The legal frame increasingly determines whether biometric evidence is admissible or even lawfully collected: the EU AI Act 2024 (the high-risk classification of biometric identification systems, the prohibition on real-time remote biometric identification in public spaces for law enforcement with narrow exceptions, the conformity-assessment requirements), India's Digital Personal Data Protection Act 2023 (consent, purpose-limitation and storage-limitation provisions applied to biometric data, and the State exemptions that leave Aadhaar and police databases outside them), the US state-level statutes (Illinois BIPA 2008, Texas, Washington, and the federal bills modelled on BIPA that have not passed), and the comparative casework that flows from each regime.
In October 2022, a federal jury in Illinois returned the first verdict in a trial under the Illinois Biometric Information Privacy Act (BIPA), finding that BNSF Railway had collected truck drivers' fingerprints at its rail yards without the notice and written release the statute requires. BIPA sets statutory damages per violation; the resulting judgment of 228 million dollars reflected roughly 45,600 violations at 5,000 dollars each, the rate for intentional or reckless conduct. The award was later set aside for a new trial on damages and the case settled in 2024 for 75 million dollars, but the verdict showed what a per-violation statutory regime can cost. No equivalent statute existed at the federal level. No equivalent jury verdict had been returned in Europe or India.
That asymmetry is the central tension in biometric law as of 2025: the regulatory frameworks that now govern biometric data collection and use have proliferated rapidly, but they vary enormously in their scope, their enforcement mechanisms, and their specific application to law enforcement and forensic contexts. The EU AI Act 2024 is the first comprehensive statutory framework to classify biometric identification systems by risk level and impose conformity-assessment requirements on them. India's Digital Personal Data Protection Act 2023 imposes consent and purpose-limitation requirements on biometric data including iris and face. US state statutes range from the comprehensive, private-right-of-action model in Illinois to narrower frameworks in Texas, Washington, and a handful of other states, with no federal statute in force.
For forensic practitioners, the practical question is how these regulatory regimes interact with the evidentiary use of biometric data in criminal and civil proceedings: what law enforcement biometric collection is authorised, what conditions attach to that authorisation, and when evidence obtained outside those conditions may be challenged in court.
The EU AI Act is not primarily a biometric statute, but its risk classification puts biometric identification systems at its sharpest regulatory edge.
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), adopted by the European Parliament in March 2024 and published in the Official Journal of the EU in July 2024, is the world's first comprehensive legislative framework for AI systems. It organises AI systems into four risk tiers: unacceptable risk (prohibited), high risk (permitted with conformity-assessment requirements), limited risk (transparency obligations only), and minimal risk (unregulated).
Biometric identification systems straddle two of these tiers. Article 5(1)(h) prohibits the use of 'real-time' remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement. 'Remote' means identification at a distance, typically without the person's active involvement, by comparing captured biometric data against a reference database; 'real-time' means that capture, comparison and identification happen without significant delay, as the person passes the camera. This is the legal classification that covers live facial recognition deployed by police at shopping centres, train stations or football grounds: the applications that drew the most civil liberties attention in the Metropolitan Police and South Wales Police trials in the UK (which the Act does not govern, the UK being outside the EU) and in EU member states. Real-time remote identification for purposes other than law enforcement is not caught by this article but is a high-risk system under Annex III, and remains subject to the GDPR's restrictions on biometric data.
The prohibition carries three exceptions, each limited to cases where the deployment is strictly necessary. First, the targeted search for specific victims of abduction, trafficking or sexual exploitation, and for missing persons. Second, the prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons, or of a genuine and present or foreseeable threat of a terrorist attack. Third, the localisation or identification of a person suspected of one of the offences listed in Annex II, punishable in the member state concerned by a custodial sentence of at least four years. Under any of the three, each use must be authorised in advance by a judicial authority or an independent administrative authority of the member state; in a duly justified urgency the deployment may begin without authorisation, but authorisation must then be requested without undue delay and at the latest within 24 hours, and the use must stop if it is refused. The deployment must be limited in time, place and target, and must not become systematic or indiscriminate. The Article 5 prohibitions have applied since 2 February 2025.
Biometric identification used in post-event investigation (comparing a stored probe image against a database gallery, as in the FBI NGI or India's AFRS model) is not caught by the real-time prohibition. It is, however, a high-risk AI system under Annex III point 1(a), which covers remote biometric identification generally. That classification triggers the conformity-assessment obligations on the provider (the vendor): technical documentation, a risk-management system, data-governance procedures, accuracy and robustness requirements, and post-market monitoring. The assessment must be completed and the CE marking affixed before the system is placed on the EU market or put into service; the deployer, here the police force, then carries its own obligations under Article 26, including a fundamental rights impact assessment before first use (Article 27) where the deployer is a public body. Law enforcement use of post-event remote identification carries a further condition in Article 26(10): each search must be authorised, judicially or administratively, in advance or within 48 hours, except for the initial identification of a potential suspect on the basis of objective and verifiable facts directly linked to the offence. The Annex III obligations apply from 2 August 2026.
The conformity assessment is not a bureaucratic hurdle. It obliges the provider of a face recognition system to document error rates, training data and demographic performance differentials in a standardised technical file that is open to scrutiny by the market surveillance authority, and it obliges the deploying force to use the system within the limits that file documents.
For EU member state police forces that use face recognition databases for post-event investigation (searching CCTV frames against gallery databases in the way documented in the FBI NGI section of the companion topic on this module), the AI Act's high-risk classification imposes four categories of obligation that did not previously exist at the EU level.
Technical documentation requirements mean that the provider must produce and maintain a technical file (Article 11 and Annex IV) specifying the system's intended purpose, the datasets on which it was trained, validated and tested, its performance metrics (including demographic breakdowns of the kind the NIST FRVT demographic-effects methodology produces), its known limitations, and the risk-management measures in place. A deploying agency must use the system in accordance with that documentation. This is the regulatory mechanism by which the AI Act attempts to address the demographic differential performance problem that NIST documented in its FRVT Part 3 report (NISTIR 8280, 2019).
Human oversight requirements (Article 14) specify that high-risk AI systems must be designed and operated so that they can be effectively overseen by natural persons. For remote biometric identification the Act goes further than a general review step: Article 14(5) provides that no action or decision may be taken by the deployer on the basis of an identification unless it has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority, with a narrow exception where that would be disproportionate. The human examiner review that FBI policy requires in the US, but enforces inconsistently, is therefore a statutory requirement for EU deployments. A system designed to return an automated arrest recommendation with no human review step would not pass conformity assessment.
Transparency requirements include an obligation on deployers to inform natural persons that they are subject to a high-risk AI system that makes, or assists in making, decisions about them (Article 26(11)). For law enforcement deployments that obligation is routed through Article 13 of the Law Enforcement Directive, which allows member states to restrict or delay the information where providing it would prejudice an ongoing investigation, so in practice notice is deferred until the investigation is concluded. Even deferred, it creates a right to know that does not exist in equivalent form under US federal law or under current Indian law.
Post-market monitoring requirements (Article 72) oblige the provider to collect and analyse operational performance data from deployed systems, and deployers must monitor operation according to the instructions for use, report serious incidents, and keep the automatically generated logs for at least six months (Article 26). Together these create an ongoing data-collection obligation covering false-positive events and demographic disparities in operational outcomes, not just in pre-deployment testing, and may eventually produce the field performance data that academic validation studies have tried to approximate through laboratory experiments.
India's Digital Personal Data Protection Act 2023 arrived after Aadhaar had already enrolled the iris, fingerprint and face images of roughly 1.37 billion residents, a structural problem that the Act handles not with a specific Aadhaar clause but with broad exemptions for the State.
The Digital Personal Data Protection Act 2023 (DPDP Act 2023), passed by Parliament and receiving Presidential assent on 11 August 2023, is India's first comprehensive data protection statute. It applies to the processing of digital personal data within India and to processing outside India connected with offering goods or services to individuals in India. Unlike the GDPR, the Act has no separate category of sensitive personal data and does not define biometric data; facial images, iris scans and fingerprints fall within 'personal data' simply because they identify an individual, and they are processed under the same consent-and-purpose-limitation framework as any other personal data, subject to the Act's exemptions.
The consent requirement (Section 6) means that a data fiduciary (the entity that determines the purpose and means of processing, including a bank collecting biometric data for KYC) must obtain free, specific, informed, unconditional and unambiguous consent, given by a clear affirmative action, before collecting biometric data. The consent is tied to a specified purpose; processing for a different purpose requires fresh consent or must fall within a statutory ground. Section 7 lists 'legitimate uses' that do not require consent, including processing for purposes of employment, so an employer's attendance system may rest on that ground rather than on consent. Outside those grounds, purpose limitation prohibits processing biometric data for any purpose other than the one notified to the individual.
Section 17 carves the State out of most of the Act. Processing in the interest of prevention, detection, investigation or prosecution of offences is exempt from the consent, purpose-limitation and data-principal-rights provisions (Section 17(1)), which covers law enforcement biometric collection in CCTNS, AFRS and border control databases; and the Central Government may by notification exempt any instrumentality of the State entirely, on grounds of sovereignty, security, public order and the like (Section 17(2)). The Act does not amend the Aadhaar Act 2016: Aadhaar biometric data collected under the identification programme continues to be governed by the Aadhaar Act's own security, sharing and access provisions and by UIDAI regulations, and UIDAI, as a statutory authority, is an instrumentality that the Section 17(2) notification power can reach.
Storage-limitation requirements (Section 8(7)) require that personal data be erased once consent is withdrawn or as soon as the specified purpose is no longer being served, unless retention is required by law. For private-sector biometric data (employer attendance systems, bank KYC databases), this creates a legal obligation to delete biometric templates when an employee leaves or a customer closes an account, subject to any sector-specific retention mandate. For law enforcement databases, the storage-limitation obligation is displaced by the Section 17 exemptions, and civil society organisations have argued that this leaves an indefinite retention regime for AFRS and CCTNS data that lacks the proportionality requirements applied in the EU.
BIPA is the model everyone else is either replicating or avoiding, depending on which side of a biometric privacy lawsuit they are on.
The Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), enacted in 2008, is the most consequential biometric privacy statute in the United States and the model against which every subsequent state and proposed federal biometric law is measured. BIPA prohibits private entities (it does not apply to state or local government agencies) from collecting, capturing, purchasing or otherwise obtaining a person's biometric identifier (a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) without first: informing the individual in writing that biometric data is being collected; informing the individual of the specific purpose and length of retention; and obtaining a written release. A private entity in possession of biometric data must also publish a retention schedule and destruction guidelines, may not sell or otherwise profit from the data, and may not disclose it without consent.
The critical mechanism that makes BIPA uniquely powerful is its private right of action. Any aggrieved individual may sue for 1,000 dollars per negligent violation and 5,000 dollars per intentional or reckless violation, plus attorneys' fees. Class-action litigation under BIPA has produced settlements and verdicts against Facebook (650 million dollar settlement, 2021, for face-tagging without consent), BNSF Railway (228 million dollar jury verdict, 2022, for fingerprint scanning of truck drivers without consent; the award was later vacated for a new trial on damages and the case settled in 2024), Six Flags amusement parks, and numerous retail employers who scanned fingerprints for time-and-attendance systems without disclosing the practice. The Illinois Supreme Court confirmed in Rosenbach v. Six Flags Entertainment Corp (2019) that a plaintiff need not allege any actual harm beyond the statutory violation to sue under BIPA, and in Cothron v. White Castle (2023) that a separate claim accrued on every scan. The scale of exposure Cothron implied prompted an August 2024 amendment under which a private entity that collects the same biometric identifier from the same person by the same method commits a single violation however many scans occur, capping each plaintiff's recovery at one statutory award per method of collection.
Texas enacted the Capture or Use of Biometric Identifier Act (CUBI) in 2009, which prohibits capturing a biometric identifier for a commercial purpose without notice and consent and restricts its disclosure. CUBI has no private right of action; enforcement is exclusively by the Texas Attorney General. Washington's commercial biometric statute (HB 1493, 2017) covers enrolment of biometric identifiers in a database for a commercial purpose and likewise has no private right of action. Washington's SB 6280 (2020) is a different instrument: it governs state and local government agencies' use of facial recognition services, requiring a public accountability report before deployment, meaningful human review of decisions that produce legal or similarly significant effects, and operational testing for accuracy and bias, and it permits ongoing surveillance or real-time identification only under a warrant, a court order or exigent circumstances. New York City's biometric identifier ordinance (2021) requires commercial establishments to post conspicuous notice of biometric collection and prohibits selling or sharing the data. Several other states, including California (whose CCPA/CPRA treats biometric data as sensitive personal information), New Jersey and Maryland, have enacted or are advancing legislation with varying scopes and enforcement mechanisms.
At the federal level, no comprehensive biometric privacy statute is in force as of 2025. Bills modelled on BIPA, such as the National Biometric Information Privacy Act of 2020, would set a federal floor with a private right of action; narrower proposals, such as the No Biometric Barriers to Housing Act, would bar facial recognition in federally assisted housing. None has advanced to a floor vote. The FTC has used its authority under Section 5 of the FTC Act (unfair or deceptive practices) against biometric misuse, notably its 2023 order barring Rite Aid from using facial recognition for surveillance for five years after store deployments that produced false matches, but Section 5 is not a biometric-specific statutory framework.
| Statute | Jurisdiction | Scope | Private right of action | Government exempt? |
|---|---|---|---|---|
| BIPA 2008 | Illinois (US) | Private entities; all biometric identifiers | Yes; $1,000 per negligent and $5,000 per intentional or reckless violation | Yes |
| CUBI 2009 | Texas (US) | Commercial capture and use of biometric identifiers | No; Attorney General enforcement only | Yes |
| SB 6280 (2020) | Washington (US) | State and local government agencies' use of facial recognition services | No | No; government use is the subject |
| DPDP Act 2023 | India | All data fiduciaries; biometric data as personal data | No; complaints to the Data Protection Board | Largely; Section 17 exempts law enforcement processing and notified State instrumentalities |
| EU AI Act 2024 | EU member states | AI systems incl. remote biometric identification; high-risk and prohibited tiers | No; complaints to market surveillance authorities | No for law enforcement (prohibition with narrow exceptions); national security outside scope |
A biometric template obtained in violation of BIPA is not automatically inadmissible in a criminal court. But the regulatory breach creates litigation exposure and may affect how juries receive the evidence.
The relationship between biometric privacy statutes and forensic admissibility is not straightforward, because BIPA and its analogues are civil statutes that govern data collection practices, while criminal courts apply evidentiary rules that focus on reliability and constitutional compliance, not on statutory compliance with civil privacy law.
In Illinois, BIPA applies only to private entities, so a police department's own use of face recognition to identify a suspect does not trigger its consent or notice requirements. A private company providing face recognition as a service to law enforcement (as several commercial vendors do, including Clearview AI, which scraped social media photographs to build its gallery) is subject to BIPA to the extent it collects biometric identifiers from Illinois residents, although Section 25(e) exempts a contractor or agent of a state agency or local government while working for that body, a defence such vendors raise. Clearview has faced BIPA litigation in both state and federal court: the ACLU's Illinois action settled in 2022 with Clearview agreeing to stop selling access to its database to most private entities and, for five years, to Illinois state and local agencies, and a consolidated class action in the Northern District of Illinois followed.
In criminal proceedings, biometric evidence obtained through a BIPA-violating vendor could theoretically be subject to a motion to suppress on Fourth Amendment grounds (if the government was sufficiently involved in the private collection to implicate the Fourth Amendment) or to an evidentiary challenge on reliability grounds (if the vendor's BIPA violations correlate with poor data governance that affects algorithmic accuracy). As of 2025, no US court has suppressed biometric evidence primarily on the basis of a vendor's BIPA non-compliance, but the argument has been made in several pending cases.
In the EU, Article 9 of the GDPR prohibits processing biometric data for the purpose of uniquely identifying a natural person unless one of its enumerated conditions applies. Criminal investigation and prosecution fall instead under Directive (EU) 2016/680 (the Law Enforcement Directive, LED), whose Article 10 permits competent authorities to process biometric data only where strictly necessary, subject to appropriate safeguards, and where authorised by Union or member state law. Evidence obtained through a biometric system that did not meet the LED's requirements can be challenged before the courts of member states whose procedural law excludes unlawfully obtained evidence; Germany, France and the Netherlands each have exclusion doctrines, applied case by case on a balancing of interests rather than automatically. England and Wales has no exclusionary rule, relying instead on judicial discretion under PACE s.78 to exclude evidence whose admission would have an adverse effect on the fairness of the proceedings.
In India, the constitutional framework established by Puttaswamy v. Union of India (2017 and 2018) requires that any state action infringing privacy be lawful (authorised by law), serve a legitimate state aim, and be proportionate to that aim. A biometric collection by a state agency without a legal basis or without proportionality review can be challenged under Article 21 of the Constitution. Because the DPDP Act 2023 exempts law enforcement processing under Section 17, no data protection statute governs police biometric collection, and constitutional challenge is the primary avenue for contesting improperly obtained biometric evidence in Indian criminal proceedings.
The same forensic scenario (a police agency uses face recognition to identify a suspect from CCTV footage) produces different legal outcomes depending entirely on which jurisdiction the agency operates in.
Consider a police investigation in which officers use a face recognition system to search CCTV footage from a convenience store robbery against a national database, identify a candidate, and use the face recognition lead as the starting point for an arrest.
In the United States, in either federal or state court, the Fourth Amendment analysis turns on whether the face recognition search constituted a search within the meaning of the Fourth Amendment. The dominant analysis applies Carpenter v. United States (2018): if the government's use of a technology gives it a comprehensive, aggregated record of a person's movements or identity without their awareness, it may require a warrant. Lower courts have not reached a consistent position. In the interim, most US courts treat face recognition database searches as analogous to a mug-shot gallery comparison (no Fourth Amendment protection) rather than to GPS tracking (which requires a warrant under United States v. Jones, 2012). If the search is run by a private vendor that violated BIPA, and the government was sufficiently involved to make the vendor its agent, suppression arguments arise.
In England and Wales, police use of face recognition for post-event investigation is governed by the Police and Criminal Evidence Act 1984 (PACE) and Part 3 of the Data Protection Act 2018 (which implements the LED). PACE s.64A permits photographs of detained persons to be taken and used for purposes related to the prevention and detection of crime, which is the statutory footing for the custody-image galleries that retrospective searches run against. The College of Policing's Authorised Professional Practice and the Forensic Science Regulator's codes set procedural requirements including documentation of the face recognition query, human examiner review, and disclosure of the algorithmic basis in any case where a face recognition result contributes to a prosecution. The leading appellate authority is R (Bridges) v Chief Constable of South Wales Police [2020] EWCA Civ 1058, a judicial review of live facial recognition rather than an admissibility ruling: the Court of Appeal held that deployment unlawful because the legal framework left too much discretion over who was placed on a watchlist and where the system was used, the data protection impact assessment was deficient, and the public sector equality duty had not been met. No reported appellate decision excludes retrospective face recognition evidence; admissibility turns on PACE s.78 discretion and on the identification-evidence safeguards of R v Turnbull (1977), and a match presented without a documented human review would be a significant procedural defect under the APP.
In India, an AFRS search producing a candidate match against CCTNS mug shots is an investigative lead, and the candidate must be confirmed through further investigation before arrest. The statutory basis for police collection of biometrics from arrested persons is the Criminal Procedure (Identification) Act 2022, which replaced the Identification of Prisoners Act 1920, authorises the taking of finger, palm and foot impressions, photographs, iris and retina scans and biological samples, and provides for their retention by the National Crime Records Bureau for 75 years. The Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS 2023) does not specifically address face recognition-generated leads, but its restriction on the evidentiary use of statements made to police (Section 181, carried over from Section 162 of the Code of Criminal Procedure) and the general requirement that confessions and identification evidence be obtained free of inducement and promise apply to the follow-on investigation. In K.S. Puttaswamy v. Union of India (2018, the Aadhaar judgment), the Supreme Court applied the proportionality test to each use of Aadhaar and struck down those that lacked an adequate statutory footing, notably Section 57 of the Aadhaar Act permitting private entities to demand authentication, establishing a principle that applies by analogy to AFRS: the data processing must have a specific statutory basis beyond the general law enforcement mandate.