Biometric technologies are increasingly deployed across EU borders to facilitate the identification and verification of individuals based on their unique behavioural or physical characteristics. The most widely used biometric technologies are fingerprint and facial recognition, but they also include more invasive technologies such as DNA biometrics. Under EU law, the use of biometric technologies in almost all cases constitutes the processing of biometric data. The GDPR defines biometric data as a category of special, particularly sensitive personal data, the processing of which is prohibited, except in strictly defined circumstances. Biometric technologies may play a decisive role in processing asylum claims or determining whether a migrant should be admitted into a country. Consequently, their use often falls within the scope of the GDPR’s rules on automated decision-making (ADM) and triggers their application, as Francesca Palmiotto’s work has clarified.

Biometric technologies are employed in key databases such as Eurodac (used for asylum applicants), the Schengen Information System (SIS), and the Visa Information System (VIS). Recent legislative reforms are expanding their use further, particularly in the forthcoming Entry/Exit System (EES) and revised Eurodac Regulation (EU) 2024/1358.  Frontex, the European Border and Coast Guard Agency, not only supports border control operations but also promotes technological research. Its 2023 report, Technology Foresight on Biometrics for the Future of Travel, evaluates twenty new biometric technologies, including DNA profiling, vein recognition, and speaker recognition, and concludes that they could all be used at the EU’s borders in accordance with EU law.

Legal standards and fundamental rights constraints

The deployment of biometric technologies in EU border governance needs to comply with EU data protection rules, as set out in the General Data Protection Regulation (GDPR), the Law Enforcement Directive (LED) and the European Data Protection Regulation (EDPR). In addition, any use of biometric technologies based on EU law or national implementing acts must comply with the EU Charter of Fundamental Rights (EUCFR) and the general principles of EU law. As confirmed by the Court of Justice of the European Union (CJEU), any processing of biometric data constitutes a limitation on the rights to privacy and data protection and must be justified through a strict proportionality assessment (C-291/12 Schwarz; C-61/22 RL v Wiesbaden).

Frontex is considering the use of novel biometric technologies for border security in the EU. Its report Technology Foresight on Biometrics for the Future of Travel explores twenty additional biometric technologies, including DNA biometrics, infrared recognition as well as 2D and 3D face recognition, three types of iris recognition, and eye vein and hand vein recognition, alongside eleven other biometric technologies that could potentially be used in EU external border management. In the report, Frontex concludes that all twenty technologies could be deployed at the EU’s borders in compliance with EU law. This conclusion is contestable, at least with respect to certain technologies, such as DNA profiling, which appears to fail the proportionality requirement in light of the fundamental rights to privacy and data protection. In particular, the use of DNA profiling has not been shown to be necessary for identification purposes at EU borders, given the sensitive nature of genetic data and its limited relevance to routine identification. Processing of biometric data must be necessary, suitable and strictly proportionate in relation to the requirements stipulated in Article 52(1) EUCFR and also taking into account similar requirements which exceptionally allow processing of biometric data by public authorities, as contained in Article 9(2)(g). The CJEU has stated that any processing of biometric data is a limitation of privacy and data protection that must be justified (C-291/12 Schwarz; C-61/22 RL v Wiesbaden, see also other biometric case law of the CJEU analysed in my PhD thesis on “Biometric Law in Migration and Asylum in the EU”).

Interoperability, emerging risks and policy implications

Furthermore, the use of any novel technology, especially biometrics, requires careful scrutiny, including a Data Protection Impact Assessment, as defined under the GDPR. Although Frontex acknowledges the potential negative impact of these technologies on fundamental rights, it downplays these concerns. Moreover, the AI Act (Regulation 2024/1689) classifies many biometric systems as high-risk applications. Some biometric technologies, such as emotion recognition systems or AI systems that scrape the internet to create facial recognition databases, are outright prohibited. Biometric real-time remote identification, though listed among the prohibited AI practices, is allowed under the conditions set out in the AI Act (see EU AI Act, Article 5: Prohibited AI practices). Furthermore, the AI Act carves important exceptions for Eurodac and other migration-related information systems (see EU’s AI Act and Migration Control. Shortcomings in Safeguarding Fundamental Rights by E Brouwer. It requires a Fundamental Rights Impact Assessment (FRIA) for such systems, particularly when used in the context of migration control (see Algorithmic Risk in EU Migration and Asylum Governance by Mirko Đuković). Yet Frontex’s policy document fails to reflect on these legal obligations.

The interoperability of EU databases further compounds the risks. When systems designed to assist in managing European requests for international protection (Eurodac) are interconnected with those designed to maintain security (e.g. SIS), the lines between protection and surveillance become blurred, which could have a detrimental effect on migrants’ rights.

Based on these legal and practical risks, the EU should refrain from expanding EU biometric databases and introducing new biometric technologies, particularly given that interoperability among large-scale EU IT systems is still not fully operational (as for example ETIAS is not operational), and the effectiveness of facial recognition technologies in Eurodac, the Entry/Exit System (EES), and in public space surveillance is still highly contested. It should also suspend the deployment of high-risk biometrics for EU border management purposes. Frontex and EU Member States should not introduce novel biometric technologies, such as DNA biometrics, for border control purposes, unless it is proven, through strict scrutiny, that their use does not violate human dignity, the principle of non-refoulement, as well as other human rights including the right to non-discrimination, and that such use  justified and proportionate in light of the rights to privacy and data protection. We all know that biometric systems used by public authorities must be subject to transparent Fundamental Rights Impact Assessments and Data Protection Impact Assessments before deployment. However, there is much work to be done to ensure these are effective. Policymakers should also ensure public access to information on biometric technologies under consideration, including their legal justifications and potential rights impacts.

Conclusion

Biometric data qualifies as particularly sensitive personal data under the GDPR, and its processing must meet strict legal requirements. Frontex’s exploration of novel biometric technologies, including DNA profiling and vein recognition, raises concerns in the absence of demonstrated necessity or proportionality. As shown in my PhD thesis, such developments require prior Fundamental Rights and Data Protection Impact Assessments. Overall, the legal and technical prerequisites for expanding the use of these technologies, particularly in light of interoperability challenges and fundamental rights protections, are not yet sufficiently established.