US Travel Proposal Raises Data Protection Concerns for UK Tourists
UK travellers may be asked to share five years of social media to enter the US. Learn what this means for privacy and data protection.
UK tourists planning a trip to the United States may soon face new and far-reaching data collection requirements. A proposal published by US authorities suggests that visitors from visa waiver countries, including the UK, could be required to provide up to five years of social media history as part of the ESTA application process.
While the proposal is framed as a security measure, it raises important questions about privacy, digital rights, and proportionality. For UK individuals and organisations, it also highlights the growing tension between border security and personal data protection.
Why This Matters Now
The proposal comes as the US prepares for a major increase in international visitors. The country will host the men’s football World Cup in 2026 and the Olympic Games in Los Angeles in 2028.
Since returning to office in January, President Trump has placed renewed focus on border control and national security. Expanded data collection has become a key part of that approach.
For UK travellers, this could mark a significant change. Social media profiles often reveal political opinions, beliefs, associations, and details of private life. Requiring years of online activity for short-term travel raises questions about fairness and necessity.
Under UK GDPR principles, collecting this volume of personal data would require strong justification. Transparency and proportionality would be essential.
What the Proposal Includes
The proposal was submitted by the US Department of Homeland Security and Customs and Border Protection. It was published in the Federal Register and is now open for public consultation.
If implemented, ESTA applicants could be asked to provide:
• Social media information covering the last five years
• Telephone numbers used during the last five years
• Email addresses used over the last ten years
• Additional information about family members
The proposal does not explain how social media content would be assessed. It also does not clarify which platforms would be included or how long the data would be stored.
US authorities have stated that this is not a final rule. Public feedback will be accepted for 60 days.
Privacy and Digital Rights Risks
Digital rights organisations have warned that mandatory social media disclosure could raise significant civil liberties concerns. Social media content is rarely clear or objective. Posts are often informal, emotional, or taken out of context.
There is also a risk of profiling. Applicants could face delays or refusals based on lawful expression or misunderstood online activity.
From a data protection perspective, the key concerns include:
• Limited transparency around decision-making
• Unclear data retention and sharing practices
• The impact on third parties named or shown in posts
• Pressure on individuals to self-censor online
These risks reflect earlier criticism of social media vetting for student and work visas.
International Data Transfers and UK GDPR
UK GDPR does not apply directly to US border authorities. However, the proposal still has implications for UK organisations.
Employees travelling to the US may share information connected to their professional lives. Personal social media accounts often overlap with work networks and communications.
This reinforces the importance of data minimisation. UK GDPR requires organisations to collect only what is necessary. Reviewing five years of social media for short-term tourism would likely face strong scrutiny in the UK.
What UK Travellers Should Consider
The proposal is still under consultation. However, travellers should stay informed and cautious.
• Review privacy settings on social media platforms
• Avoid sharing unnecessary personal information publicly
• Follow official guidance before submitting extra data
• Be alert to scams using the proposal as a pretext
Any request for information should come only through official US government channels.
What This Means for Organisations
UK organisations with staff travelling to the US should take note. Increased scrutiny of online activity can expose business-related information.
Organisations should consider:
• Reviewing travel and data protection policies
• Providing staff guidance on digital footprints
• Assessing how business information appears online
• Supporting staff who raise privacy concerns
Our Data Protection Training and Data Protection Support services help organisations manage these evolving risks.
Our View
At Data Protection People, we see this proposal as part of a broader shift towards digital surveillance at borders. While security is important, broad data collection must remain fair, necessary, and proportionate.
Our Data Protection Consultant Manager, Catarina Santos, shares her view:
“As a data protection consultant, this proposal makes me uneasy – not for political reasons, but legal and rights-based ones.
Asking ordinary tourists for five years of social media activity feels like a significant shift from identity checks to judgement of expression and behaviour. Social media content is messy, contextual, and often misunderstood. Treating it as a reliable risk signal is questionable at best.
The concern isn’t whether states can protect their borders – they can and should – but whether collecting such broad personal data is necessary, fair, and proportionate for short-term visitors who have no real ability to challenge decisions or understand how their data is assessed.
Once governments normalise this level of digital scrutiny for travel, it’s hard to see where the line is drawn next.”
This development shows why strong data protection principles matter, even beyond UK and EU borders.
FAQs
Is this ESTA requirement confirmed?
No. The proposal is still under consultation and has not been approved.
Would UK travellers be affected?
Yes. UK citizens use ESTA, so any changes would apply to them.
Does UK GDPR protect travellers here?
UK GDPR does not apply to US authorities. It does, however, highlight how unusual this level of data collection would be in the UK.
What should organisations do now?
Organisations should monitor developments and review travel, privacy, and staff guidance.
Contact Us
If your organisation needs support managing international data risks or staff travel policies, our team is here to help. We provide Data Protection Support and Training to keep data protection clear and practical. Contact us today.
Source
BBC News, report on proposed changes to ESTA data collection requirements for tourists.