deal.

The planned agreement is intended to create the legal basis for the exchange of information that explicitly includes biometric characteristics. Officially, this serves to verify the identity of travelers. The aim is to ascertain, it is stated, whether their entry or stay poses a danger to public safety or order. The Danish Council Presidency emphasizes the fight against irregular migration as well as the prevention and detection of serious crimes and terrorist acts in the context of border management.

National Data First, EU Central Register Later?

The technical structure is important: According to the outline, the framework agreement itself does not yet allow US authorities direct access to European servers. It merely forms the legal umbrella under which individual EU states could conclude bilateral agreements with the USA. These fine-tuning details would then specify which specific databases are opened for exchange and which national legal requirements apply. In principle, the EU countries recently signaled: They have no fundamental problem with US law enforcement agencies accessing their national databases for threat prevention.

The long-term perspective opened up by the Danish document is noteworthy. Initially, the focus is on the national databases of the member states. However, the text leaves the door open for a later expansion. The Council Presidency considers it desirable to also examine data exchange from central EU databases with selected third countries in the future. Who these partners might be remains vague. However, the USA's interest in central European registers has been documented for a long time. The EU had previously rejected similar demands from Great Britain.

Regarding data protection, the negotiating mandate reads as strictly compliant. The agreement is intended to reflect EU standards, particularly the Charter of Fundamental Rights, the General Data Protection Regulation (GDPR), and the AI Act. The Council Presidency promises clear purpose limitations and safeguards against mass data transfer. Critics, however, assess these assurances as hollow. They repeatedly point out that the level of data protection in the USA does not meet European standards.

Washington Demands Social Media Insights

According to Statewatch, the EU's argument is complicated by the fact that it is currently also weakening the protective provisions of the GDPR and the AI Regulation. Furthermore, legal challenges are looming: Lawsuits against the existing data protection framework between the EU and the USA are already occupying the courts. Concerns about politically motivated misuse of data by US agencies such as the Immigration and Customs Enforcement (ICE) are growing.

In parallel, Washington wants to create facts on the ground. The US Customs and Border Protection plans a massive expansion of data collection from travelers. According to US civil liberties advocate Edward Hasbrouck of the California Identity Project, a comprehensive set of biometric identifiers is to be collected, which could include iris scans and even DNA samples in addition to facial photos and fingerprints. A proprietary smartphone app is planned for implementation, which demands extensive access rights to the users' hardware.

This effort is flanked by demands for a complete digital history: Travelers are to disclose their social media activities of the past five years, among other things. In addition, according to the Trump administration's plan, phone numbers, email addresses, and metadata from photos are to be provided. Even the most intimate information about family members – from birth dates to places of residence – is on the wish list of US investigators. In this conflict between security policy willingness to cooperate and the protection of privacy, the emerging EBSP negotiations are likely to put the EU side to a severe test.

(kbe)