EU mandate enables US access to European biometric databases

Brussels (Brussels Morning Newspaper) – 12 January 2026 – EU member states authorised the European Commission to negotiate with the United States on sharing biometric and sensitive personal data from European citizens under Enhanced Border Security Partnerships. The arrangement links data exchanges to maintaining visa-free travel privileges, potentially covering information on political views, health conditions, and sexual orientation alongside biometrics. Legal experts highlight a lack of public clarity on limitations and safeguards in the negotiation mandate adopted last month.

The Council granted the Commission its mandate in December 2025 under Denmark’s presidency, just before Cyprus assumed the rotating EU leadership on 7 January 2026. Negotiations aim to establish an EU-wide framework, followed by bilateral agreements between individual member states and Washington specifying accessible databases and data categories. Two Council officials stated the unpublished mandate limits exchanges to travellers’ information only.

Observatory highlights growing expert warnings, Digital Watch Observatory (@DigWatchWorld) said in X post,

“Concerns grow over planned EU-US biometrics deal Experts warn unclear safeguards could broaden access to sensitive personal data.”

Concerns grow over planned EU-US biometrics deal

Experts warn unclear safeguards could broaden access to sensitive personal data.https://t.co/wRBDnK8CGL#dwobservatory #dwnews #digwatch

— Digital Watch Observatory (@DigWatchWorld) January 12, 2026

The Commission’s draft directives reference data exchanges for traveller identity verification and assistance to competent authorities in preventing crime and terrorism. This broad phrasing prompts questions about coverage extent.

Expert Critique of Negotiation Mandate Clarity

Niovi Vavoula, associate professor in cyber policy at the University of Luxembourg, identified gaps in public understanding of the proposal’s parameters. She stressed the need for defined scope, stating, “There needs to be at least an understanding of what we’re talking about.” Vavoula noted uncertainty over affected individuals, warning, “There doesn’t seem to be any limitation as to who is going to be covered.”

The expert raised additional queries about the Council’s final mandate, adopted before Cyprus took over. Vavoula remarked, “There are a lot of questions.”

Privacy analyst flags visa linkage implications, Kohei Kurihara – Privacy for all together (@kuriharan) said in X post,

“Check it. EU weighs biometric data access deal with US as price of visa-free travel.”

Check it. EU weighs biometric data access deal with US as price of visa-free travel https://t.co/SPFO2AjRYV via @BiometricUpdate #tech #digital #privacy #crypto #ai

— Kohei Kurihara – Privacy for all together 🌍 (@kuriharan) January 12, 2026

Data Categories Under Consideration for Exchange

Potential transfers include biometrics such as fingerprints and facial scans, alongside sensitive attributes like ethnic origins, political opinions, religious beliefs, genetic data, health conditions, and sexual orientation. Washington conditioned visa-waiver programme continuity on such access several years ago. Exchanges target national databases rather than central EU systems.

Member states determine specific databases and categories during bilateral phases. The framework sets overarching terms for these arrangements.

US Demands Tied to Visa Waiver Programme Maintenance

The United States requires data-sharing commitments from all 41 Visa Waiver Programme participants, including 24 EU states excluding Bulgaria, Cyprus, and Romania. Denmark and Ireland operate under special EU protocols. Enhanced Border Security Partnerships formalise reciprocal exchanges for immigration screening and vetting.

US Customs and Border Protection seeks operational capability by year-end 2026, aligning with EU Entry/Exit System rollout.

Council Negotiation Mandate Confidentiality Practices

EU Councils withhold mandates from publication to maintain negotiating leverage. Outsiders cannot independently verify traveller-only restrictions claimed by officials. Cyprus Presidency coordinates during its January 7 to June 30, term. The approach follows precedents in transatlantic pacts like PNR agreements.

European Commission Statements on Data Safeguards

A Commission spokesperson affirmed that the mandate incorporates “clear and robust safeguards on data protection.” Scope, content, technical modalities, and biometric exchanges remain under negotiation, with purpose limitations required. Final agreements mandate GDPR compliance, data retention limits, and proportionality.

Bilateral Agreement Phase Following EU Framework

Post-framework adoption, capitals negotiate directly with Washington. Each specifies shared data from domestic repositories. Arrangements accommodate national legal frameworks and sensitivities. Denmark’s presidency document outlined this structure, prioritising national over EU databases initially.

Cypriot Presidency Position on Negotiation Parameters

Cypriot officials reiterated that biometric specifics emerge through dialogue with defined safeguards. Purpose limitations restrict uses to verified objectives. The presidency emphasises EU data protection standards throughout. Statements align with Commission positions on robustness.

European Data Protection Supervisor Recommendations

The European Data Protection Supervisor endorses the framework with conditions for narrow data definitions limited to actual US travellers. Comprehensive safeguards address privacy interferences from biometric transfers. GDPR, Law Enforcement Directive, and Charter of Fundamental Rights apply fully.

Connection to Broader EU Border Management Systems

Negotiations coincide with Entry/Exit System phased rollout from late 2025 to April 2026, capturing non-EU traveller biometrics. ETIAS pre-travel screening complements data flows. US plans expand biometric collections via mobile applications. Trends reflect intensified traveller data gathering across jurisdictions.

Precedents in EU-US Data-Sharing Arrangements

Privacy Shield successors and PNR pacts established cooperation models. Biometrics escalate into physical identifiers beyond textual data. Statewatch documented ministerial approval of the mandate. Watchdog analysis highlights sensitive traveller data expansion.

Academic Perspectives on Transatlantic Data Flows

Vavoula’s University of Luxembourg research informs cyber policy debates. Similar concerns arose during ETIAS implementation. Scholarship tracks GDPR-third country reconciliation challenges. Questions centre on retention, access controls, and redress mechanisms.

Operational Timelines for Framework Implementation

Commission-US talks commence immediately post-mandate. Bilateral phases follow consensus. Ratification varies by member state procedures. US targets end-2026 functionality amid EES alignment.

Technical Standards and Transmission Protocols

Agreements specify secure channels for biometric transfers. AI Act considerations apply to processing. Deletion protocols activate post-screening. Proportionality governs data volume and duration.

Exclusions from Visa Waiver Data Commitments

Bulgaria, Cyprus, and Romania face separate US arrangements outside the framework. Denmark and Ireland maintain opt-out statuses per treaties. Core 24 EU states anchor the initiative.

Public and Stakeholder Consultation Precedents

Mandate development incorporated member state inputs pre-adoption. Transparency limitations persist during active negotiations. Post-agreement parliamentary scrutiny applies.