The legal framework that gates biometric collection, processing, and court admissibility: the EU GDPR Article 9 special-category treatment of biometric identifiers and the EU AI Act 2024 high-risk classification of biometric systems; India's Digital Personal Data Protection Act 2023 (consent, purpose limitation, and storage limitation as applied to biometric data, together with the Aadhaar carve-outs under the Aadhaar Act 2016); US state-level statutes (the Illinois Biometric Information Privacy Act 2008, the Texas Capture or Use of Biometric Identifier Act, the Washington Biometric Privacy Act, and the proposed federal No Biometric Barriers Act); and the cross-border interplay these regimes create for multinational casework.
When a border-control kiosk scans your iris, when a smartphone unlocks on your face, or when a forensic lab compares a crime-scene latent print to a national database entry, the underlying action is the same: a machine reads a physical feature of your body and converts it into a mathematical template that can be stored, compared, and shared. Biometric data is categorically different from a username or a password. A compromised password can be changed; a compromised fingerprint template cannot. The permanence of biometric identifiers is what drove legislators on three continents to build special-category protections around them, protections that go significantly further than the general data-minimisation and purpose-limitation rules that govern ordinary personal data.
The legal landscape is now fragmented, fast-moving, and heavily litigated. In the European Union, Article 9 of the General Data Protection Regulation prohibits processing biometric data for the purpose of uniquely identifying a natural person unless one of a narrow list of exceptions applies, and the 2024 EU AI Act adds a second layer by classifying real-time remote biometric identification in public spaces as a prohibited AI practice with very narrow law-enforcement carve-outs. In the United States, no federal biometric privacy statute exists as of mid-2026, but at least three state statutes carry private rights of action that have produced nine-figure damages awards; Illinois's Biometric Information Privacy Act (BIPA) alone has generated more than USD 2.5 billion in class-action settlements since 2017. In India, the Digital Personal Data Protection Act 2023 (DPDP Act) creates a consent-first framework for all personal data, with sensitive categories (including biometrics) attracting the highest penalty tier, while the Aadhaar Act 2016 and its 2019 amendments carve out a parallel statutory regime for government-mandated biometric enrolment.
Forensic practitioners, system integrators, and policymakers working across these jurisdictions need a working map of each framework, where they overlap, where they conflict, and what the practical obligations are for a laboratory or investigative agency that collects, processes, or shares biometric data across borders.
Article 9 does not merely regulate biometric data; it presumes prohibition and forces every controller to justify the exception it relies on.
The General Data Protection Regulation, which took direct effect across all EU member states on 25 May 2018, creates a two-tier architecture for personal data. Most personal data is governed by the general principles of Articles 5 to 7: lawful basis, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability. Biometric data processed for the purpose of uniquely identifying a natural person falls into a separate category under Article 9, alongside health data, racial or ethnic origin data, and data concerning a person's sex life. The default rule is prohibition: processing is unlawful unless the controller can bring the processing within one of Article 9(2)'s ten exceptions.
For most forensic and law-enforcement biometric processing, the applicable exception is Article 9(2)(g): processing is necessary for reasons of substantial public interest on the basis of Union or Member State law, subject to appropriate safeguards. What counts as "substantial public interest" and what "appropriate safeguards" must look like are left to member state law, which has produced significant divergence. Germany's Federal Data Protection Act (BDSG) sets a proportionality test and requires a Data Protection Impact Assessment (DPIA) under Article 35. France's CNIL (Commission Nationale de l'Informatique et des Libertés) has published sector-specific guidelines on biometric workplace systems, requiring, among other things, a default opt-out and a non-biometric alternative for workers who refuse. The Netherlands Data Protection Authority (AP) fined a company EUR 725,000 in 2022 for fingerprint-based time-and-attendance tracking without a documented Article 9(2) exception.
The GDPR also imposes obligations that apply regardless of which exception is invoked. Article 9 processing requires a DPIA under Article 35 whenever the processing is likely to result in high risk, and the Article 29 Working Party (now the European Data Protection Board, EDPB) has confirmed that systematic biometric identification of individuals is always high-risk for DPIA purposes. Article 30 requires the processing to be recorded in the register of processing activities with full specification of the categories of data, the recipients, and the retention schedule. Article 88 allows member states to set further conditions for biometric processing in the employment context, and several (Germany, Finland, the Netherlands) have used this power to require works-council consent before deploying biometric access systems at the workplace.
The AI Act does not replace the GDPR; it adds a product-safety layer on top of it, so some biometric systems face both frameworks simultaneously.
The EU Artificial Intelligence Act, formally adopted in May 2024 and entering force in August 2024 with staggered application dates, classifies AI systems by risk level. For biometric systems, the Act creates a two-tier structure: some applications are prohibited outright; others are classified as high-risk and subject to a mandatory conformity-assessment regime before deployment.
Prohibited practices under Article 5 include real-time remote biometric identification (RTBI) systems deployed in publicly accessible spaces for law-enforcement purposes, subject to narrow exceptions (terrorist threats, searches for specific serious-crime victims, prosecution of certain listed offences). Member states may authorise the exceptions by domestic law, but each deployment of a prohibited-exception RTBI system must be authorised in advance by a judicial or administrative body. The drafters modelled the carve-out structure on the European Court of Human Rights jurisprudence on Article 8 ECHR (right to private life), requiring necessity and proportionality for each specific deployment. Biometric categorisation systems that infer race, political opinion, religious belief, or health status from biometric data are prohibited without exception.
High-risk biometric systems under Annex III include biometric identification and categorisation systems not covered by the prohibition, and AI systems for facial recognition in security, border control, and workplace access. High-risk systems must undergo a conformity assessment, register in the EU AI database, implement an appropriate quality-management system, use training data that meets defined accuracy and representativeness standards, and provide human oversight mechanisms allowing operators to detect and correct AI errors. Article 10 requires high-risk systems to use training, validation, and testing datasets that are relevant, representative, and free from errors, with particular attention to possible biases that could lead to prohibited discrimination under EU law.
For forensic biometric systems specifically, the Act's Recital 14 clarifies that biometric systems used for criminal investigation and prosecution fall within the high-risk category and are also subject to the Law Enforcement Directive (LED, Directive 2016/680), which is the law-enforcement equivalent of the GDPR for competent authorities processing personal data for crime prevention, investigation, and prosecution. The LED requires necessity and proportionality for each processing purpose and mandates logging of automated decision-making affecting individuals.
India's DPDP Act borrows the consent-first architecture from GDPR but delegates most specifics to Rules that had not been notified as of mid-2026, creating a framework in transition.
The Digital Personal Data Protection Act 2023 (DPDP Act), enacted on 11 August 2023, is India's first comprehensive data-protection statute. It applies to the processing of digital personal data of individuals in India, regardless of whether the processing occurs in India or abroad, and to the processing of personal data of individuals in India by data fiduciaries (controllers) established outside India where the processing relates to the offering of goods or services to individuals in India. The Act does not use the term "special category" as GDPR does, but it creates elevated obligations through two mechanisms: Section 6 requires that consent be free, specific, informed, unconditional, and unambiguous, with a right to withdraw at any time; and the penalty schedule in Section 33 imposes the highest financial penalties (up to INR 250 crore per instance, approximately USD 30 million) for breaches involving sensitive personal data, which the Government of India may designate by notification, and which is widely expected to include biometric data.
Section 7 lists purposes for which processing may occur without consent (called "legitimate uses"), analogous to GDPR's Article 6(1)(c)-(f) lawful bases. These include performance of a State function, compliance with a court order, medical emergency, and employment-related processing. The State carve-out in Section 7(b) is significant for forensic and law-enforcement biometric processing: processing for performance of any function of the State or under any law, or in the interests of sovereignty, integrity, or security of India, does not require consent. This is the provision under which biometric databases maintained by law-enforcement agencies, forensic science laboratories under the CFSL network, and state police fingerprint bureaus would operate.
The Aadhaar Act 2016 (as amended in 2019) creates a parallel regime for the world's largest biometric identification system. Aadhaar enrols fingerprints and iris scans of approximately 1.4 billion residents of India. Section 29 of the Aadhaar Act prohibits sharing of identity information (including biometric data) for any purpose other than purposes specified in the Act, and Section 37 criminalises unauthorised use of Aadhaar authentication infrastructure. The DPDP Act's Section 17(2)(a) exempts processing covered by the Aadhaar Act from the general DPDP consent and data-principal-rights regime, meaning Aadhaar biometric data is governed exclusively by the Aadhaar Act and UIDAI (Unique Identification Authority of India) regulations, not by the DPDP Act's general framework.
| Dimension | EU GDPR Art 9 | India DPDP Act 2023 | Aadhaar Act 2016 |
|---|---|---|---|
| Default rule for biometric data | Prohibited unless exception applies | Consent required; elevated penalties for breach | Mandatory enrolment for specified welfare/service delivery |
| Law-enforcement carve-out | Art 9(2)(g): substantial public interest, member state law | S.7(b): State function or law | S.29: UIDAI-regulated authentication only |
| Data subject rights | Access, rectification, erasure, portability (Arts 15-20) | Access, correction, erasure, grievance redress (Ss. 11-14) | Limited; no right to opt out of enrolment for mandatory services |
| Cross-border transfer | Adequacy decision or safeguards (Ch. V) | Government may notify approved countries / standard contracts | Biometric data cannot leave India (UIDAI architecture) |
| Enforcement body | National DPAs + EDPB | Data Protection Board of India (not yet constituted as of mid-2026) | UIDAI + Adjudicating Officer |
The absence of a federal framework has made state legislatures the primary rulemakers for biometric privacy in the United States, with dramatically different penalty structures producing radically different litigation incentives.
The United States has no omnibus federal data-protection statute and no federal biometric-specific statute as of mid-2026. The proposed No Biometric Barriers Act, introduced in Congress in 2023, would have created a federal private right of action for biometric privacy violations, but it did not advance to a floor vote. In the gap, a patchwork of state statutes has emerged, of which three stand out for their enforcement record and practical impact.
Illinois enacted the Biometric Information Privacy Act (BIPA) in 2008, making it the first US biometric privacy statute and the only one with a per-violation private right of action. BIPA requires any private entity that collects, captures, purchases, receives, or otherwise obtains a "biometric identifier" (fingerprints, retina or iris scans, voiceprints, face geometry, hand scans) or "biometric information" (information based on a biometric identifier that can identify a person) to: (1) publish a publicly available written policy establishing a retention schedule and destruction guidelines; (2) provide written notice to the subject before collection stating the purpose and duration of collection; and (3) obtain a written release from the subject before collection. BIPA provides statutory damages of USD 1,000 per negligent violation and USD 5,000 per intentional or reckless violation, plus attorneys' fees, without requiring proof of actual harm. The Illinois Supreme Court in Cothron v. White Castle System (2023) held that each scan or transmission of biometric data constitutes a separate BIPA violation, dramatically expanding potential damages. By mid-2026, BIPA settlements include USD 650 million (Facebook/Meta, 2021), USD 92 million (TikTok, 2022), and multiple nine-figure awards in employment-context fingerprint cases.
Texas's Capture or Use of Biometric Identifier Act (CUBI), enacted in 2009, covers similar conduct but is enforced exclusively by the Texas Attorney General, with civil penalties up to USD 25,000 per violation. The absence of a private right of action meant CUBI lay largely dormant until 2022, when the Texas AG filed suit against Meta for face-recognition in photo-tagging, settled for USD 1.4 billion in 2024 in what is the largest AG settlement in US privacy law history. Washington's Biometric Privacy Act (2017) also lacks a private right of action and is enforced by the Attorney General, but it introduced a novel "commercial purpose" element: the prohibition targets biometric data collected for commercial purposes, arguably excluding most law-enforcement uses.
At the federal level, the use of biometric data by federal law-enforcement agencies is governed by a combination of the Privacy Act 1974, the E-Government Act 2002, and agency-specific systems-of-records notices. The FBI's Next Generation Identification (NGI) system, which holds fingerprint, palm print, and face records for more than 150 million individuals, operates under Privacy Act system of records notice FBI-001, updated in 2015 to cover face recognition. The Fourth Amendment's third-party doctrine, as refined by Carpenter v. United States (2018) (requiring a warrant for extended cell-site location data), has not yet been extended by the Supreme Court to cover biometric database searches, leaving the constitutional floor uncertain.
A forensic laboratory in Mumbai that shares a biometric record with an Interpol partner in Lyon is simultaneously a data exporter under DPDP, a data importer under GDPR, and potentially a covered entity under US law if any US-person records are involved.
Multinational forensic casework, international police cooperation, and global technology deployments have made cross-border biometric data flows routine. Interpol's Automated Fingerprint Identification System (AFIS), accessible to member countries via the Interpol I-24/7 secure network, processes fingerprint queries submitted by national agencies against a global database. When an Indian forensic science laboratory submits a latent print query to Interpol's AFIS, the data leaves India (triggering DPDP Act cross-border transfer obligations), is processed in France (triggering EU GDPR obligations as an Interpol database governed by Interpol's own privacy rules and the agreements it has with member countries), and may return a match against a record contributed by a US agency (which is not itself subject to GDPR but may have contributed the record under bilateral Mutual Legal Assistance Treaty terms).
Under GDPR Chapter V, transfers of personal data to third countries require either an adequacy decision (the European Commission has currently granted adequacy to 15 countries; India does not have one as of mid-2026), appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules, or reliance on one of the Article 49 derogations, of which Article 49(1)(d) (transfer necessary for the establishment, exercise, or defence of legal claims) and Article 49(1)(e) (transfer necessary to protect vital interests where consent cannot be obtained) are most relevant to forensic contexts.
The DPDP Act's cross-border transfer framework (Section 16) allows the Central Government to notify countries to which personal data may be transferred. Pending that notification, the Act's transitional provisions and the existing information-technology rules govern. The Aadhaar Act prohibits biometric data from leaving India regardless of framework, so UIDAI biometric templates are ring-fenced outside any international data-sharing regime.
For technology vendors, the cross-border picture is further complicated by the EU AI Act's extraterritorial reach: AI systems placed on the EU market or put into service in the EU are subject to the Act, even if the developer is based in India or the US. A fingerprint AFIS vendor based in Hyderabad selling a system to a German state police laboratory must comply with the AI Act's high-risk conformity-assessment requirements before the system can be deployed.
Legal frameworks are only as useful as the operational procedures they generate, and the gap between statute text and laboratory SOP is where enforcement actions are born.
Forensic laboratories, law-enforcement agencies, and biometric system vendors face a cluster of obligations that are common across GDPR, DPDP, and BIPA, despite the different drafting styles. Understanding the operational translation of each obligation is the practitioner's first task.
Retention schedules are mandatory under all three frameworks, but the standards differ. GDPR storage limitation (Article 5(1)(e)) requires personal data to be kept "no longer than necessary for the purposes for which the personal data are processed." For criminal-justice biometric data, national law typically specifies the retention period tied to conviction status, offence type, and time elapsed since offence. The UK Protection of Freedoms Act 2012 provides a detailed fingerprint and DNA retention schedule for England and Wales: profiles of unconvicted adults are deleted (with exceptions), and profiles of convicted individuals are retained for the duration of the sentence plus a post-release period. In India, there is no equivalent statutory retention schedule for police fingerprint records; Bureau of Police Research and Development (BPR&D) guidance exists but is non-binding. DPDP Act Section 8(7) requires data fiduciaries to erase personal data as soon as the specified purpose is served or consent is withdrawn, whichever is earlier, which creates an obligation for forensic agencies to build purpose-tracking into their database management systems.
Security requirements are framed differently across frameworks but converge on similar technical controls. GDPR Article 32 requires "appropriate technical and organisational measures" considering the state of the art, implementation costs, and likelihood of harm. For biometric data, this typically means encryption at rest and in transit, pseudonymisation of templates where possible, role-based access controls, and tamper-evident audit logging. The EU AI Act adds a specific requirement for high-risk biometric systems to record technical documentation sufficient to allow regulatory authorities to assess compliance. BIPA does not specify security controls, but tort claims of negligent security have been brought alongside BIPA claims; Illinois courts have applied a "reasonable care" standard.
Purpose limitation, the requirement that data collected for one purpose not be used for a different purpose, is where forensic biometric systems face the greatest legal risk. A fingerprint database established for criminal identification cannot, under GDPR, be repurposed for employment screening without a fresh legal basis and, in most member states, fresh legislation. In the US, the absence of a federal statute means purpose-limitation obligations vary by context: the Privacy Act 1974 (for federal systems) requires a compatible routine use notice before data can be shared for new purposes; BIPA requires a new written release for each distinct purpose. Several BIPA class actions have specifically targeted employers who collected fingerprints for time-and-attendance and then shared them with third-party payroll processors without separate authorisation.