Chapter 21: Facial Recognition at Borders — The Legal Framework for Biometric Identity Verification

The previous chapter examined how text analytics can shape an asylum file before the adjudicator reaches the merits. Facial recognition raises a structurally similar problem in a different form: instead of screening a narrative, it screens the body. At the border, identity is law. If the system confirms a match, the person moves. If it does not, the person may be diverted, subjected to secondary inspection, or drawn into an enforcement process with consequences that extend well beyond the border crossing itself. A false match is not a harmless technical error in that environment. It is a legal event.

For lawyers, the analytical task is the same as in the previous chapters: identify the system, identify the applicable legal framework, identify the rights it implicates, and identify the litigation tools available. Facial recognition at borders is now operational infrastructure in both the United States and the European Union. The legal frameworks governing it are asymmetric — and understanding that asymmetry is essential for practitioners working in immigration, border law, or digital rights.

I. The United States: biometric entry-exit as formalized legal requirement

Collection of Biometric Data From Aliens Upon Entry to and Departure From the United States, 90 Fed. Reg. 48604 (Oct. 27, 2025), effective Dec. 26, 2025 Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 108-458

Facial recognition at U.S. borders is no longer an experimental program. On October 27, 2025, DHS published a Final Rule in the Federal Register — 90 Fed. Reg. 48604, CBP Dec. 25-06 — establishing mandatory biometric collection from all noncitizens upon entry and exit at airports, land ports of entry, seaports, and other authorized points of departure, effective December 26, 2025.

The rule implements a Congressional mandate that has existed since the Intelligence Reform and Terrorism Prevention Act of 2004 and advances CBP’s Traveler Verification Service — the Traveler Verification Service (TVS) — a cloud-based facial biometrics matching service that compares a live facial image against a gallery of photographs associated with the traveler’s expected travel documents and government holdings. The match threshold and operational parameters of TVS are documented across more than ten Privacy Impact Assessments that DHS has published on various components of the Biometric Entry-Exit program.

Several aspects of the Final Rule are legally significant beyond the basic collection authority. First, the rule removes prior exemptions that had applied to diplomats and most Canadian visitors, making the biometric requirement universal for noncitizens. Second, it eliminates the cap on the number of locations where CBP may conduct biometric processing, enabling nationwide expansion across all transportation modalities. Third — and most significant for litigation purposes — photographs of noncitizens who complete the entry or exit process are enrolled in the DHS Biometric Identity Management System and retained for up to 75 years as a biometric confirmation of entry or departure. Photographs of travelers who cannot be matched or who trigger secondary review may be retained for enforcement or intelligence purposes within the same retention framework. U.S. citizens retain the right to opt out and undergo manual document inspection; noncitizens do not.

That 75-year retention period transforms a border screening event into a long-term biometric record. The legal consequences of an erroneous match are therefore not limited to the border crossing itself. They extend to every subsequent interaction with CBP’s biometric systems, every watchlist check that draws on the stored record, and every enforcement action that is informed by the accumulated biometric history.

II. The legal framework for challenging US border facial recognition

U.S. Constitution, Amendment IV — Carpenter v. United States, 585 U.S. 296 (2018) Privacy Act of 1974, 5 U.S.C. § 552a Administrative Procedure Act, 5 U.S.C. § 706

The constitutional baseline for Fourth Amendment analysis of biometric border processing begins with the border search doctrine, which permits warrantless searches and seizures at the international border as a historical exception to ordinary Fourth Amendment requirements. Courts have consistently applied significant deference to border screening measures under that doctrine. The starting point for any constitutional challenge to facial recognition at the border must therefore acknowledge that the border search exception is real and that facial comparison as a form of identity verification is likely to survive ordinary Fourth Amendment scrutiny when applied to document verification at entry.

The harder legal questions arise from the operational architecture surrounding the scan — not the scan itself. Carpenter v. United States, 585 U.S. 296 (2018), established that the government’s warrantless collection of comprehensive, long-term location data constitutes a Fourth Amendment search because it enables retrospective reconstruction of a person’s movements and associations in ways that implicate reasonable privacy expectations. The 75-year retention of biometric data in the DHS Biometric Identity Management System, combined with that system’s integration with watchlisting, enforcement, and identity resolution infrastructure, creates a persistent biometric record whose cumulative function — tracking, recognizing, and categorizing an individual across repeated border encounters over decades — may fall closer to the surveillance pattern that Carpenter identified as constitutionally significant than to the routine document check the border search exception was designed to accommodate.

The APA provides a more immediately accessible legal pathway for challenging specific operational decisions. Under 5 U.S.C. § 706, reviewing courts must set aside agency action that is arbitrary, capricious, or contrary to constitutional right. A border processing outcome that was materially influenced by an erroneous facial match — leading to secondary detention, denial of boarding, or an adverse entry in the biometric record — may be challenged as arbitrary where the agency cannot demonstrate that the match was reliable, that human review was meaningful, or that the factual basis for the adverse outcome was adequately verified.

The Privacy Act provides a further instrument for records correction. DHS has published Privacy Impact Assessments covering each component of the Traveler Verification Service system architecture. The relevant systems of records include DHS/CBP-016 (Advance Passenger Information System), DHS/CBP-021 (Arrival and Departure Information System), and the overarching DHS Biometric Identity Management System. For qualifying individuals — U.S. citizens and lawful permanent residents — the Privacy Act provides a right to access records in those systems and to request amendment of inaccurate data. The law enforcement exemptions applicable to enforcement-related records remain relevant constraints, but requests targeting specific, demonstrable factual errors in biometric records are the most likely to survive exemption objections.

III. Accuracy, demographic differentials, and the legal relevance of NIST data

NIST Face Recognition Vendor Test — Demographic Effects (NISTIR 8280, 2019)

A facial recognition system that is accurate in aggregate can still be unfair in operation if its errors are unevenly distributed across demographic groups. That distinction is not merely a technical observation. It is a legal argument.

NIST’s Face Recognition Vendor Test — Demographic Effects report, published as NISTIR 8280 in 2019 and updated through ongoing FRVT evaluation work, documented significant variation in facial recognition algorithm performance across demographic characteristics including age, sex, and skin tone. The patterns are not uniform across algorithms or operational settings, but the NIST data establishes that demographic performance variation is a documented, measurable property of facial recognition systems that must be accounted for in any adequate validation and governance framework.

For border operations, that documentation is legally relevant in at least two ways. First, it establishes the factual foundation for a disparate-impact argument under Title VI of the Civil Rights Act, 42 U.S.C. § 2000d, in programs that receive federal financial assistance — including airline partners operating under CBP biometric exit programs. If a facial recognition algorithm used in a federally funded program produces significantly higher false-positive rates for travelers of particular national origins or skin tones, the disparate-impact framework may apply even absent discriminatory intent. Second, NIST data provides the technical foundation for expert witness testimony challenging the reliability of a specific match in individual litigation — moving the argument from “facial recognition might be biased” to “this algorithm, according to NIST FRVT data, has a documented false-positive rate of X for individuals with characteristics matching my client.”

The CBP Final Rule cites NIST’s >98% match accuracy figure from the FRVT program. That aggregate figure does not resolve the demographic differential question, and lawyers should be prepared to address both dimensions.

IV. The EU framework: biometric data as a specially protected category

GDPR, Regulation (EU) 2016/679, Article 9 EU AI Act, Regulation (EU) 2024/1689, Article 5 EU Charter of Fundamental Rights — OJ C 326, 26.10.2012, Article 8

The European legal baseline for biometric processing at borders begins from a fundamentally different position than the US border search doctrine.

Article 9 of the GDPR classifies biometric data processed for the purpose of uniquely identifying a natural person as a special category of personal data, for which processing is prohibited in principle unless one of the enumerated exceptions in Article 9(2) applies. At the border, the applicable exceptions typically include processing necessary for reasons of substantial public interest under Union or Member State law, subject to proportionality and fundamental rights safeguards, and processing necessary for the performance of tasks carried out by competent authorities in the field of border management where national law provides for appropriate safeguards. The legal basis must be specific, accessible, and proportionate — general invocations of security do not satisfy Article 9(2)’s requirements.

The AI Act adds a layer of prohibition specific to the most intrusive uses of biometric technology. Article 5(1)(d) prohibits the use of real-time remote biometric identification systems in publicly accessible spaces for law-enforcement purposes, except under narrow conditions requiring prior judicial or independent administrative authorization, a necessity finding, and the existence of a legal basis in Union or national law. That prohibition directly affects law-enforcement uses of facial recognition in border-adjacent public spaces — transit areas, ports, and border crossing zones. The exceptions are narrow and procedurally demanding: they require individualized authorization, not blanket operational deployment.

Article 6 of the EU Charter of Fundamental Rights protects the right to liberty and security. Article 8 protects personal data as a fundamental right. Both Articles must be considered alongside the GDPR and AI Act frameworks when biometric processing at borders produces adverse consequences — secondary detention, denial of entry, or the generation of enforcement-linked records — affecting individuals’ liberty and legal status.

V. iBorderCtrl — what the legal analysis actually requires

CORDIS Project ID 700626, Horizon 2020 Research Programme, concluded 2023

iBorderCtrl is frequently cited in AI governance discussions as an example of EU border AI overreach. The legal analysis requires precision about what the project actually was.

iBorderCtrl was a research project funded under the Horizon 2020 program — CORDIS Project ID 700626 — with a €4.5 million grant. Its research design combined biometric verification, document authentication, risk assessment, and an Automated Deception Detection System (ADDS) that used an avatar-based interview to analyze travelers’ micro-expressions as indicators of deception. The system was piloted at land border crossing points in Hungary, Latvia, and Greece. Following the conclusion of the research pilots, the iBorderCtrl consortium itself acknowledged that some technologies — specifically the deception-detection component — are not covered by the existing legal framework, meaning they could not be deployed operationally without a democratic political decision establishing the applicable legal basis.

The project did not go into routine operational deployment. That is the correct factual baseline.

Its legal significance is nonetheless real and specific. The ADDS component of iBorderCtrl — automated behavioral inference at the border based on facial micro-expression analysis — illustrates precisely the category of system that the EU AI Act’s prohibited practices framework is designed to address. Article 5(1)(f) of the AI Act prohibits AI systems that use real-time remote biometric categorization in publicly accessible spaces for law enforcement purposes in ways that infer sensitive characteristics. The scientific validity of micro-expression deception detection is not established — the iBorderCtrl project’s own FAQ acknowledged false positive risks and the absence of a validated scientific basis for the inference — and the AI Act’s prohibitions are calibrated in part to prevent systems whose inferences lack scientific grounding from generating legal consequences for individuals who have no meaningful way to challenge them.

iBorderCtrl is therefore not primarily a story about a system that failed. It is a case study in the legal question the AI Act forces before deployment: what is the legal basis, what is the scientific validation, and what happens to the people who receive false positives?

VI. Rectification: the record behind the camera

GDPR, Regulation (EU) 2016/679, Article 16 Privacy Act of 1974, 5 U.S.C. § 552a

When lawyers encounter facial recognition issues at the border, the focus often falls on the scan itself. The more durable legal problem is typically the record architecture that the scan interacts with and populates.

A facial comparison event at a US border crossing may interact with the Traveler Verification Service matching gallery, the Advance Passenger Information System, the Arrival and Departure Information System, the DHS Biometric Identity Management System, and — where a mismatch or enforcement flag is generated — watchlisting and targeting systems whose records persist and propagate. A false match does not only cause a problem at the moment it occurs. It can generate an adverse entry that follows the individual across subsequent border encounters, secondary screening episodes, and enforcement interactions.

In the EU, Article 16 of the GDPR provides a right to rectification of inaccurate personal data without undue delay. Where a biometric mismatch has produced or reinforced an incorrect identity record, that right is directly applicable — and the fact that biometric data falls within Article 9’s special categories raises the standard of care that the controller must apply in responding to a rectification request. A supervisory authority complaint under Article 77 GDPR is available where the controller fails to act.

In the United States, the path is more architecturally complex. The appropriate strategy is to identify the specific system of records that received the erroneous data — using the DHS SORN index and CBP’s published PIAs to map the relevant systems — and then pursue a targeted Privacy Act amendment request focused on demonstrable factual errors. Where the client qualifies under 5 U.S.C. § 552a(a)(2), the amendment right is directly available subject to applicable law enforcement exemptions. Where statutory Privacy Act rights are unavailable, FOIA requests targeting the specific record entries, combined with administrative appeal and constitutional due process arguments, provide alternative pathways.

The practical litigation question is always the same: did the erroneous biometric record produce a downstream adverse consequence — a denial of entry, secondary detention, a watchlist entry, a recurring pattern of heightened scrutiny — that is traceable to a specific inaccuracy that can be documented and corrected? If so, the legal framework exists on both sides of the Atlantic to pursue that correction. The challenge is the architecture, not the principle.

Next: Chapter 22 — Rectification rights in immigration: a full chapter.