According to the draft framework agreement on a “border partnership” with the Trump administration, US authorities would be permitted to query not only facial images but also names, health data and sexual orientation from police databases in EU member states.

The European Commission has concluded its negotiations on a framework agreement with the United States on an “Enhanced Border Security Partnership” (EBSP) following the granting of its negotiating mandate last December. The draft has been published by the British civil liberties organisation Statewatch. According to the document, the planned agreement goes considerably further than the US demands that had previously been made public.

The US government had already demanded in 2022 that all participating states in the Visa Waiver Programme (VWP) conclude a EBSP — with a deadline of the end of 2026. The VWP allows nationals from 43 friendly countries to travel to the United States visa-free for short stays of up to 90 days — and vice versa.

Washington is now making continued participation in the programme conditional on the conclusion of the “border partnership”: the participating states are to open their police databases to US authorities. Any country that refuses will lose its visa-free status. The agreement is, according to the draft, to be based on the principle of reciprocity. EU member states would in turn receive access to US databases — provided the US government does not block this.

More than fingerprints and facial images

The draft framework agreement now also refers to using data queries to prevent “persons who pose a genuine risk to public safety or public order” from “remaining” in the United States. This means deportations are also in scope — the kind carried out in their thousands every month by the brutal US immigration enforcement agency ICE. Originally, it was stated that the “border partnership” would only apply to entries into the United States.

Furthermore, it had previously been understood that US border authorities would only seek access to fingerprints and photographs held in police databases of VWP countries. The draft negotiated by the EU Commission goes beyond this, stating that “alphanumeric data for identifying a person, such as first name, surname and date of birth” may also be queried.

Should a query produce a match, the requested authority — in Germany, for instance, the Federal Criminal Police Office (Bundeskriminalamt) — may in turn ask what triggered the interest in the person and request all “alphanumeric and contextual data available at the requesting competent authority relating to the same person.”

Data may be passed on to third countries

Under certain conditions, the draft also permits the transmission of particularly sensitive categories of personal data, including information on “racial or ethnic origin, political opinions or religious or other beliefs, trade union membership” as well as details relating to “health or sexual life.”

The draft even allows data received to be passed on to authorities in third countries or international organisations — albeit only with the prior consent of the transmitting authority. Which third countries might specifically be involved is left open. Candidates could include Interpol as well as close US allies such as the United Kingdom or other Commonwealth states, and Israel, which has concluded its own data-sharing agreement with the United States.

Millions of records affected in Germany

The published framework draft contains no details on which authorities would be entitled to make queries — on the US side, Customs and Border Protection (CBP) and ICE would be the most likely candidates. This is to be regulated in bilateral implementation agreements that each affected state must conclude separately with Washington.

In Germany, this would most likely affect the INPOL database of all federal and state police forces, which currently holds photographs and fingerprints of 5.4 million individuals — more than half of whom are asylum seekers. Even within the EU, there is as yet no mutual direct access to information systems of this scale held by individual member states — which makes the planned agreement with the United States particularly intrusive.

The framework agreement also covers the use of software to generate predictions from queried datasets. Whilst decisions with “significant adverse actions” are not to be taken in a purely automated fashion but must always involve “human participation,” fully automated decisions are permitted where this is “permissible under the respective legal framework of the contracting parties.” Within the EU, this would be ruled out under the AI Act; no comparable legislation exists in the United States.

Limited rights for those affected

The draft also sets out requirements for the logging of “audit activities” by, among others, data protection authorities. The agreement further provides that affected persons may request information about their stored data as well as its correction or deletion.

These rights are, however, subject to restrictions: access may be denied on grounds including national security, the protection of ongoing investigations, or the pursuit of criminal proceedings.

The EU interior and justice ministers will discuss the draft framework agreement at one of their forthcoming meetings. Under the current arrangements, Parliament will not be involved. The final decision on concluding the agreement will then be taken in the Council of the European Union by the 27 member states. Whether this will happen before the summer recess remains unclear. The US government must also give its approval to the draft. Should it do so in time, the agreement could enter into force before the deadline of 31 December 2026.

Image: Aleksey Smagin on Unsplash.