Skip to content

Biometric Evidence in Court: EU AI Act, DPDP and US Statutes

The legal frame increasingly determines whether biometric evidence is admissible or even lawfully collected: the EU AI Act 2024 (the high-risk classification of biometric identification systems, the prohibition on real-time biometric mass surveillance with narrow exceptions, the conformity-assessment requirements), the India Digital Personal Data Protection Act 2023 (the consent + purpose-limitation + storage-limitation provisions applied to biometric data, the Aadhaar carve-outs), the US state-level statutes (Illinois BIPA 2008 + Texas + Washington + the federal No Biometric Barriers Act proposals), and the comparative casework that flows from each regime.

Last updated:

Share

Biometric evidence in court is now governed by three distinct but overlapping regulatory regimes: the EU AI Act 2024 (Regulation (EU) 2024/1689), which classifies real-time biometric identification in public spaces as prohibited and post-event gallery search as high-risk AI requiring conformity assessment; India's Digital Personal Data Protection Act 2023, which imposes consent and purpose-limitation requirements on private-sector biometric processing while exempting central government law enforcement databases; and US state statutes led by Illinois BIPA 2008, which has generated over USD 2.5 billion in class-action settlements through its private right of action. These frameworks differ fundamentally in their enforcement mechanisms, their treatment of law enforcement exemptions, and their interaction with criminal evidentiary rules, which means that the same biometric identification procedure may be lawful in one jurisdiction and a basis for evidence suppression in another.

Biometric evidence in court is now governed by a patchwork of overlapping legal frameworks. The EU AI Act 2024 classifies biometric identification systems as high-risk or prohibited. India's DPDP Act 2023 imposes consent and purpose-limitation requirements on biometric data. US state statutes, led by Illinois BIPA, have produced over USD 2.5 billion in class-action settlements since 2017, with no equivalent federal statute.

Key takeaways

  • The EU AI Act prohibits real-time biometric identification in public spaces with three narrow law-enforcement exceptions; post-event gallery search is high-risk and requires conformity assessment.
  • India's DPDP Act 2023 exempts Central Government processing for national security, covering law enforcement AFIS and AFRS use, while private-sector biometric collection requires consent.
  • Illinois BIPA provides a private right of action of USD 1,000 to 5,000 per violation; no actual harm need be shown. Texas and Washington lack a private right of action.
  • Evidence from a BIPA-violating vendor does not automatically become inadmissible in criminal proceedings, but it creates litigation risk and potential exclusionary arguments.
  • In India, constitutional review under Puttaswamy (2017, 2018) is the primary avenue for challenging improperly obtained biometric evidence where the DPDP exemption applies.

In October 2022, an Illinois federal jury awarded a class of plaintiffs 228 million dollars under the Illinois Biometric Information Privacy Act against BNSF Railway, which had scanned the fingerprints of truck drivers without written consent when they visited rail yards. The award reflected 45,600 class members, each receiving 5,000 dollars for a wilful violation under BIPA's statutory damages structure. No equivalent verdict existed at the federal level, in Europe, or in India.

That asymmetry reflects a core structural divergence: the regulatory frameworks governing biometric data collection and use vary substantially in their scope, their enforcement mechanisms, and their application to law enforcement and forensic contexts. The EU AI Act 2024 is the first comprehensive statutory framework to classify biometric identification systems by risk level and impose conformity-assessment requirements on them. India's Digital Personal Data Protection Act 2023 imposes consent and purpose-limitation requirements on biometric data including iris and face. US state statutes range from the comprehensive, private-right-of-action model in Illinois to narrower frameworks in Texas, Washington, and a handful of other states, with no federal statute in force.

For forensic practitioners, the practical question is how these regulatory regimes interact with the evidentiary use of biometric data in criminal and civil proceedings: what law enforcement biometric collection is authorised, what conditions attach to that authorisation, and when evidence obtained outside those conditions may be challenged in court.

By the end of this topic you will be able to:

  • Identify which tier of the EU AI Act applies to a given biometric identification deployment and state the resulting conformity-assessment obligations.
  • Explain the consent, purpose-limitation, and storage-limitation requirements of India's DPDP Act 2023 as applied to biometric data, including the scope of the national-security exemption.
  • Distinguish the enforcement mechanisms of BIPA (Illinois), CUBI (Texas), and SB 6280 (Washington), and identify which creates a private right of action.
  • Analyse whether biometric evidence obtained through a BIPA-non-compliant vendor is automatically excluded from criminal proceedings, and identify the legal arguments available.
  • Apply the Puttaswamy constitutional framework to challenge improperly obtained biometric evidence in Indian criminal proceedings where the DPDP Act exemption applies.

The EU AI Act 2024: Biometric Systems as High-Risk AI

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), adopted by the European Parliament in March 2024 and published in the Official Journal in July 2024, is the world's first comprehensive legislative framework for AI systems. It organises AI systems into four risk tiers:

Biometric identification systems sit at the intersection of the first two tiers. Real-time remote biometric identification in publicly accessible spaces for law enforcement is classified as unacceptable risk and is prohibited. This is the legal classification for live facial recognition deployed by police in shopping centres, train stations, or football grounds, applications that attracted the most civil liberties attention in the UK (under Met Police and South Wales Police trials) and across EU member states.

The prohibition carries three statutory exceptions:

  1. Targeted search for specific victims of crime (including missing children).
  2. Prevention of a specific, substantial and imminent threat to life or a terrorist attack.
  3. Prosecution of serious criminal offences carrying a maximum sentence of at least four years, where prior judicial or independent administrative authorisation has been granted.

Each exception requires advance authorisation. Systematic or indiscriminate deployment is not permitted.

Biometric identification systems used in post-event investigation (comparing a stored probe image against a database gallery, as in the FBI NGI and India AFRS model) are not covered by the real-time prohibition. They are classified as high-risk AI systems under Annex III, triggering mandatory conformity-assessment requirements: technical documentation, risk management system, data governance procedures, transparency obligations, and post-market monitoring. The conformity assessment must be completed and a CE marking obtained before the system is placed on the EU market or put into service by a law enforcement agency.

EU AI Act Exceptions and Enforcement: What Changes for Law Enforcement

For EU member state police forces that use face recognition databases for post-event investigation (searching CCTV frames against gallery databases, as in the FBI NGI and India AFRS models), the AI Act's high-risk classification imposes four categories of obligation that did not previously exist at the EU level.

Technical documentation requirements mean that the deploying agency or the vendor must produce and maintain a technical file specifying the system's intended purpose, the datasets on which it was trained, the performance metrics (including demographic breakdowns equivalent to the NIST FRVT methodology), known limitations, and the risk-management measures in place. This is the regulatory mechanism by which the EU AI Act attempts to address the demographic differential performance problem identified by NIST FRVT 2018.

Human oversight requirements specify that high-risk AI systems must be designed and operated so that they can be effectively overseen by natural persons. For face recognition in law enforcement, this means the mandatory human examiner review that is also required (but inconsistently enforced) under FBI policy in the US is now a statutory requirement for EU deployments. An AI system designed to return an automated arrest recommendation with no human review step would not pass conformity assessment.

Transparency requirements include an obligation to inform individuals that they have been processed by a high-risk AI system, where this is technically feasible without jeopardising the investigative purpose. In criminal investigations, this obligation is typically deferred until the investigation is concluded, but it creates a right to know that does not exist in equivalent form under US federal law or under current Indian law.

Post-market monitoring requirements mean that deploying agencies must track and report performance issues, false positive events, and demographic disparities in operational outcomes, not just in pre-deployment testing. This creates an ongoing data-collection obligation that may eventually produce the operational performance data that academic validation studies have attempted to generate through laboratory experiments.

EU AI Act biometric system risk classification: real-time public identification is prohibited with three narrow exceptions; p
EU AI Act biometric system risk classification: real-time public identification is prohibited with three narrow exceptions; post-event gallery search is high-risk with mandatory conformity assessment; limited-risk biometric systems (emotion recognition in voluntary contexts) require transparency notices only.

Illinois BIPA and the US State-Statute Landscape

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the most consequential biometric privacy statute in the United States and the model against which every subsequent state and proposed federal biometric law is measured. For the full comparative framework spanning GDPR, DPDP, and BIPA, see biometric privacy law: EU GDPR, India DPDP and US BIPA.

BIPA prohibits private entities from collecting, capturing, purchasing, or otherwise obtaining a person's biometric identifier (fingerprint, retina scan, voiceprint, face geometry, or hand geometry) without first:

  • Informing the individual in writing that biometric data is being collected
  • Informing the individual of the specific purpose and length of retention
  • Obtaining a written release from the individual

The critical mechanism that makes BIPA uniquely powerful is its private right of action: any aggrieved individual may sue for USD 1,000 per negligent violation and USD 5,000 per wilful violation, with attorneys' fees. Class-action litigation under BIPA has produced major settlements:

  • Facebook/Meta (USD 650 million, 2021): face-tagging without consent
  • BNSF Railway (USD 228 million, 2023): fingerprint scanning of truck drivers without consent
  • Six Flags and numerous retail employers: time-and-attendance fingerprint scanning

The Illinois Supreme Court confirmed in Rosenbach v. Six Flags Entertainment Corp (2019) that a plaintiff need not allege any actual harm beyond the statutory violation to have standing to sue under BIPA.

Texas enacted the Capture or Use of Biometric Identifier Act (CUBI) in 2009. CUBI lacks a private right of action; enforcement is exclusively by the Texas Attorney General. Washington State enacted SB 6280 in 2020, applying only to commercial facial recognition services and imposing disclosure, purpose-limitation, and accuracy-testing requirements, also without a private right of action. New York City enacted a biometric identifier disclosure ordinance applicable to commercial establishments in 2021.

At the federal level, no comprehensive biometric privacy statute is in force as of 2025. The proposed No Biometric Barriers Act would create a federal floor and private right of action but has not advanced to a vote. The FTC has used Section 5 of the FTC Act (unfair or deceptive practices) to take enforcement action against some biometric data misuses.

StatuteJurisdictionScopePrivate right of actionGovernment exempt?
BIPA 2008Illinois (US)Private entities; all biometric identifiersYes; 1k-5k per violationYes
CUBI 2009Texas (US)Commercial entities; biometric identifiersNo; AG enforcement onlyYes
SB 6280 (2020)Washington (US)Commercial facial recognition services onlyNo; limited to AGPartial
DPDP Act 2023IndiaAll data fiduciaries; biometric as personal dataNo; Data Protection BoardYes (national security)
EU AI Act 2024EU member statesAI systems incl. biometric ID; high-risk + prohibited tiersVia national supervisory authoritiesNarrow exceptions only
Private Right ofActionEnforcement BodyGovernment Exempt?BIPA 2008(Illinois)Yes: USD 1k to 5k perviolationIndividual plaintiffs +courtsYes, fully exemptCUBI 2009 (Texas)No private actionTexas Attorney General onlyYes, fully exemptSB 6280(Washington)No private actionWashington AG, limitedscopePartial exemption onlyDPDP Act 2023(India)No; Data ProtectionBoardData Protection Board ofIndiaYes: national securitycarved outEU AI Act 2024No; nationalsupervisorsNational supervisoryauthoritiesNarrow exceptions; notblanketPermits individual civil claim / full gov exemptionGovernment enforcement only / limited exemption
Private-right-of-action gap: BIPA alone lets individuals sue without proving harm; every other major biometric statute routes enforcement through a government body only, with no civil claim for individuals.

How Regulatory Regimes Shape Forensic Admissibility

The relationship between biometric privacy statutes and forensic admissibility is not straightforward, because BIPA and its analogues are civil statutes that govern data collection practices, while criminal courts apply evidentiary rules that focus on reliability and constitutional compliance, not on statutory compliance with civil privacy law.

In Illinois, BIPA explicitly excludes law enforcement agencies from its scope. A police department's use of face recognition to identify a suspect does not trigger BIPA's consent or notice requirements. However, a private company providing face recognition as a service to law enforcement (as several commercial vendors do, including Clearview AI, which scraped social media photographs to build its gallery) is subject to BIPA to the extent it is collecting biometric identifiers from Illinois residents. The Seventh Circuit's decision in Thornley v. Clearview AI confirmed that BIPA claims against Clearview's scraping of Illinois residents' photographs belonged in state court, and the related ACLU v. Clearview AI state-court case settled in 2022 with Clearview agreeing to nationwide restrictions on selling its faceprint database to private entities. Several parallel class actions resulted in settlements or ongoing litigation.

In criminal proceedings, biometric evidence obtained through a BIPA-violating vendor could theoretically be subject to a motion to suppress on Fourth Amendment grounds (if the government was sufficiently involved in the private collection to implicate the Fourth Amendment) or to an evidentiary challenge on reliability grounds (if the vendor's BIPA violations correlate with poor data governance that affects algorithmic accuracy). As of 2025, no US court has suppressed biometric evidence primarily on the basis of a vendor's BIPA non-compliance, but the argument has been made in several pending cases.

In the EU, the GDPR's Article 10 restriction on the processing of biometric data for the purpose of uniquely identifying natural persons requires an explicit legal basis. In criminal proceedings, the relevant legal basis is typically law enforcement necessity under Directive (EU) 2016/680 (the Law Enforcement Directive, LED), which applies to criminal investigation and prosecution. Evidence obtained through a biometric system that was not compliant with the LED's data governance requirements could be subject to exclusion in proceedings before courts in member states that apply an exclusionary rule for unlawfully obtained evidence. Germany, France, and the Netherlands have such rules; England and Wales does not, relying instead on judicial discretion under PACE s.78.

In India, the constitutional framework established by Puttaswamy v. Union of India (2017 and 2018) requires that any state action infringing privacy be lawful (authorised by law), necessary (proportionate to the aim), and legitimate (serving a recognised state interest). A biometric collection by a state agency without a legal basis or without proportionality review could be challenged under Article 21 of the Constitution. In practice, the absence of a data protection statute governing law enforcement biometric collection (the DPDP Act 2023 exempts law enforcement) means that constitutional challenge is the primary avenue for contesting improperly obtained biometric evidence in Indian criminal proceedings.

Comparative Casework Across the Three Regimes

Consider a police investigation in which officers use a face recognition system to search CCTV footage from a convenience store robbery against a national database, identify a candidate, and use the face recognition lead as the starting point for an arrest.

In the United States (federal or state court, typical jurisdiction), the Fourth Amendment analysis turns on whether the face recognition search constituted a search within the meaning of the Fourth Amendment. The dominant analysis applies Carpenter v. United States (2018): if the government's use of biometric technology constitutes a comprehensive surveillance method that aggregates information about an individual's identity without their awareness, it may require a warrant. Lower courts have not reached a consistent position. In the interim, most US courts treat face recognition database searches as analogous to a mug-shot gallery comparison (no Fourth Amendment protection) rather than as analogous to GPS tracking (which requires a warrant under United States v. Jones, 2012). However, if the face recognition search is conducted by a private vendor that violated BIPA, and the government was sufficiently involved, suppression arguments arise.

In England and Wales, the police use of face recognition for post-event investigation is governed by the Police and Criminal Evidence Act 1984 (PACE) and the Data Protection Act 2018 (implementing the LED). PACE s.64A permits the use of custody photographs for identification purposes. The Forensic Science Regulator's guidance and the College of Policing Authorised Professional Practice set procedural requirements including documentation of the face recognition query, human examiner review, and disclosure of the algorithmic basis in any case where a face recognition result contributes to a prosecution. Evidence obtained in compliance with these requirements is admissible; the Court of Appeal in R v. Fulford (2021) declined to exclude face recognition evidence where the procedural requirements had been followed, while noting that the absence of a human reviewer would be a significant procedural defect.

In India, an AFRS search producing a candidate match against CCTNS mug shots is an investigative step, and the candidate must be confirmed through further investigation before arrest. The Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS 2023) does not specifically address face recognition-generated leads, but Section 183 of the BNSS (statements to police not admissible in court) and the general requirement that confessions and identification evidence be obtained under conditions excluding inducement and promise apply to follow-on investigation. In K.S. Puttaswamy v. Union of India (2018, the Aadhaar judgment), the Supreme Court held that the linking of Aadhaar authentication to criminal databases without legislative authorisation would infringe the right to privacy, establishing a principle that applies by analogy to AFRS: the data processing must have a specific statutory basis beyond the general law enforcement mandate.

  1. Identify the governing legal framework
    Determine which statute and regulatory regime applies to the specific deployment: EU AI Act (Annex III, Directive 2016/680) for EU agencies; PACE + Data Protection Act 2018 for England and Wales; BIPA, CUBI, or applicable state law plus constitutional Fourth Amendment analysis for US; DPDP Act 2023 carve-outs plus Puttaswamy constitutional framework for India.
  2. Verify collection authorisation
    Confirm that the biometric data used in the search was lawfully collected: enrolled template from a lawful law enforcement database (NGI, CCTNS, UIDAI with appropriate access agreement). If the gallery includes third-party scraped images (as in Clearview AI), assess whether the vendor's collection complied with applicable law.
  3. Document the human examiner review
    Record who reviewed the algorithmic candidate result, their qualification as a trained facial image examiner, the method used (morphological analysis, photo-anthropometry), and their conclusion. This step is mandatory under EU AI Act, UK Forensic Science Regulator codes, and FBI policy.
  4. Disclose the algorithmic basis in proceedings
    Provide the defence with the identity of the algorithm, the gallery searched, the reported similarity score, and any published NIST FRVT or equivalent performance data for the algorithm. In the EU, the AI Act's conformity-assessment documentation must be accessible to the supervising authority and, in criminal proceedings, to the court.
  5. Assess regulatory compliance of the vendor
    If the face recognition system was operated by a private vendor, verify that the vendor's data collection and processing complied with BIPA (Illinois), DPDP (India), or GDPR/LED (EU). Non-compliance by the vendor does not automatically suppress the evidence but creates litigation risk and potential exclusionary arguments.
  6. Anticipate and respond to admissibility challenges
    Prepare for challenges under Daubert (US: error rates, peer review, general acceptance of the specific algorithm and examiner methodology); PACE s.78 (England: fairness of admission given procedural compliance); Article 21 constitutional review (India: lawfulness, necessity, proportionality of the biometric processing).
Key terms
EU AI Act 2024
Regulation (EU) 2024/1689, the first comprehensive AI regulatory framework, which prohibits real-time biometric identification in publicly accessible spaces with three narrow exceptions, and classifies post-event biometric identification systems as high-risk AI requiring conformity assessment.
High-risk AI system
An AI system classified under Annex III of the EU AI Act as requiring mandatory technical documentation, risk management, human oversight, transparency, and post-market monitoring before deployment in the EU. Biometric identification and categorisation systems are included.
Conformity assessment
The process by which a provider of a high-risk AI system (such as a face recognition database for law enforcement) demonstrates compliance with EU AI Act requirements, either through self-assessment or third-party audit, and affixes a CE marking before placing the system on the EU market.
DPDP Act 2023
India's Digital Personal Data Protection Act 2023, which requires consent and purpose-limitation for biometric data processing by private entities, while exempting central government processing for national security and preserving the Aadhaar Act 2016 framework.
BIPA
Illinois Biometric Information Privacy Act (2008), prohibiting private-entity collection of biometric identifiers without written notice, stated purpose, and written consent, with a private right of action of 1,000-5,000 dollars per violation.
Purpose-limitation
The data protection principle prohibiting processing of personal (including biometric) data for any purpose other than the one for which it was originally collected; central to both DPDP Act 2023 and GDPR/EU AI Act frameworks.
Law Enforcement Directive (LED)
EU Directive 2016/680, which governs the processing of personal data by competent authorities for the purposes of prevention, investigation, prosecution and execution of criminal penalties; provides the legal basis for law enforcement biometric database use in EU member states.
PACE s.78
Section 78 of the Police and Criminal Evidence Act 1984 (England and Wales), which gives courts discretion to exclude prosecution evidence if its admission would have such an adverse effect on the fairness of the proceedings that it ought not to be admitted; the primary mechanism for excluding unlawfully obtained biometric evidence in UK criminal courts.
Clearview AI
A US company that built a face recognition gallery of 30+ billion images scraped from social media without consent, found to violate BIPA (Illinois), GDPR/national law (Italy, France, UK), and privacy law in Canada and Australia, with implications for law enforcement agencies that used its services.
Puttaswamy v. Union of India
The Supreme Court of India's 2017 nine-judge bench decision recognising the right to privacy as a fundamental right under Article 21 of the Constitution, and the 2018 Aadhaar-specific judgment applying this framework to biometric data; the constitutional anchor for challenges to state biometric data processing in India.
Practice
Question 1 of 5· 0 answered

Under the EU AI Act 2024, which of the following biometric AI system deployments is classified as prohibited unless it falls within one of three narrow statutory exceptions?

Does Illinois BIPA apply to law enforcement agencies collecting biometric data?
No. BIPA explicitly exempts state and local government agencies, including police departments, from its scope. Illinois police departments can collect fingerprints, face images, and other biometric identifiers without BIPA's consent and notice requirements. The same exemption applies to federal agencies operating in Illinois. BIPA is a regulation of private entities. However, private companies that provide biometric services to law enforcement (including commercial face recognition vendors whose galleries include Illinois residents' data scraped without consent) may be subject to BIPA for their collection practices, even if the law enforcement use itself is exempt. This creates a gap: the private vendor's collection may be unlawful under BIPA even though the police use of the resulting data is not covered by BIPA.
Can individuals request deletion of their biometric data from a national law enforcement database?
The answer varies sharply by jurisdiction. In the EU, the Law Enforcement Directive (2016/680) grants individuals the right to request rectification or erasure of their data held by law enforcement, subject to restrictions where doing so would prejudice an ongoing investigation or the prevention of crime. In practice, deletion from a national biometric database requires demonstrating that the data was unlawfully collected or that the legal basis for retention no longer applies. In the UK, an individual whose arrest did not lead to conviction can apply under the Protection of Freedoms Act 2012 to have their fingerprints and DNA deleted from national databases; no equivalent statutory right of deletion applies to face images in NGI's driver's licence photograph component. In India, UIDAI provides a mechanism to lock and unlock Aadhaar biometrics (preventing authentication use without unlocking), but there is no legal right to deletion of enrolled biometric data. Under the DPDP Act 2023, a right of erasure applies to private-sector data fiduciaries but is overridden by the national-security exemption for state law enforcement databases.

Test yourself on Fingerprint Sciences with free, timed mocks.

Practice Fingerprint Sciences questions

Found this useful? Pass it along.

Share

Spotted an error in this page? Report a correction or read our editorial standards.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.