EUROPEAN COMMISSION
Brussels, 23.7.2025
COM(2025) 447 final
Recommendation for a
COUNCIL DECISION
authorising the opening of negotiations on a framework agreement between the European Union and the United States of America on the exchange of information for security screenings and identity verifications relating to border procedures and applications for visa
EXPLANATORY MEMORANDUM
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
In 2022, the United States of America (US) introduced a new requirement for all countries that have been admitted to or aspire to join the U.S. Visa Waiver Program (VWP). This program enables citizens of participating countries to travel to the US visa-free for a maximum of 90 days for the purposes of tourism or business. The new requirement entails the conclusion of an “Enhanced Border Security Partnership” (EBSP) with the US Department of Homeland Security (DHS) as a condition for admission to, and further participation in, the VWP, as a component of the already existing traveller information exchange requirement.
The VWP partnerships are at the forefront of the US international cooperation on border and immigration security. One of their objectives is to establish robust bilateral exchanges of information to enable authorities to authenticate effectively the identity of travellers from partner countries and determine whether they represent a threat to US security.
As part of its VWP partnerships, the U.S. concluded bilateral agreements with EU Member States, such as the Agreements on Enhancing Cooperation in Preventing and Combating Serious Crime (PCSC Agreements). These agreements established information exchange, including biometric data, on individuals who are suspected or convicted of terrorist offences or serious crime.
Under the EBSP, the US intends to establish an information exchange on:
·travellers to the US who may have a connection to the VWP partner country;
·applicants for immigration benefits or humanitarian protection in the US;
·individuals encountered by DHS law enforcement in a border and immigration context in the US.
Such exchanges would concern information, including biometric data, stored in national databases of Member States.
The EBSP agreements are expected to be concluded by 31 December 2026. After this deadline, the DHS will assess each country’s compliance with the EBSP requirement during evaluations for initial and continued participation in the VWP.
Considering the link with the Union’s exclusive competence on the common visa policy, on 12 June 2024, the Member States’ Permanent Representatives in the Committee of the Council of the European Union (Coreper) confirmed Member States’ broad support for a common EU-U.S. framework for information exchange in the context of the EBSP. They also called on the Commission to put forward a proposal for a mandate to negotiate such a framework on behalf of the Union.
The objective of the proposed recommendation is to provide the negotiating directives to the Commission to negotiate a framework agreement that will set out the legal structure and conditions for the exchange of information between the competent authorities of the EU Member States and of the U.S., based on which the Member States would be empowered to establish bilateral agreements for an exchange of information with the U.S. from their national information technology (IT) systems.
One of the key objectives of the framework agreement is to ensure reciprocity in the exchange of information with the US, which would also help to enhance border protection and security of the Union as a whole.
The scope of the exchange of information – categories and type of data, type of persons, and type of offences – will be established during the negotiations to ensure a balanced and reciprocal exchange of information. As a minimum, the negotiations should aim to set an adequate level of information exchange, which should not exceed the level of information that the Member States share among themselves.
Based on the framework for the exchange of information set in the framework agreement, Member States would be able to negotiate and conclude bilateral arrangements operationalising the information exchange with the US.
Such bilateral arrangements would provide details on the exchange of information with competent U.S. authorities considering national legal requirements, the set-up of national databases, and other technical requirements or limitations.
The framework agreement would set safeguards to ensure the consistency with Member States’ capacities, building on the existing set up of national databases.
The framework agreement would apply to those Member States which enjoy a visa free status with the U.S. or who wish to join the VWP. The Member States would be allowed to halt information exchange as provided for in the framework agreement in case their status in the VWP changes.
On the Union’s competence to conclude an international agreement
Union’s common visa policy
The Union has developed a common visa policy for short stays (up to 90 days in any 180-day period) based on Regulation 2018/1806 (hereafter the ‘Visa Regulation’) 1 . The Visa Regulation lists the third countries whose nationals must be in possession of visa when crossing the external borders and those whose nationals are exempt from that requirement. Currently, US nationals enjoy visa-free status in the Schengen area. In parallel, the Union has concluded visa waiver and visa facilitation agreements with several third countries 2 .
The principle of reciprocity is one of the foundations of the Union’s visa policy with third countries. Reciprocity means that where the Union has granted to citizens of a third country visa-free access to visit the Schengen area, it expects the third country to reciprocate by allowing Union citizens to travel to that third country without the need for a visa as well. The Union aims to achieve full visa reciprocity with third countries whose nationals are exempted from the visa requirement to enter the Schengen area. Full reciprocity has indeed been achieved with all visa-free third countries, except the U.S. With the exception of Bulgaria, Cyprus and Romania, all Member States participate in the U.S. Visa Waiver Program. Achieving full reciprocity with the U.S. remains a political objective actively pursued by the Union.
The proposed framework agreement would ensure a consistent approach for all Member States participating in the VWP in relation to the EBSP requirement, including the necessary and appropriate data protection safeguards for such information exchange.
Under Article 3(2) of the Treaty on the Functioning of the European Union Union (TFEU), the Union has exclusive competence for the conclusion of an international agreement in so far as its conclusion may affect common rules or alter their scope.
The issuance of visas and the mechanism for determining visa reciprocity fall under the Union’s exclusive competence . This is also the case for the Union’s data protection rules.
Consequently, the conclusion of a framework agreement with the US on the information exchange as set out in the requirements of the US Visa Waiver Program, namely for the Member States to establish an EBSP information exchange, falls within the scope of the Union’s exclusive competence.
Union’s data protection framework
The exchange of information envisaged under an EBSP differs from the exchange under the established PCSC agreements. Where the objective of an exchange of information under a PCSC agreement is to fight terrorism and serious crime, the purpose of the exchange of information under the EBSP is potentially broader as it also concerns the areas of border management and visa policy.
The processing of personal data by Member States is governed by Regulation (EU) 2016/679 3 (the ‘GDPR’), except for the processing of data by criminal law enforcement authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties which is covered by Directive (EU) 2016/680 4 . Chapter V of the GDPR and Directive (EU) 2016/680 include strict conditions for the transfer of personal data to third countries. Such transfer must be based on a transfer instrument, such as an adequacy decision with the said third country, an instrument ensuring appropriate safeguards (e.g. an international agreement) or, under Directive (EU) 2016/680, an assessment by the competent law enforcement authority that such safeguards are ensured in the third country, or, failing the above, one of the statutory grounds for data transfers (or derogations) available in specific cases, and not for the systematic sharing of personal data.
For data transfers between criminal law enforcement authorities for the prevention, investigation, detection or prosecution of criminal offenses, including terrorism, the EU-U.S. ‘Umbrella Agreement’ provides for an international agreement ensuring appropriate safeguards within the meaning of Article 37(1)(a) of Directive (EU) 2016/680 5 .
Given the broader scope and purpose of the information exchange intended by the EBSP, and to the extent authorities other than criminal law enforcement would be involved in the transfer, the EU-US ‘Umbrella Agreement’ is not entirely applicable to all the types of transfers envisaged by the US under the EBSP, reinforcing the need for Union action to conclude an additional international agreement.
The framework agreement would define the categories of personal data that could be shared and the specific purposes for which they could be shared, considering in particular the level of reciprocity.
The framework agreement should contain provisions on onward transfers of personal data.
On the relationship with existing or future Member States’ bilateral arrangements
While the conclusion of this framework agreement with the U.S. falls within the Union’s exclusive competence, the framework agreement would include a clause authorising Member States to conclude supplementary bilateral agreements or arrangements.
As regards bilateral agreements or arrangements already concluded by Member States with the U.S. prior to the entry into force of this framework agreement, the framework agreement could include the conditions under which such agreements or arrangements would remain applicable, notably as regards the bilateral agreements or arrangements concluded by Member States which are not yet part of the VWP.
With this proposal for a Council recommendation, the Commission recommends that the Council:
(a)adopts a decision authorising the Commission, the opening of negotiations for a framework agreement between the Union and the United States of America,
(b)nominates the Commission as the Union negotiator of the framework agreement,
(c)sets out directives to the Negotiator, and
(d)designates a special committee in consultation with which the negotiations must be conducted.
2.LEGAL BASIS, NECESSITY AND PROPORTIONALITY
The legal bases for this recommendation are Article 16(2), Article 77(2) and Article 218(3) and (4) of the Treaty on the Functioning of the European Union (TFEU).
The Union is competent to conclude this framework agreement with the US on the exchange of information in relation to the crossing of the external borders between the EU and the US, including on border procedures and applications for visa.
The framework agreement should set an adequate level of information exchange between the EU and the US, which should not exceed the level of information sharing among the Member States in a bilateral or EU context, subject also to the principles of proportionality and necessity.
The framework agreement should specify the conditions triggering a query on a traveller. These conditions should prevent queries on persons in all cases, without any previous suspicion. A routine and systemic query concerning all persons travelling between the EU and the US should be excluded.
The framework agreement with the US is required to ensure the common visa policy objective for visa reciprocity and the application of the EU’s data protection framework. Hence the negotiating directives annexed to this recommendation to open negotiations with the US on a framework agreement are based on the requirements of the applicable EU legal framework on data protection (namely Regulation (EU) 2016/679 and Directive (EU) 2016/680).
The envisaged framework agreement does not go beyond what is necessary to achieve the objectives at stake since these cannot be achieved by the Member States alone.
•Choice of the instrument
Article 218(3) TFEU provides that the Commission or the High Representative of the Union for Foreign Affairs and Security Policy shall submit recommendations to the Council, which shall adopt a decision authorising the opening of negotiations. Given the subject matter of the envisaged agreement, it is for the Commission to submit a recommendation to that effect.
3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
[As this will be a new agreement, no evaluation or fitness checks of existing instruments could be carried out. No impact assessment is required for the negotiation of this framework agreement.]
4.IMPLEMENTATION PLANS AND MONITORING, EVALUATION AND REPORTING ARRANGEMENTS
The Commission will ensure that the implementation of the framework agreement is monitored properly.
5.OTHER ELEMENTS
•The choice of the negotiator
Given that the envisaged agreement exclusively covers maters other than the Common Foreign and Security Policy, the Commission must be designated as the negotiator pursuant to Article 218(3) TFEU.
Recommendation for a
COUNCIL DECISION
authorising the opening of negotiations on a framework agreement between the European Union and the United States of America on the exchange of information for security screenings and identity verifications relating to border procedures and applications for visa
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2), Article 77(2) and Article 218(3) and (4) thereof,
Having regard to the recommendation from the European Commission,
Whereas:
(1)The United States of America have introduced a new requirement for admission to and further participation in the U.S. Visa Waiver Program, which enables citizens of participating countries to travel to the United States visa-free for maximum 90 days for the purpose of tourism or business. The new requirement entails the conclusion of an ‘Enhanced Border Security Partnership’ (EBSP) with the U.S. Department of Homeland Security. There is a need for a common framework for information exchange in the context of the EBSP. Negotiations should therefore be opened with a view to concluding a framework agreement between the Union and the United States of America on the exchange of information for the screening and identity verification of certain travellers crossing the external borders of the Member States.
(2)The framework agreement should respect fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the Union, in particular the right to liberty and security recognised by Article 6 of the Charter, the right to private and family life recognised in Article 7 of the Charter, the right to the protection of personal data recognised in Article 8 of the Charter, and the right to effective remedy and fair trial recognised in Article 47 of the Charter. The framework agreement should be applied in accordance with those rights and principles and having due regard to the principle of proportionality in accordance with Article 52(1) of the Charter.
(3)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on [XX].
(4)The framework agreement should allow for the conclusion of bilateral arrangements between the United States of America and the Member States on matters covered by it, provided that the provisions of such bilateral arrangements are compatible with those of the framework agreement and with Union law.
(5)The Commission should be nominated as the Union negotiator.
(6)In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the Treaty on European Union and to the TFEU, Denmark is not taking part in the adoption of this Recommendation and is not bound by it or subject to its application.
(7)This Recommendation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (8); Ireland is therefore not taking part in its adoption and is not bound by it or subject to its application.
HAS ADOPTED THIS DECISION:
Article 1
The Commission is hereby authorised to negotiate, on behalf of the Union, a framework agreement between the Union and the United States of America on the exchange of information for security screenings and identity verifications relating to border procedures and applications for visa.
Article 2
The negotiating directives are set out in the Annex.
Article 3
The negotiations should be conducted in consultation with [the name of the special committee to be inserted by the Council].
Article 4
This Decision is addressed to the Commission.
Done at Brussels,
For the Council
The President
EUROPEAN COMMISSION
Brussels, 23.7.2025
COM(2025) 447 final
ANNEX
to the
Recommendation for a Council Decision
authorising the opening of negotiations on a Framework Agreement between the European Union and the United States of America on the exchange of information for security screenings and identity verifications relating to border procedures and applications for visa
ANNEX
DIRECTIVES FOR THE NEGOTIATION OF A FRAMEWORK AGREEMENT BETWEEN
the European Union and the United States of America on the exchange of information for security screening and identity verification relating to border procedures and applications for visa
In the course of the negotiations, the Commission should aim to achieve the objectives set out in detail below.
I. PURPOSE AND SCOPE OF THE FRAMEWORK AGREEMENT
1.The purpose of the framework agreement is to provide for a legal structure for Member States’ bilateral information exchange between their competent authorities and the competent authorities of the United States of America (U.S.) in the context of the U.S. Enhanced Border Security Partnership (EBSP).
2.The framework agreement should provide clear and precise rules on the exchange of information between the Member States and the U.S. on travellers crossing their respective external borders to support the screening and verification of identity of travellers necessary to determine if their entry or stay would pose any risk to public security or public order, and to support the competent authorities in the prevention, detection, investigation and prosecution of crimes and terrorist offences.
3.The objective of the framework agreement is to provide the legal basis and the conditions for the transfer and exchange of personal data between the competent authorities of the Member States and of the U.S. respectively. In particular, the framework agreement should provide clear and precise rules and procedures for triggering a query on a traveller, to preclude a systematic, generalised and non-targeted processing of data for all travellers.
4.The framework agreement should contain definitions of key terms, in particular a definition of personal data.
5.The exchange of information under this framework agreement should be guided by the principle of reciprocity.
6.The exchange of information under the framework agreement should be based on the exchange of the identity information included in the travel document, and the fingerprints of a traveller. Where relevant and under appropriate safeguards, the Parties should also be able to exchange supplementary information relevant to the given individual.
7.The exchange of information under the framework agreement should include third-country nationals in relation to the crossing of the external borders of the Member States and of the U.S., and in the context of the prevention, detection, investigation and prosecution of crimes and terrorist offences.
8.The exchange of information may include exchanges on citizens and their family members, as well as permanent residents, in cases where such exchange of information would be strictly necessary and proportionate for the prevention, detection, investigation and prosecution of crimes and terrorist offences and to the extent that such exchange of information is reciprocal.
II. CONTENT OF THE FRAMEWORK AGREEMENT
SPECIFIC ISSUES
9.The framework agreement should establish definitions of key terms, including a definition of personal data that is compliant with the definitions in Regulations (EU) 2016/679 and 2018/1725 1 , and in Directive (EU) 2016/680 2 ;
10.The framework agreement should identify the types of databases and the type(s) of data falling within the scope of the that will be subject to access in the context of the EBSP.
11.The framework agreement should spell out clearly and precisely the safeguards and guarantees needed with regard to the protection of personal data as well as fundamental rights and freedoms of individuals, irrespective of their nationality and place of residence, in the exchange of personal data with the U.S. in the context of the EBSP. In particular, the following shall apply:
(a)The purposes of processing personal data in the context of the framework agreement should be spelt out clearly and precisely by the Parties. Any processing of personal data should be limited to what is necessary and proportionate in individual cases to identify risks to public security or public order, and contribute to prevention, detection, investigation and prosecution of criminal and terrorist offences.
(b)Personal data transferred to the U.S. by the Member States should be processed fairly, on a legitimate basis and only for the purposes for which they have been transferred. Any further data processing incompatible with the initial purpose should be prohibited (purpose limitation). The framework agreement should be accompanied by an annex containing an exhaustive list of the competent authorities in the U.S. to which the Member States may transfer personal data as well as a short description of their competences.
(c)Transferred personal data should be adequate, relevant and limited to what is necessary for the purpose for which it has been transferred. It should be accurate and kept up to date. It should not be retained for longer than is necessary for the purpose for which it has been transferred but, in any event, the framework agreement should lay down rules on storage, including storage limitation, review, correction and deletion of personal data. In particular, the framework agreement should limit the retention of travellers’ personal data, after their departure from the jurisdiction to that of travellers in respect of whom there is objective evidence from which it may be inferred that there is a continuing risk to public security or public order and a need to retain data to contribute to prevention, detection, investigation and prosecution of crimes and terrorist offences.
(d)The framework agreement should specify the criteria on the basis of which the reliability of the source and accuracy of the data shall be indicated.
(e)The transfer of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning a person's health and sex life or sexual orientation, should be allowed only where strictly necessary and proportionate in individual cases for preventing or combating criminal and terrorist offences as referred to in the framework agreement, and subject to appropriate safeguards addressing the specific risks of processing the data. The framework agreement should contain specific safeguards governing the transfer of personal data on minors and on victims of criminal offences, witnesses or other persons who can provide information concerning criminal offences.
(f)The framework agreement should lay down rules on the information to be made available to individuals and should ensure enforceable rights of individuals whose personal data are processed, in the form of rules on the right to information, access, rectification and erasure, including the specific grounds that may allow for any necessary and proportionate restrictions to those rights. The framework agreement should also ensure enforceable rights of administrative and judicial redress for any person whose data are processed under the framework agreement and should guarantee effective remedies.
(g)The framework agreement should lay down rules on keeping records for the purposes of logging and documentation as well as on information to be made available to individuals.
(h)The framework agreement should provide for safeguards in respect of automated processing of personal data, including profiling, and should prohibit decisions based solely on the automated processing of personal data without human involvement.
(i)The framework agreement should include the obligation to ensure security of personal data through appropriate technical and organisational measures, including by allowing only authorised persons to have access to personal data. It should also include the obligation to notify the competent authorities and, wherever necessary and possible, data subjects, in the event of a personal data breach affecting data transferred under the framework agreement. The framework agreement should also include the obligation to implement measures for data protection by default and by design, to implement data protection principles in an effective manner.
(j)Onward transfers of personal data from the competent authorities of the U.S., to other authorities in the U.S., should only be allowed for the purposes of the framework agreement, should be made subject to appropriate conditions, including the explicit authorisation of the provider of the information, and should be allowed only with respect to authorities ensuring an essentially equivalent level of protection of personal data as ensured under the framework agreement, unless the onward transfer is necessary for the prevention and investigation of a serious and imminent threat to public security or to protect the vital interests of any natural person. Onward transfers of personal data to third countries or international organisations should be prohibited.
(k)The framework agreement should ensure a system of oversight over the use of personal data by one or more independent bodies responsible for data protection in the U.S. with effective powers of investigation and intervention. In particular, the body or bodies should have powers to hear complaints from individuals about the use of their personal data. The framework agreement should provide for a duty of cooperation between such oversight bodies, on the one hand, and the relevant Union supervisory authorities, on the other hand.
framework for the exchange of information
12.The framework agreement should outline the general conditions, criteria, databases and categories of data in scope of the exchange of information between the competent authorities of the Member States and of the U.S. as part of bilateral arrangements. Such information exchange should consist of confirmation of identity information or fingerprints, and additional information associated with the individual under the query and should be limited to what is strictly necessary and proportionate to achieve the required result.
13.Under the framework agreement, the Parties should ensure that the technical limitations of the Parties with regard to exchange of information would be respected.
14.The framework agreement should outline the consequences of suspension of membership from the VWP, or limitation of the ESTA validity, on information exchange under the framework agreement.
15.The framework agreement should provide for a layered query response model, which distinguishes between information retrieved automatically upon performing a query and additional information which could be shared with the requesting Party only upon the explicit authorisation of that Party.
16.The framework agreement should include a clause authorising Member States to conclude bilateral agreements or arrangements to implement the information exchange under the EBSP as a requirement under the Visa Waiver Program (VWP). The framework agreement should specify the elements to be contained in the bilateral agreements or arrangements operationalising the information exchange and the procedural and substantial conditions with which the bilateral agreements or arrangements are to comply with.
17.The framework agreement should set out the circumstances under which Member States could maintain the bilateral agreements or arrangements concluded with the U.S. prior to the entry into force of the framework agreement.
institutional provisions
18.The framework agreement should establish a governing body responsible for managing and supervising the implementation and operation of the agreement, facilitating the resolution of disputes.
19.The framework agreement should provide for an effective dispute settlement mechanism with respect to its interpretation and application to ensure that the Parties observe mutually agreed rules.
20.The framework agreement should include provisions on the monitoring and periodic evaluation of the framework agreement.
21.The framework agreement should include a provision on the entry into force and validity of the agreement and a provision whereby a Party may terminate or suspend it, in particular where the U.S. no longer effectively ensures the level of protection of fundamental rights and freedoms required under the framework agreement. In the case of termination or suspension, the framework agreement should also specify whether personal data falling within its scope and transferred prior to its suspension or termination may continue to be processed. Continued processing of personal data, if permitted, should in any case be in accordance with the provisions of the framework agreement as applicable at the time of the suspension or termination.
22.The framework agreement may include a clause addressing its territorial application, if necessary.
23.The framework agreement should provide for a mechanism whereby future relevant developments of Union law would, where necessary, be reflected by way of adaptations to the framework agreement. The framework agreement should also include a provision whereby the framework agreement would be terminated by the Union in case such adaptations are not carried out.
24.The framework agreement should provide for a mechanism to evaluate its implementation.
25.The framework agreement should be equally authentic in all official languages of the Union and should include a language clause to that effect.