Biometric Evidence in Court: EU AI Act, DPDP and US Statutes
The legal frame increasingly determines whether biometric evidence is admissible or even lawfully collected: the EU AI Act 2024 (the high-risk classification of biometric identification systems, the prohibition on real-time biometric mass surveillance with narrow exceptions, the conformity-assessment requirements), the India Digital Personal Data Protection Act 2023 (the consent + purpose-limitation + storage-limitation provisions applied to biometric data, the Aadhaar carve-outs), the US state-level statutes (Illinois BIPA 2008 + Texas + Washington + the federal No Biometric Barriers Act proposals), and the comparative casework that flows from each regime.
Last updated:
Biometric evidence in court is now governed by three distinct but overlapping regulatory regimes: the EU AI Act 2024 (Regulation (EU) 2024/1689), which classifies real-time biometric identification in public spaces as prohibited and post-event gallery search as high-risk AI requiring conformity assessment; India's Digital Personal Data Protection Act 2023, which imposes consent and purpose-limitation requirements on private-sector biometric processing while exempting central government law enforcement databases; and US state statutes led by Illinois BIPA 2008, which has generated over USD 2.5 billion in class-action settlements through its private right of action. These frameworks differ fundamentally in their enforcement mechanisms, their treatment of law enforcement exemptions, and their interaction with criminal evidentiary rules, which means that the same biometric identification procedure may be lawful in one jurisdiction and a basis for evidence suppression in another.
Biometric evidence in court is now governed by a patchwork of overlapping legal frameworks. The EU AI Act 2024 classifies biometric identification systems as high-risk or prohibited. India's DPDP Act 2023 imposes consent and purpose-limitation requirements on biometric data. US state statutes, led by Illinois BIPA, have produced over USD 2.5 billion in class-action settlements since 2017, with no equivalent federal statute.
Key takeaways
- The EU AI Act prohibits real-time biometric identification in public spaces with three narrow law-enforcement exceptions; post-event gallery search is high-risk and requires conformity assessment.
- India's DPDP Act 2023 exempts Central Government processing for national security, covering law enforcement AFIS and AFRS use, while private-sector biometric collection requires consent.
- Illinois BIPA provides a private right of action of USD 1,000 to 5,000 per violation; no actual harm need be shown. Texas and Washington lack a private right of action.
- Evidence from a BIPA-violating vendor does not automatically become inadmissible in criminal proceedings, but it creates litigation risk and potential exclusionary arguments.
- In India, constitutional review under Puttaswamy (2017, 2018) is the primary avenue for challenging improperly obtained biometric evidence where the DPDP exemption applies.
In October 2022, an Illinois federal jury awarded a class of plaintiffs 228 million dollars under the Illinois Biometric Information Privacy Act against BNSF Railway, which had scanned the fingerprints of truck drivers without written consent when they visited rail yards. The award reflected 45,600 class members, each receiving 5,000 dollars for a wilful violation under BIPA's statutory damages structure. No equivalent verdict existed at the federal level, in Europe, or in India.
That asymmetry reflects a core structural divergence: the regulatory frameworks governing biometric data collection and use vary substantially in their scope, their enforcement mechanisms, and their application to law enforcement and forensic contexts. The EU AI Act 2024 is the first comprehensive statutory framework to classify biometric identification systems by risk level and impose conformity-assessment requirements on them. India's Digital Personal Data Protection Act 2023 imposes consent and purpose-limitation requirements on biometric data including iris and face. US state statutes range from the comprehensive, private-right-of-action model in Illinois to narrower frameworks in Texas, Washington, and a handful of other states, with no federal statute in force.
For forensic practitioners, the practical question is how these regulatory regimes interact with the evidentiary use of biometric data in criminal and civil proceedings: what law enforcement biometric collection is authorised, what conditions attach to that authorisation, and when evidence obtained outside those conditions may be challenged in court.
By the end of this topic you will be able to:
- Identify which tier of the EU AI Act applies to a given biometric identification deployment and state the resulting conformity-assessment obligations.
- Explain the consent, purpose-limitation, and storage-limitation requirements of India's DPDP Act 2023 as applied to biometric data, including the scope of the national-security exemption.
- Distinguish the enforcement mechanisms of BIPA (Illinois), CUBI (Texas), and SB 6280 (Washington), and identify which creates a private right of action.
- Analyse whether biometric evidence obtained through a BIPA-non-compliant vendor is automatically excluded from criminal proceedings, and identify the legal arguments available.
- Apply the Puttaswamy constitutional framework to challenge improperly obtained biometric evidence in Indian criminal proceedings where the DPDP Act exemption applies.
The EU AI Act 2024: Biometric Systems as High-Risk AI
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), adopted by the European Parliament in March 2024 and published in the Official Journal in July 2024, is the world's first comprehensive legislative framework for AI systems. It organises AI systems into four risk tiers:
Biometric identification systems sit at the intersection of the first two tiers. Real-time remote biometric identification in publicly accessible spaces for law enforcement is classified as unacceptable risk and is prohibited. This is the legal classification for live facial recognition deployed by police in shopping centres, train stations, or football grounds, applications that attracted the most civil liberties attention in the UK (under Met Police and South Wales Police trials) and across EU member states.
The prohibition carries three statutory exceptions:
- Targeted search for specific victims of crime (including missing children).
- Prevention of a specific, substantial and imminent threat to life or a terrorist attack.
- Prosecution of serious criminal offences carrying a maximum sentence of at least four years, where prior judicial or independent administrative authorisation has been granted.
Each exception requires advance authorisation. Systematic or indiscriminate deployment is not permitted.
Biometric identification systems used in post-event investigation (comparing a stored probe image against a database gallery, as in the FBI NGI and India AFRS model) are not covered by the real-time prohibition. They are classified as high-risk AI systems under Annex III, triggering mandatory conformity-assessment requirements: technical documentation, risk management system, data governance procedures, transparency obligations, and post-market monitoring. The conformity assessment must be completed and a CE marking obtained before the system is placed on the EU market or put into service by a law enforcement agency.
EU AI Act Exceptions and Enforcement: What Changes for Law Enforcement
For EU member state police forces that use face recognition databases for post-event investigation (searching CCTV frames against gallery databases, as in the FBI NGI and India AFRS models), the AI Act's high-risk classification imposes four categories of obligation that did not previously exist at the EU level.
Technical documentation requirements mean that the deploying agency or the vendor must produce and maintain a technical file specifying the system's intended purpose, the datasets on which it was trained, the performance metrics (including demographic breakdowns equivalent to the NIST FRVT methodology), known limitations, and the risk-management measures in place. This is the regulatory mechanism by which the EU AI Act attempts to address the demographic differential performance problem identified by NIST FRVT 2018.
Human oversight requirements specify that high-risk AI systems must be designed and operated so that they can be effectively overseen by natural persons. For face recognition in law enforcement, this means the mandatory human examiner review that is also required (but inconsistently enforced) under FBI policy in the US is now a statutory requirement for EU deployments. An AI system designed to return an automated arrest recommendation with no human review step would not pass conformity assessment.
Transparency requirements include an obligation to inform individuals that they have been processed by a high-risk AI system, where this is technically feasible without jeopardising the investigative purpose. In criminal investigations, this obligation is typically deferred until the investigation is concluded, but it creates a right to know that does not exist in equivalent form under US federal law or under current Indian law.
Post-market monitoring requirements mean that deploying agencies must track and report performance issues, false positive events, and demographic disparities in operational outcomes, not just in pre-deployment testing. This creates an ongoing data-collection obligation that may eventually produce the operational performance data that academic validation studies have attempted to generate through laboratory experiments.

India's DPDP Act 2023: Consent, Purpose-Limitation and the Aadhaar Carve-Out
The Digital Personal Data Protection Act 2023 (DPDP Act 2023), enacted by the Indian Parliament and receiving Presidential assent in August 2023, is India's first comprehensive data protection statute. It applies to the processing of digital personal data of individuals located in India, whether by Indian or foreign entities. Biometric data (defined in the Act as facial images, iris scans, fingerprints, voice prints, and other body parameters that allow unique identification) falls within the definition of personal data and is processed under the same consent-and-purpose-limitation framework as other personal data, with certain exceptions.
The consent requirement means that a data fiduciary (the entity processing personal data, including a private employer collecting employee biometric data for attendance, or a bank collecting biometric data for KYC) must obtain free, specific, informed, and unambiguous consent before collecting biometric data. The consent must be linked to a specific purpose; processing for a different purpose requires fresh consent or falls within a statutory exemption. The purpose-limitation principle prohibits processing biometric data for any purpose other than that for which consent was given, or for which a statutory exemption applies.
The DPDP Act does not apply to personal data processed by the Central Government for national security, public order, or sovereignty purposes. This exemption covers law enforcement biometric collection (CCTNS, AFRS, border control databases) without requiring consent. The Act also preserves the Aadhaar Act 2016 framework: Aadhaar biometric data (collected under the mandatory identification programme) is not subject to the DPDP consent framework; it is governed by the Aadhaar Act's own security and access controls and by UIDAI regulations. The DPDP Act specifically excludes data notified as excluded under any other law enacted by Parliament, which preserves the Aadhaar Act 2016 carve-out.
Storage-limitation requirements in the DPDP Act require that personal data be retained only as long as the purpose for which it was collected remains in force, after which it must be erased. For private-sector biometric data (employer attendance systems, bank KYC databases), this creates a legal obligation to delete biometric templates when an employee leaves or a customer closes an account. For law enforcement databases, the storage-limitation obligation is overridden by the national-security exemption, but civil society organisations have argued that this creates an indefinite retention regime for AFRS and CCTNS data that lacks the proportionality requirements applied in the EU.
Illinois BIPA and the US State-Statute Landscape
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the most consequential biometric privacy statute in the United States and the model against which every subsequent state and proposed federal biometric law is measured. For the full comparative framework spanning GDPR, DPDP, and BIPA, see biometric privacy law: EU GDPR, India DPDP and US BIPA.
BIPA prohibits private entities from collecting, capturing, purchasing, or otherwise obtaining a person's biometric identifier (fingerprint, retina scan, voiceprint, face geometry, or hand geometry) without first:
- Informing the individual in writing that biometric data is being collected
- Informing the individual of the specific purpose and length of retention
- Obtaining a written release from the individual
The critical mechanism that makes BIPA uniquely powerful is its private right of action: any aggrieved individual may sue for USD 1,000 per negligent violation and USD 5,000 per wilful violation, with attorneys' fees. Class-action litigation under BIPA has produced major settlements:
- Facebook/Meta (USD 650 million, 2021): face-tagging without consent
- BNSF Railway (USD 228 million, 2023): fingerprint scanning of truck drivers without consent
- Six Flags and numerous retail employers: time-and-attendance fingerprint scanning
The Illinois Supreme Court confirmed in Rosenbach v. Six Flags Entertainment Corp (2019) that a plaintiff need not allege any actual harm beyond the statutory violation to have standing to sue under BIPA.
Texas enacted the Capture or Use of Biometric Identifier Act (CUBI) in 2009. CUBI lacks a private right of action; enforcement is exclusively by the Texas Attorney General. Washington State enacted SB 6280 in 2020, applying only to commercial facial recognition services and imposing disclosure, purpose-limitation, and accuracy-testing requirements, also without a private right of action. New York City enacted a biometric identifier disclosure ordinance applicable to commercial establishments in 2021.
At the federal level, no comprehensive biometric privacy statute is in force as of 2025. The proposed No Biometric Barriers Act would create a federal floor and private right of action but has not advanced to a vote. The FTC has used Section 5 of the FTC Act (unfair or deceptive practices) to take enforcement action against some biometric data misuses.
| Statute | Jurisdiction | Scope | Private right of action | Government exempt? |
|---|---|---|---|---|
| BIPA 2008 | Illinois (US) | Private entities; all biometric identifiers | Yes; 1k-5k per violation | Yes |
| CUBI 2009 | Texas (US) | Commercial entities; biometric identifiers | No; AG enforcement only | Yes |
| SB 6280 (2020) | Washington (US) | Commercial facial recognition services only | No; limited to AG | Partial |
| DPDP Act 2023 | India | All data fiduciaries; biometric as personal data | No; Data Protection Board | Yes (national security) |
| EU AI Act 2024 | EU member states | AI systems incl. biometric ID; high-risk + prohibited tiers | Via national supervisory authorities | Narrow exceptions only |
How Regulatory Regimes Shape Forensic Admissibility
The relationship between biometric privacy statutes and forensic admissibility is not straightforward, because BIPA and its analogues are civil statutes that govern data collection practices, while criminal courts apply evidentiary rules that focus on reliability and constitutional compliance, not on statutory compliance with civil privacy law.
In Illinois, BIPA explicitly excludes law enforcement agencies from its scope. A police department's use of face recognition to identify a suspect does not trigger BIPA's consent or notice requirements. However, a private company providing face recognition as a service to law enforcement (as several commercial vendors do, including Clearview AI, which scraped social media photographs to build its gallery) is subject to BIPA to the extent it is collecting biometric identifiers from Illinois residents. The Seventh Circuit's decision in Thornley v. Clearview AI confirmed that BIPA claims against Clearview's scraping of Illinois residents' photographs belonged in state court, and the related ACLU v. Clearview AI state-court case settled in 2022 with Clearview agreeing to nationwide restrictions on selling its faceprint database to private entities. Several parallel class actions resulted in settlements or ongoing litigation.
In criminal proceedings, biometric evidence obtained through a BIPA-violating vendor could theoretically be subject to a motion to suppress on Fourth Amendment grounds (if the government was sufficiently involved in the private collection to implicate the Fourth Amendment) or to an evidentiary challenge on reliability grounds (if the vendor's BIPA violations correlate with poor data governance that affects algorithmic accuracy). As of 2025, no US court has suppressed biometric evidence primarily on the basis of a vendor's BIPA non-compliance, but the argument has been made in several pending cases.
In the EU, the GDPR's Article 10 restriction on the processing of biometric data for the purpose of uniquely identifying natural persons requires an explicit legal basis. In criminal proceedings, the relevant legal basis is typically law enforcement necessity under Directive (EU) 2016/680 (the Law Enforcement Directive, LED), which applies to criminal investigation and prosecution. Evidence obtained through a biometric system that was not compliant with the LED's data governance requirements could be subject to exclusion in proceedings before courts in member states that apply an exclusionary rule for unlawfully obtained evidence. Germany, France, and the Netherlands have such rules; England and Wales does not, relying instead on judicial discretion under PACE s.78.
In India, the constitutional framework established by Puttaswamy v. Union of India (2017 and 2018) requires that any state action infringing privacy be lawful (authorised by law), necessary (proportionate to the aim), and legitimate (serving a recognised state interest). A biometric collection by a state agency without a legal basis or without proportionality review could be challenged under Article 21 of the Constitution. In practice, the absence of a data protection statute governing law enforcement biometric collection (the DPDP Act 2023 exempts law enforcement) means that constitutional challenge is the primary avenue for contesting improperly obtained biometric evidence in Indian criminal proceedings.
Comparative Casework Across the Three Regimes
Consider a police investigation in which officers use a face recognition system to search CCTV footage from a convenience store robbery against a national database, identify a candidate, and use the face recognition lead as the starting point for an arrest.
In the United States (federal or state court, typical jurisdiction), the Fourth Amendment analysis turns on whether the face recognition search constituted a search within the meaning of the Fourth Amendment. The dominant analysis applies Carpenter v. United States (2018): if the government's use of biometric technology constitutes a comprehensive surveillance method that aggregates information about an individual's identity without their awareness, it may require a warrant. Lower courts have not reached a consistent position. In the interim, most US courts treat face recognition database searches as analogous to a mug-shot gallery comparison (no Fourth Amendment protection) rather than as analogous to GPS tracking (which requires a warrant under United States v. Jones, 2012). However, if the face recognition search is conducted by a private vendor that violated BIPA, and the government was sufficiently involved, suppression arguments arise.
In England and Wales, the police use of face recognition for post-event investigation is governed by the Police and Criminal Evidence Act 1984 (PACE) and the Data Protection Act 2018 (implementing the LED). PACE s.64A permits the use of custody photographs for identification purposes. The Forensic Science Regulator's guidance and the College of Policing Authorised Professional Practice set procedural requirements including documentation of the face recognition query, human examiner review, and disclosure of the algorithmic basis in any case where a face recognition result contributes to a prosecution. Evidence obtained in compliance with these requirements is admissible; the Court of Appeal in R v. Fulford (2021) declined to exclude face recognition evidence where the procedural requirements had been followed, while noting that the absence of a human reviewer would be a significant procedural defect.
In India, an AFRS search producing a candidate match against CCTNS mug shots is an investigative step, and the candidate must be confirmed through further investigation before arrest. The Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS 2023) does not specifically address face recognition-generated leads, but Section 183 of the BNSS (statements to police not admissible in court) and the general requirement that confessions and identification evidence be obtained under conditions excluding inducement and promise apply to follow-on investigation. In K.S. Puttaswamy v. Union of India (2018, the Aadhaar judgment), the Supreme Court held that the linking of Aadhaar authentication to criminal databases without legislative authorisation would infringe the right to privacy, establishing a principle that applies by analogy to AFRS: the data processing must have a specific statutory basis beyond the general law enforcement mandate.
- Identify the governing legal frameworkDetermine which statute and regulatory regime applies to the specific deployment: EU AI Act (Annex III, Directive 2016/680) for EU agencies; PACE + Data Protection Act 2018 for England and Wales; BIPA, CUBI, or applicable state law plus constitutional Fourth Amendment analysis for US; DPDP Act 2023 carve-outs plus Puttaswamy constitutional framework for India.
- Verify collection authorisationConfirm that the biometric data used in the search was lawfully collected: enrolled template from a lawful law enforcement database (NGI, CCTNS, UIDAI with appropriate access agreement). If the gallery includes third-party scraped images (as in Clearview AI), assess whether the vendor's collection complied with applicable law.
- Document the human examiner reviewRecord who reviewed the algorithmic candidate result, their qualification as a trained facial image examiner, the method used (morphological analysis, photo-anthropometry), and their conclusion. This step is mandatory under EU AI Act, UK Forensic Science Regulator codes, and FBI policy.
- Disclose the algorithmic basis in proceedingsProvide the defence with the identity of the algorithm, the gallery searched, the reported similarity score, and any published NIST FRVT or equivalent performance data for the algorithm. In the EU, the AI Act's conformity-assessment documentation must be accessible to the supervising authority and, in criminal proceedings, to the court.
- Assess regulatory compliance of the vendorIf the face recognition system was operated by a private vendor, verify that the vendor's data collection and processing complied with BIPA (Illinois), DPDP (India), or GDPR/LED (EU). Non-compliance by the vendor does not automatically suppress the evidence but creates litigation risk and potential exclusionary arguments.
- Anticipate and respond to admissibility challengesPrepare for challenges under Daubert (US: error rates, peer review, general acceptance of the specific algorithm and examiner methodology); PACE s.78 (England: fairness of admission given procedural compliance); Article 21 constitutional review (India: lawfulness, necessity, proportionality of the biometric processing).
- EU AI Act 2024
- Regulation (EU) 2024/1689, the first comprehensive AI regulatory framework, which prohibits real-time biometric identification in publicly accessible spaces with three narrow exceptions, and classifies post-event biometric identification systems as high-risk AI requiring conformity assessment.
- High-risk AI system
- An AI system classified under Annex III of the EU AI Act as requiring mandatory technical documentation, risk management, human oversight, transparency, and post-market monitoring before deployment in the EU. Biometric identification and categorisation systems are included.
- Conformity assessment
- The process by which a provider of a high-risk AI system (such as a face recognition database for law enforcement) demonstrates compliance with EU AI Act requirements, either through self-assessment or third-party audit, and affixes a CE marking before placing the system on the EU market.
- DPDP Act 2023
- India's Digital Personal Data Protection Act 2023, which requires consent and purpose-limitation for biometric data processing by private entities, while exempting central government processing for national security and preserving the Aadhaar Act 2016 framework.
- BIPA
- Illinois Biometric Information Privacy Act (2008), prohibiting private-entity collection of biometric identifiers without written notice, stated purpose, and written consent, with a private right of action of 1,000-5,000 dollars per violation.
- Purpose-limitation
- The data protection principle prohibiting processing of personal (including biometric) data for any purpose other than the one for which it was originally collected; central to both DPDP Act 2023 and GDPR/EU AI Act frameworks.
- Law Enforcement Directive (LED)
- EU Directive 2016/680, which governs the processing of personal data by competent authorities for the purposes of prevention, investigation, prosecution and execution of criminal penalties; provides the legal basis for law enforcement biometric database use in EU member states.
- PACE s.78
- Section 78 of the Police and Criminal Evidence Act 1984 (England and Wales), which gives courts discretion to exclude prosecution evidence if its admission would have such an adverse effect on the fairness of the proceedings that it ought not to be admitted; the primary mechanism for excluding unlawfully obtained biometric evidence in UK criminal courts.
- Clearview AI
- A US company that built a face recognition gallery of 30+ billion images scraped from social media without consent, found to violate BIPA (Illinois), GDPR/national law (Italy, France, UK), and privacy law in Canada and Australia, with implications for law enforcement agencies that used its services.
- Puttaswamy v. Union of India
- The Supreme Court of India's 2017 nine-judge bench decision recognising the right to privacy as a fundamental right under Article 21 of the Constitution, and the 2018 Aadhaar-specific judgment applying this framework to biometric data; the constitutional anchor for challenges to state biometric data processing in India.
Under the EU AI Act 2024, which of the following biometric AI system deployments is classified as prohibited unless it falls within one of three narrow statutory exceptions?
Does Illinois BIPA apply to law enforcement agencies collecting biometric data?
Can individuals request deletion of their biometric data from a national law enforcement database?
Test yourself on Fingerprint Sciences with free, timed mocks.
Practice Fingerprint Sciences questionsSpotted an error in this page? Report a correction or read our editorial standards.