EXCLUSIVE: US algorithms judging EU travellers not fully excluded in draft data deal | Euractiv

US authorities would not be explicitly prohibited from making important decisions about European travelers solely on the basis of automatically processing data about them, per a draft deal seen by Euractiv.

The agreement, meant to preserve visa-free travel from the EU to the US, could allow automated decision-making if authorised under domestic laws.

EU countries are preparing to allow the US to access national biometric databases – holding sensitive personal data like fingerprints and facial scans – to maintain visa-free travel to the US. The draft document relates to a framework agreement that’s being prepared at the EU level. 

The document states that “decisions producing significant adverse effects on the relevant interests of individuals” must not be taken solely through automated processes unless authorised under domestic law. In such cases, “appropriate safeguards” must be in place, including the right for individuals to seek human intervention, the draft also reads.

It is still unclear how the new system would work under the existing complex array of EU data protection rules, including the General Data Protection Regulation (GDPR), which has an extraterritorial effect. The draft deal does however state that it “supplements and supersedes” existing agreements between EU countries and the US concerning data protection.

In 2022, the US introduced a new requirement for visa-free travel, asking EU member states to conclude individual agreements with the Department of Homeland Security (DHS), known as Enhanced Border Security Partnerships (EBSPs).

EU countries tasked the European Commission with leading talks on an initial deal late last year, and a first round of negotiations took place late in January. A debriefing on the discussions is scheduled for early next month, two diplomats said.   

Both the EU and the US must first approve the framework agreement, after which individual member states will launch bilateral talks with the Trump administration to determine which national databases will be covered.

Sensitive data in scope

Under the proposed EU-US EBSP framework, the DHS would gain access to national biometric databases for the purposes of immigration screening and vetting. 

The US government department is under increased scrutiny after a number of violent incidents and fatal shootings of American citizens by ICE, a federal immigration enforcement agency that operates under the DHS.

Washington set the deadline for concluding bilateral data access agreements with EU countries at the end of 2026. Countries that fail to reach a deal with the US by then risk suspension from its visa-waiver program. 

The draft agreement seen by Euractiv also allows for the transfer of “special categories” of personal data – for example on political opinions, trade union memberships, information about a person’s sex life or their biometric data.

This information should only be transmitted with “appropriate safeguards”, the text states, stipulating that they “may include” restricting who can access it or requiring supervisory approval to do so. 

Disputes out of court 

Another notable detail in the draft agreement is that any problems arising out of an EU–US deal, under which American authorities gain access to Europeans’ sensitive data, would have to be resolved out of court. 

The document includes a clause that keeps disputes firmly out of court – requiring that any disagreement over the interpretation or implementation of an EBSP must be resolved through talks held by a “Joint Committee”, and “shall not be referred to any national or international tribunal or third party for settlement”. 

The draft agreement states that this committee would be made up of representatives of the US and the EU, without specifying any names, ranks, or institutions of those involved. 

Limits on re-sharing

The draft agreement seeks to address earlier concerns by restricting onward transfers of traveller data. US authorities would only be allowed to share EU-supplied information with third parties if the originating EU body gives explicit consent.

When granting that consent, bodies should take into account whether the receiving authority “ensures an appropriate level of protection for the personal information,” the document also reads. 

EU capitals had earlier been ready to allow US bodies to forward their citizens’ data without having any say on it, if the information was deemed necessary to prevent a “serious and imminent threat to public security”.

More talks to follow

The document is only an initial draft and is likely to change in the course of EU negotiations.

The Parliament’s civil liberties committee is set to hold a closed-door meeting to discuss the data access talks on 24 February, according to a recent committee agenda. 

(nl, cs)