Skip to content

Biometric Privacy Law: EU GDPR, India DPDP and US BIPA

The legal frame that gates biometric collection + processing + court admissibility: EU GDPR Article 9 special-category data treatment of biometric identifiers + the EU AI Act 2024 biometric-system high-risk classification, India Digital Personal Data Protection Act 2023 (consent + purpose-limitation + storage-limitation as applied to biometric data, the Aadhaar carve-outs from the Aadhaar Act 2016), US state-level statutes (Illinois Biometric Information Privacy Act 2008 + Texas Capture or Use of Biometric Identifier Act + Washington Biometric Privacy Act + the proposed federal No Biometric Barriers Act), and the cross-border interplay these regimes create for multinational casework.

Last updated:

Share

Biometric data, fingerprints, iris scans, face geometry, and voiceprints, receives the strictest statutory protection of any personal data category because a compromised biometric identifier cannot be changed. The EU GDPR Article 9 presumes all biometric processing prohibited unless one of ten listed exceptions applies. India's Digital Personal Data Protection Act 2023 creates a consent-first framework with a State-function carve-out covering law-enforcement and forensic-laboratory use. In the United States, no federal biometric statute exists as of mid-2026, but Illinois BIPA has generated over USD 2.5 billion in class-action settlements since 2017 and sets the most demanding compliance standard of any US state law.

Biometric privacy law governs who can collect, store, share, and use fingerprints, iris scans, face geometry, and other body-based identifiers. EU GDPR Article 9 presumes prohibition and forces every controller to justify an exception. Illinois BIPA has generated over USD 2.5 billion in class-action settlements since 2017. India's DPDP Act 2023 creates a consent-first framework with a national-security carve-out that covers law enforcement AFIS use.

Key takeaways

  • GDPR Article 9 makes biometric processing presumptively prohibited; the controller must identify one of ten listed exceptions before any processing begins.
  • The EU AI Act 2024 adds a product-safety layer on top of GDPR, classifying real-time biometric identification in public spaces as prohibited with three narrow law-enforcement exceptions.
  • Illinois BIPA provides per-scan statutory damages of USD 1,000 to 5,000 with no actual-harm requirement; the Cothron v. White Castle (2023) ruling means each scan is a separate violation.
  • India's DPDP Act 2023 Section 7(b) exempts State function processing (including forensic labs and police databases) from the consent requirement; Aadhaar biometric data is governed exclusively by the Aadhaar Act 2016.
  • Cross-border forensic data flows require either an EU adequacy decision, Standard Contractual Clauses, or an Article 49 GDPR derogation; India does not currently have an EU adequacy decision.

Whether a border-control kiosk processes an iris scan, a forensic laboratory compares a latent print to a national database, or an employer tracks attendance by fingerprint, the underlying operation is the same: a machine reads a physical feature of a person and converts it into a mathematical template that can be stored, compared, and shared. Biometric data is categorically different from a password or account credential. A compromised password can be changed; a compromised fingerprint template cannot. The permanence of biometric identifiers is what drove legislators on three continents to build special-category protections around them.

The legal landscape is fragmented, fast-moving, and heavily litigated. In the European Union, GDPR Article 9 prohibits processing biometric data for the purpose of uniquely identifying a natural person unless one of a narrow list of exceptions applies, and the 2024 EU AI Act adds a second layer by classifying real-time remote biometric identification in public spaces as a prohibited AI practice (see biometric evidence in court under the EU AI Act). In the United States, no federal biometric privacy statute exists as of mid-2026, but Illinois BIPA alone has generated more than USD 2.5 billion in class-action settlements since 2017. In India, the Digital Personal Data Protection Act 2023 creates a consent-first framework, while the Aadhaar Act 2016 carves out a parallel statutory regime for government-mandated biometric enrolment.

By the end of this topic you will be able to:

  • Identify which legal framework governs a biometric processing operation given its jurisdiction, data type, and processing purpose.
  • Apply GDPR Article 9's exception structure, including the public-interest basis and the Law Enforcement Directive overlay, to forensic and law-enforcement biometric systems.
  • Distinguish the consent, notice, and retention obligations of Illinois BIPA, Texas CUBI, and Washington's Biometric Privacy Act, and explain why BIPA sets the effective compliance floor.
  • Explain how DPDP Act Section 7(b) and the Aadhaar Act 2016 Section 17(2)(a) carve-out interact to create two parallel Indian regimes for biometric data.
  • Trace the legal obligations triggered when biometric data crosses borders in a multinational forensic investigation involving EU, Indian, and US agencies.

EU GDPR Article 9 and the Special-Category Prohibition

The General Data Protection Regulation (GDPR), which took direct effect across all EU member states on 25 May 2018, creates a two-tier architecture for personal data. Most personal data is governed by the general principles of Articles 5 to 7: lawful basis, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability. Biometric data processed for the purpose of uniquely identifying a natural person falls into a separate category under Article 9, alongside health data, racial or ethnic origin data, and data concerning a person's sex life. The default rule is prohibition: processing is unlawful unless the controller can bring it within one of Article 9(2)'s ten exceptions.

For most forensic and law-enforcement biometric processing, the applicable exception is Article 9(2)(g): processing necessary for reasons of substantial public interest on the basis of Union or Member State law, subject to appropriate safeguards. What counts as "substantial public interest" and what "appropriate safeguards" must look like are left to member state law, which has produced significant divergence:

  • Germany (BDSG): sets a proportionality test and requires a DPIA under Article 35.
  • France (CNIL): sector-specific guidelines on biometric workplace systems require a default opt-out and a non-biometric alternative for workers who refuse.
  • Netherlands (AP): fined a company EUR 725,000 in 2022 for fingerprint-based time-and-attendance tracking without a documented Article 9(2) exception.

The GDPR also imposes obligations that apply regardless of which exception is invoked. Article 9 processing requires a DPIA under Article 35 whenever the processing is likely to result in high risk, and the Article 29 Working Party (now the European Data Protection Board, EDPB) has confirmed that systematic biometric identification of individuals is always high-risk for DPIA purposes. Article 30 requires the processing to be recorded in the register of processing activities with full specification of the categories of data, the recipients, and the retention schedule. Article 88 allows member states to set further conditions for biometric processing in the employment context, and several (Germany, Finland, the Netherlands) have used this power to require works-council consent before deploying biometric access systems at the workplace.

Biometric dataprocessing proposedArt 9(1): PresumedprohibitedException applies? Art9(2)(a)-(j)Permitted + DPIA +Art 30 recordProhibited: do notprocessDecision nodeProhibition / riskPermitted path
GDPR Article 9 decision path: prohibition is the default; the controller must identify an applicable exception before any biometric processing begins.

EU AI Act 2024 and Biometric System Classification

The EU Artificial Intelligence Act, formally adopted in May 2024 and entering force in August 2024 with staggered application dates, classifies AI systems by risk level. For biometric systems, the Act creates a two-tier structure: some applications are prohibited outright; others are classified as high-risk and subject to a mandatory conformity-assessment regime before deployment.

Prohibited practices under Article 5 include real-time remote biometric identification (RTBI) systems deployed in publicly accessible spaces for law-enforcement purposes, subject to narrow exceptions (terrorist threats, searches for specific serious-crime victims, prosecution of certain listed offences). Member states may authorise the exceptions by domestic law, but each deployment of a prohibited-exception RTBI system must be authorised in advance by a judicial or administrative body. The drafters modelled the carve-out structure on the European Court of Human Rights jurisprudence on Article 8 ECHR (right to private life), requiring necessity and proportionality for each specific deployment. Biometric categorisation systems that infer race, political opinion, religious belief, or health status from biometric data are prohibited without exception.

High-risk biometric systems under Annex III include biometric identification and categorisation systems not covered by the prohibition, and AI systems for facial recognition in security, border control, and workplace access. High-risk systems must undergo a conformity assessment, register in the EU AI database, implement an appropriate quality-management system, use training data that meets defined accuracy and representativeness standards, and provide human oversight mechanisms allowing operators to detect and correct AI errors. Article 10 requires high-risk systems to use training, validation, and testing datasets that are relevant, representative, and free from errors, with particular attention to possible biases that could lead to prohibited discrimination under EU law.

For forensic biometric systems specifically, the Act's Recital 14 clarifies that biometric systems used for criminal investigation and prosecution fall within the high-risk category and are also subject to the Law Enforcement Directive (LED, Directive 2016/680), which is the law-enforcement equivalent of the GDPR for competent authorities processing personal data for crime prevention, investigation, and prosecution. The LED requires necessity and proportionality for each processing purpose and mandates logging of automated decision-making affecting individuals.

India: DPDP Act 2023 and Biometric Data

The Digital Personal Data Protection Act 2023 (DPDP Act), enacted on 11 August 2023, is India's first comprehensive data-protection statute. It applies to the processing of digital personal data of individuals in India, regardless of whether the processing occurs in India or abroad, and to the processing of personal data of individuals in India by data fiduciaries (controllers) established outside India where the processing relates to the offering of goods or services to individuals in India. The Act does not use the term "special category" as GDPR does, but it creates elevated obligations through two mechanisms: Section 6 requires that consent be free, specific, informed, unconditional, and unambiguous, with a right to withdraw at any time; and the penalty schedule in Section 33 imposes the highest financial penalties (up to INR 250 crore per instance, approximately USD 30 million) for breaches involving sensitive personal data, which the Government of India may designate by notification, and which is widely expected to include biometric data.

Section 7 lists purposes for which processing may occur without consent (called "legitimate uses"), analogous to GDPR's Article 6(1)(c)-(f) lawful bases. These include performance of a State function, compliance with a court order, medical emergency, and employment-related processing. The State carve-out in Section 7(b) is significant for forensic and law-enforcement biometric processing: processing for performance of any function of the State or under any law, or in the interests of sovereignty, integrity, or security of India, does not require consent. This is the provision under which biometric databases maintained by law-enforcement agencies, forensic science laboratories under the CFSL network, and state police fingerprint bureaus would operate.

The Aadhaar Act 2016 and the Puttaswamy judgments (as amended in 2019) create a parallel regime for the world's largest biometric identification system. Aadhaar enrols fingerprints and iris scans of approximately 1.4 billion residents of India. Section 29 of the Aadhaar Act prohibits sharing of identity information (including biometric data) for any purpose other than purposes specified in the Act, and Section 37 criminalises unauthorised use of Aadhaar authentication infrastructure. The DPDP Act's Section 17(2)(a) exempts processing covered by the Aadhaar Act from the general DPDP consent and data-principal-rights regime, meaning Aadhaar biometric data is governed exclusively by the Aadhaar Act and UIDAI (Unique Identification Authority of India) regulations, not by the DPDP Act's general framework.

DimensionEU GDPR Art 9India DPDP Act 2023Aadhaar Act 2016
Default rule for biometric dataProhibited unless exception appliesConsent required; elevated penalties for breachMandatory enrolment for specified welfare/service delivery
Law-enforcement carve-outArt 9(2)(g): substantial public interest, member state lawS.7(b): State function or lawS.29: UIDAI-regulated authentication only
Data subject rightsAccess, rectification, erasure, portability (Arts 15-20)Access, correction, erasure, grievance redress (Ss. 11-14)Limited; no right to opt out of enrolment for mandatory services
Cross-border transferAdequacy decision or safeguards (Ch. V)Government may notify approved countries / standard contractsBiometric data cannot leave India (UIDAI architecture)
Enforcement bodyNational DPAs + EDPBData Protection Board of India (not yet constituted as of mid-2026)UIDAI + Adjudicating Officer

US State Biometric Statutes: Illinois BIPA, Texas CUBI, and Washington BPA

The United States has no omnibus federal data-protection statute and no federal biometric-specific statute as of mid-2026. The proposed No Biometric Barriers Act, introduced in Congress in 2023, would have created a federal private right of action for biometric privacy violations, but it did not advance to a floor vote. In the gap, a patchwork of state statutes has emerged, of which three stand out for their enforcement record and practical impact.

Illinois BIPA (2008) is the first US biometric privacy statute and the only one with a per-violation private right of action. BIPA requires any private entity that collects a "biometric identifier" (fingerprints, retina or iris scans, voiceprints, face geometry, hand scans) to:

  1. Publish a publicly available written policy establishing a retention schedule and destruction guidelines.
  2. Provide written notice to the subject before collection stating the purpose and duration.
  3. Obtain a written release from the subject before collection.

BIPA provides statutory damages of USD 1,000 per negligent violation and USD 5,000 per intentional or reckless violation, plus attorneys' fees, without requiring proof of actual harm. The Illinois Supreme Court in Cothron v. White Castle System (2023) held that each scan or transmission constitutes a separate BIPA violation, dramatically expanding potential damages. By mid-2026, major BIPA settlements include:

  • Facebook/Meta: USD 650 million (2021)
  • TikTok: USD 92 million (2022)
  • BNSF Railway: USD 75 million (2024)

Texas CUBI (2009) covers similar conduct but is enforced exclusively by the Texas Attorney General, with civil penalties up to USD 25,000 per violation. CUBI lay largely dormant until 2022, when the Texas AG filed suit against Meta for face-recognition photo-tagging, settling for USD 1.4 billion in 2024, the largest AG settlement in US privacy law history.

Washington's Biometric Privacy Act (2017) also lacks a private right of action and is enforced by the Attorney General. Its "commercial purpose" element arguably excludes most law-enforcement uses.

At the federal level, the FBI's Next Generation Identification (NGI) system, which holds fingerprint, palm print, and face records for more than 150 million individuals, operates under Privacy Act system of records notice FBI-001, updated in 2015 to cover face recognition. The Fourth Amendment's third-party doctrine, as refined by Carpenter v. United States (2018) (requiring a warrant for extended cell-site location data), has not yet been extended by the Supreme Court to cover biometric database searches.

Cross-Border Interplay for Multinational Casework and Systems

Multinational forensic casework, international police cooperation, and global technology deployments have made cross-border biometric data flows routine. Interpol's Automated Fingerprint Identification System (AFIS), accessible to member countries via the Interpol I-24/7 secure network, processes fingerprint queries submitted by national agencies against a global database. When an Indian forensic science laboratory submits a latent print query to Interpol's AFIS, the data leaves India (triggering DPDP Act cross-border transfer obligations), is processed in France (triggering EU GDPR obligations as an Interpol database governed by Interpol's own privacy rules and the agreements it has with member countries), and may return a match against a record contributed by a US agency (which is not itself subject to GDPR but may have contributed the record under bilateral Mutual Legal Assistance Treaty terms).

Under GDPR Chapter V, transfers of personal data to third countries require either an adequacy decision (the European Commission has currently granted adequacy to 16 countries and territories; India does not have one as of mid-2026), appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules, or reliance on one of the Article 49 derogations, of which Article 49(1)(d) (transfer necessary for the establishment, exercise, or defence of legal claims) and Article 49(1)(e) (transfer necessary to protect vital interests where consent cannot be obtained) are most relevant to forensic contexts.

The DPDP Act's cross-border transfer framework (Section 16) allows the Central Government to notify countries to which personal data may be transferred. Pending that notification, the Act's transitional provisions and the existing information-technology rules govern. The Aadhaar Act prohibits biometric data from leaving India regardless of framework, so UIDAI biometric templates are ring-fenced outside any international data-sharing regime.

For technology vendors, the cross-border picture is further complicated by the EU AI Act's extraterritorial reach: AI systems placed on the EU market or put into service in the EU are subject to the Act, even if the developer is based in India or the US. A fingerprint AFIS vendor based in Hyderabad selling a system to a German state police laboratory must comply with the AI Act's high-risk conformity-assessment requirements before the system can be deployed.

  1. Identify the data's jurisdictional origin
    Determine under which legal framework the biometric data was originally collected: GDPR (EU), DPDP (India), Aadhaar Act (India, for UIDAI data), BIPA or state equivalent (US), or a bilateral treaty framework (Interpol, MLAT). The origin law's obligations travel with the data.
  2. Map the transfer chain
    Document every country the data passes through and every system that processes it. GDPR's accountability principle (Art 5(2)) requires the controller to demonstrate compliance at each transfer point. DPDP will require similar records once the Rules are notified.
  3. Check for an adequacy decision or safeguard
    For GDPR transfers, verify whether the destination country has an adequacy decision. If not, implement SCCs or rely on an Article 49 derogation with documented necessity and proportionality analysis.
  4. Apply the most restrictive requirement
    Where multiple frameworks apply, comply with the most demanding obligation. If BIPA applies (Illinois-connected biometric data), the consent + notice + written-release requirement from BIPA must be met in addition to GDPR's Article 9 exception requirement.
  5. Document and retain records
    Maintain a processing register per GDPR Art 30, a log per LED Art 25, and records per DPDP Act S.15. Cross-border forensic data flows should be covered by a Data Protection Impact Assessment (DPIA) under GDPR Art 35 and a similar risk assessment under DPDP Act once the Rules specify the requirement.
DimensionEU GDPR Art 9Illinois BIPAIndia DPDP Act 2023Default ruleProhibited unlessexception applies (Art9)Allowed; notice +written release requiredfirstConsent required; elevatedpenalties for breachConsent standardExplicit; freely given,specific, informed(Recital 51)Written release persubject before firstscanFree, specific, informed,unconditional; withdrawableanytimeLaw-enforcementcarve-outArt 9(2)(g): substantialpublic interest viamember-state lawNone explicit;Washington BPA excludeslaw-enforcement useS.7(b): State function ornational security; noconsent neededPrivate right ofactionNo; enforcement bynational DPAs and EDPBYes; USD 1,000 to 5,000per scan, no harmrequiredNo; Data Protection Board(not yet constitutedmid-2026)Cross-border transferAdequacy decision orSCCs or Art 49derogationNo federal restriction;state law variesGovernment-notifiedcountries; Aadhaar datacannot leave India
Five compliance dimensions compared across GDPR Art 9, Illinois BIPA, and India DPDP Act 2023: default rule, consent standard, law-enforcement carve-out, private right of action, and cross-border transfer mechanism.

Practical Obligations for Forensic Practitioners and System Operators

Forensic laboratories, law-enforcement agencies, and biometric system vendors face a cluster of obligations that are common across GDPR, DPDP, and BIPA, despite the different drafting styles. Understanding the operational translation of each obligation is the practitioner's first task.

Retention schedules are mandatory under all three frameworks, but the standards differ. GDPR storage limitation (Article 5(1)(e)) requires personal data to be kept "no longer than necessary for the purposes for which the personal data are processed." For criminal-justice biometric data, national law typically specifies the retention period tied to conviction status, offence type, and time elapsed since offence. The UK Protection of Freedoms Act 2012 provides a detailed fingerprint and DNA retention schedule for England and Wales: profiles of unconvicted adults are deleted (with exceptions), and profiles of convicted individuals are retained for the duration of the sentence plus a post-release period. In India, there is no equivalent statutory retention schedule for police fingerprint records; Bureau of Police Research and Development (BPR&D) guidance exists but is non-binding. DPDP Act Section 8(7) requires data fiduciaries to erase personal data as soon as the specified purpose is served or consent is withdrawn, whichever is earlier, which creates an obligation for forensic agencies to build purpose-tracking into their database management systems.

Security requirements are framed differently across frameworks but converge on similar technical controls. GDPR Article 32 requires "appropriate technical and organisational measures" considering the state of the art, implementation costs, and likelihood of harm. For biometric data, this typically means encryption at rest and in transit, pseudonymisation of templates where possible, role-based access controls, and tamper-evident audit logging. The EU AI Act adds a specific requirement for high-risk biometric systems to record technical documentation sufficient to allow regulatory authorities to assess compliance. BIPA does not specify security controls, but tort claims of negligent security have been brought alongside BIPA claims; Illinois courts have applied a "reasonable care" standard.

Purpose limitation, the requirement that data collected for one purpose not be used for a different purpose, is where forensic biometric systems face the greatest legal risk. A fingerprint database established for criminal identification cannot, under GDPR, be repurposed for employment screening without a fresh legal basis and, in most member states, fresh legislation. In the US, the absence of a federal statute means purpose-limitation obligations vary by context: the Privacy Act 1974 (for federal systems) requires a compatible routine use notice before data can be shared for new purposes; BIPA requires a new written release for each distinct purpose. Several BIPA class actions have specifically targeted employers who collected fingerprints for time-and-attendance and then shared them with third-party payroll processors without separate authorisation.

Key terms
Special-category data (GDPR)
Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, sex-life data, and sexual-orientation data, all subject to Article 9's default prohibition.
Biometric identifier (BIPA)
Under Illinois BIPA: a retina or iris scan, fingerprint, voiceprint, or scan of a person's hand or face geometry; distinct from 'biometric information' which is information derived from a biometric identifier.
Data Protection Impact Assessment (DPIA)
A risk assessment required by GDPR Article 35 before processing likely to result in high risk. Systematic biometric identification always triggers DPIA requirements under EDPB guidelines.
Explicit consent (GDPR)
A higher consent standard required for special-category data processing under Article 9(2)(a): must be freely given, specific, informed, and involve an explicit affirmative act. Blanket consent in employment contracts is insufficient.
Data fiduciary (DPDP Act)
Any person who alone or in conjunction with others determines the purpose and means of processing personal data; the DPDP Act equivalent of the GDPR 'controller'.
Aadhaar exclusion (DPDP Act s.17(2))
Provision that exempts processing covered by the Aadhaar Act 2016 from the general DPDP Act regime, meaning UIDAI biometric data is governed exclusively by the Aadhaar Act.
Real-time remote biometric identification (RTBI)
As defined in the EU AI Act: automated identification of natural persons at a distance by comparing their biometric data to those in a reference database, in a publicly accessible space, and without their active involvement.
Per-violation damages (BIPA)
BIPA's statutory damages structure: USD 1,000 per negligent violation or USD 5,000 per intentional/reckless violation; confirmed by Cothron v. White Castle (2023) to accrue on each scan or transmission, not per person per engagement.
Standard Contractual Clauses (SCCs)
Pre-approved contract terms issued by the European Commission that create GDPR-compliant safeguards for cross-border data transfers to countries without an adequacy decision. Widely used for forensic data-sharing arrangements.
Adequate country (GDPR Ch. V)
A country that the European Commission has determined provides a level of data protection essentially equivalent to the EU's. As of mid-2026, the list does not include the United States (at a general level) or India.
Practice
Question 1 of 5· 0 answered

Under GDPR Article 9, what is the default legal position on processing biometric data for the purpose of uniquely identifying a natural person?

Does GDPR's biometric prohibition apply to police fingerprint databases used for criminal identification?
Yes, fingerprints processed for the purpose of uniquely identifying an individual fall within GDPR Article 9's definition of biometric data. However, criminal-justice processing by competent authorities is primarily governed by the Law Enforcement Directive (LED, Directive 2016/680) rather than the GDPR itself. The LED's Article 10 imposes specific conditions on processing special categories including biometrics: it must be strictly necessary, subject to appropriate safeguards, and authorised by Union or Member State law. National police fingerprint databases in EU member states operate under national police laws that incorporate these requirements.
Can an EU forensic laboratory share biometric data with an Indian counterpart for cross-border casework?
India does not currently have an EU adequacy decision, so transfers require either Standard Contractual Clauses (SCCs), Binding Corporate Rules, or reliance on a GDPR Article 49 derogation. For forensic criminal-justice transfers, Article 49(1)(d) (establishment, exercise, or defence of legal claims) or the LED's Article 36 (transfers to third-country competent authorities) is typically relied upon, coupled with a bilateral agreement or Mutual Legal Assistance Treaty (MLAT) that specifies the data-protection obligations of the receiving agency.
Which is more legally demanding for employee fingerprint collection: Illinois BIPA or Texas CUBI?
Illinois BIPA is more demanding in practically every dimension. It requires a published written retention policy, individual written notice before collection, and a written release (consent) from each employee before the first scan. It provides per-scan statutory damages without proof of harm and supports class-action claims. Texas CUBI requires informed consent before collection but lacks a private right of action and carries lower maximum penalties. A company operating in both states should implement BIPA-compliant procedures as the baseline, which will exceed CUBI's requirements.

Test yourself on Fingerprint Sciences with free, timed mocks.

Practice Fingerprint Sciences questions

Found this useful? Pass it along.

Share

Spotted an error in this page? Report a correction or read our editorial standards.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.