Behind closed doors, negotiations are under way on an agreement that could fundamentally reshape transatlantic co-operation in internal security. At its core is access for US authorities to European fingerprints and other biometric data.
What at first glance sounds technical and dry touches central questions of freedom, privacy and state power. The United States is seeking direct access to national databases of European states under its so-called Enhanced Border Security Partnerships (EBSP). The programme is run by the US Department of Homeland Security (DHS) and is designed, through bilateral or multilateral agreements, to encourage closer co-operation on border security and counter-terrorism.
The data in question include fingerprints, facial images and other identifying features. The European Union (EU) granted a mandate for negotiations only at the end of 2025. If concluded, the agreement would be the first to allow a third country broad access to the personal data of European citizens.
The United States is exerting significant political pressure during the talks. Participation in the Visa Waiver Program, which allows visa-free travel to the US, is in practice being linked to the proposed co-operation. The arrangements are expected to be finalised by the end of 2026, with citizens of European states facing the loss of a key travel privilege if they are not agreed.
Fingerprints and data scale
At the centre of the proposal lies a technical procedure that may appear harmless at first sight. US authorities would send biometric data about a person to the country of origin and, in the event of a match, receive additional information in return. With millions of travellers, this would inevitably create a system of constant queries. It requires little imagination to see how such a structure could evolve into comprehensive surveillance.
The scope of the data adds to the concern. Beyond fingerprints and photographs, draft texts under discussion also cover sensitive information, including political views, trade union membership or details of private life. Such data enjoy particularly strong protection under European law. Their transfer to a third country is regarded as exceptional and would require strict justification.
In this context, a fundamental difference emerges between Europe and the United States. In the European Union, the General Data Protection Regulation (GDPR) provides a comprehensive framework binding the processing of personal data to clear principles. These include purpose limitation, data minimisation and the right of access and erasure.
Data may be collected only for a justified purpose and limited to what is strictly necessary, for example to conclude a transaction. Citizens of EU member states have the right to obtain information about stored data and to request deletion when continued retention is no longer necessary. Within this framework, law enforcement access to collected data is far more tightly circumscribed and in most cases subject to judicial oversight.
No comparable US data protection framework
By contrast, the United States has no comparable single data protection regime. Security authorities operate with broader discretion, particularly in immigration and border control. Data may be used more widely and stored for longer. Legal protection for European citizens is limited, as there is no general right of access or erasure. In practice, effective correction or deletion of incorrect data is difficult to enforce.
The transatlantic gap shapes the negotiations. The EU is seeking guarantees, including human oversight of automated decisions and clear limits on onward data sharing. In the United States, AI applications can already support automated executive decisions. Reciprocity is also under discussion. European authorities would likewise gain access to US databases, although whether Washington is prepared to allow this remains unclear.
Alongside privacy, data security is moving into focus. The more systems are interconnected, the larger the attack surface becomes. A breach in one place can cause far-reaching damage. Biometric data are particularly sensitive. Unlike a password, fingerprints cannot be changed. If they fall into the wrong hands, the consequences are permanent.
The issue extends far beyond state systems. Fingerprints already serve as access keys for smartphones, online banking and digital identities. If such data are compromised or wrongly assigned, the result may not only be travel difficulties but also financial harm. Both identity theft and manipulation can have serious consequences. Crimes committed under a false identity may carry existential repercussions for innocent citizens.
Risks from data aggregation
The aggregation of data creates further risks. Systems originally designed for border control could later be used for entirely different purposes. Draft proposals already indicate that data use would not be limited strictly to individual cases. Automated analysis and algorithmic assessments would also be possible. Participants in a demonstration, for example, could be identified through comparison with biometric databases.
US Customs and Border Protection (CBP) works with Clearview, a controversial American biometric company known for scraping billions of images from the open internet – a process that automatically extracts images from websites. Combined with EU data, those of European citizens could then be linked to identities and political views.
Another critical issue is the lack of transparency. Negotiations are proceeding largely without public debate. National parliaments and the European public have so far received only fragmentary information about what data might flow in future.
The development reflects a broader global trend. Security policy and data policy are increasingly merging. States are building ever larger data environments and seeking to connect them internationally. For citizens, this means growing invisibility of state intervention in private life, with intrusions expanding and potentially reaching into every sphere.
Whether the planned agreement will ultimately be concluded remains open. It would recalibrate the balance between freedom and security in an international context. With the GDPR, Europe created an extensive data-protection regime – one that such an agreement could undermine. The question now facing Europe is how much of its data-protection principles it is willing to concede in the name of transatlantic co-operation.