29 August 2024
US authorities are demanding direct access to EU member state databases for “routine traveller screening” in return for ongoing visa-free travel to the US. The demands fall outside the scope of existing EU-US agreements on the exchange of personal data. The Belgian Presidency of the Council of the EU suggested a new international treaty may be needed to facilitate the transfers – but also questioned whether the data exchange proposed by the US “is even possible under the EU-legislation.”
Image: Alex Proimos, CC BY-NC 2.0
Border security partnership
For at least the last two years, US authorities have been touting new “Enhanced Border Security Partnership” (EBSP) agreements that would give the Department of Homeland Security (DHS) access to:
“…biometric records in national databases through real-time information sharing for the purpose of immigration screening and vetting activities, in order to authenticate travellers’ identities, including in the context of applications for asylum in the U.S.”
As of 2027, signature of an EBSP agreement will be a requirement for continued participation in the Visa Waiver Programme (VWP), under which citizens of participating states do not need to apply for a visa to travel to the US. Almost all EU member states are covered by the VWP.
According to a document (pdf) circulated by the Belgian Council Presidency in June, these demands are likely to require a new EU-US treaty, as existing agreements do not cover the data exchanges proposed – but the former Presidency’s paper also questions whether the US proposals would be possible at all under EU law.
Whether they are deemed legal or not, the prospect of a new agreement for the systematic exchange of data on people travelling from the EU to the US is likely to prove controversial amongst privacy and data protection advocates.
“Way forward”
The document, sent to the Permanent Representatives Committee (made up of EU member states’ ambassadors), begins by giving an overview of the last two years of discussions on the EBSP proposals.
In meetings of the Council’s information exchange working party (IXIM) in 2022 and 2023, “delegations regularly exchanged information on their bilateral contacts with the US on EBSP,” says the document.
“This gave a better picture of the US’ data exchange requirements, which were not identical for all Member States,” it goes on to note, with the US adapting its requirements “to their national situation”.
At the same time, the Commission was engaged in a “proof of concept” exercise with the DHS, which the Belgian Presidency’s note says was “intended to serve as a basis for discussions among the European Union (EU), its Member States and the US authorities to determine the opportunities and limitation in relation to the intended information sharing.”
A request to the Commission from Statewatch for documents on the proof of concept was denied on the grounds that their release would undermine public security and international relations.
Whatever the outcome of the exercise, the Belgian Presidency’s note suggests that the EU and its member states were still left in the dark about the US’ intentions.
“Despite attempts over the last two years to gain insight into the situation, including interventions by the Council Legal Service and the Commission during IXIM-meetings on different aspects, no further concrete steps were identified.”
Competence competition
The question of whether the proposed agreements are an EU or member state competence also appears to have come up repeatedly, with “some delegations considering the agreements with the US a national competence, whereas other delegations consider the EBSP to fall under EU competence.”
Despite analysis by the Council Legal Service and the Commission, it appears that this question has still not been resolved.
The note points out that in February, the Council Legal Service told the Council’s IXIM working party that “an exhaustive and meaningful assessment of the respective competences of the Commission and Member States could only take place at the moment that the Commission would request a mandate for negotiations” – although this does of course presume that the EU has at least some competence for the issues at hand.
Existing agreements
The Belgian Presidency’s note also summarises existing agreements that facilitate transfers of personal data between the EU and the US: adequacy decisions; “appropriate safeguards,” such as “a legally binding and enforceable instrument between public authorities or bodies”; or the EU-US Umbrella Agreement on data exchange for law enforcement purposes, which entered into force in 2017.
None of these would apply to an EBSP agreement, the note says, with the Umbrella Agreement ruled out due to “the broader scope of ‘routine traveller screening’ intended by the EBSP requirements, and the likeliness that other than criminal law enforcement authorities will be involved in the transfer.”
Indeed, the note highlights that “the Commission emphasised that the Umbrella Agreement does not cover other purposes of data transfer, such as those related to visa processing or immigration,” and underscores that there is no way the Umbrella Agreement could be seen to cover the “generalised and systematic data exchange of all travellers”.
Agreements covering commercial data transfers are not mentioned in the note, though these have repeatedly been struck down by the Court of Justice of the EU due to the insufficient privacy safeguards in the US for EU citizens. The Umbrella Agreement was only approved by the European Parliament due to the passing of the Judicial Redress Act in the US, which supposedly offers privacy protections to EU citizens – though critics argue that this is far from the case.
What’s next?
The note concludes with possible next steps, suggesting that “the Commission could for example develop an annotated checklist of concerns that could be used by Member States for negotiations at the bilateral level,” with regard to topics such as data protection or the reciprocity of information exchange.
This would also help, the Belgian Presidency noted, with member states “aligning their messages,” which would “strengthen their position vis-à-vis the US. The IXIM Working Party can play a role in developing a common strategy and discourse”.
However, the note also highlights the “fundamental question” at hand:
“…whether the exchange of data as intended by the US (a systematic data exchange for multiple purposes at the same time) is even possible under the EU-legislation. We must carefully assess the appropriateness of the proposed data transfers, particularly in comparison to the possibilities of information exchange between EU Member States.”
This is the second time this issue is raised in the note, with the Belgian Presidency stating elsewhere that under bilateral EBSP agreements with the US, member states might exchange “information with a third country in a more systematic fashion than they do with each other.” This raises the question of whether a new agreement with the US might spark off a fresh round of law-making in the EU designed to ensure more rapid and systematic data-sharing across member states’ borders.
Regardless of whether the type of information exchange envisaged would be possible under EU law, it seems the direction of travel is towards a new international agreement.
The note asks member states’ ambassadors in the Permanent Representatives Committee (Coreper): “Would you agree that negotiating a common EU-U.S. framework for the exchange of data would be the appropriate way forward?”
It would appear that Coreper agrees: a Council spokesperson told Statewatch that at its meeting on 12 June, the committee “discussed possible data protection implications as well as the necessity of a common EU negotiation framework,” and noted that “Coreper may revert to the issue under the Hungarian presidency.” The topic is not currently listed on any forthcoming Coreper agendas.
Documentation
The US wants to vet travellers through direct access to foreign databases, including those of EU member states. Bilateral discussions are ongoing and are at different stages in different states, but it remains unclear whether the agreements are an EU or national competence. The US is organising an “informal information meeting” for EU member states and institutions, after which the Presidency wants to develop a “common vision”.
Norwegian government officials have met with their US counterparts to discuss the US' demands for direct access to biometric, identity and criminal record databases as part of its new “border security” plan, according to a report in the newspaper Bergens Tidende. The Norwegian police have apparently described the proposals as “challenging,” given existing legal requirements.
The USA’s proposed Enhanced Border Security Partnerships would entail “systematic and continuous” exchanges of sensitive personal data between participating states. The European Commission has indicated that its working group with the USA has stopped operating, and that plans are instead being negotiated bilaterally between member states and the USA.