How does DHS’s 75‑year retention policy for noncitizen biometrics compare to retention policies in other countries?
Executive summary
The Department of Homeland Security’s policy to retain biometric photos of noncitizens for up to 75 years places the United States on the extreme end of retention durations compared with international data‑protection norms that require keeping biometrics only as long as necessary; DHS defends the period for immigration enforcement and law‑enforcement uses while privacy advocates warn of scope creep and long‑term surveillance risk [1] [2] [3]. European and many other national frameworks instead demand purpose‑limitation and demonstrable, proportionate retention schedules—often far shorter in practice—though available public reporting does not list a comprehensive laundry‑list of every country’s exact statutory retention term [4] [5] [6].
1. DHS’s 75‑year rule: what it says and why proponents justify it
The DHS final rule formalizes enrolling noncitizen facial photos into the DHS Biometric Identity Management System with retention of images “for up to 75 years,” arguing the horizon supports identity confirmation, detection of overstays, visa fraud prevention, and counterterrorism or removal‑case tracking across long timeframes—an explicit national‑security and immigration‑control rationale presented in DHS and CBP materials [1] [3] [2].
2. How that duration stacks up against core international data‑protection principles
By contrast, Europe’s GDPR and like frameworks treat biometric data as a special category and require that personal information be retained only as long as necessary for the identified purpose and be justified and documented in retention schedules—language that implies far shorter, purpose‑tied retention than a flat 75‑year ceiling [4] [5] [6]. Multiple international commentators and compliance resources summarize the prevailing expectation: retention must be proportionate, transparent and limited [4] [7].
3. National examples and private‑sector norms: shorter, conditional retention
Private‑sector statutes and guidance—such as Illinois’s BIPA’s obligations and industry retention recommendations—usually require entities to adopt retention schedules, often suggesting deletion when the purpose is fulfilled or within a few years of last interaction; Canadian authorities have been actively consulting on biometric guidance, signaling moves toward similar limitations rather than multi‑decade holds [7] [4]. Public reporting assembled here does not, however, produce a catalogue of exact retention statutes for every country; the available sources emphasize legal principle over identical numeric ceilings [4] [8].
4. The political and institutional agendas visible in the debate
DHS and CBP foreground border security and operational continuity—arguing long retention is necessary for follow‑up investigations and to track re‑entry—while civil‑liberties groups focus on the risks of surveillance, data breaches, indefinite profiling and secondary uses; industry and privacy‑compliance vendors stress technical safeguards but also push decentralized alternatives that would limit central retention [1] [2] [9] [10]. These competing agendas shape how retention is framed: security advocates emphasize utility; privacy advocates emphasize proportionality and legal oversight [2] [9].
5. Practical implications and governance: safeguards, audits and unknowns
The Federal Register and CBP Business Requirements say partners must purge forwarded images and allow CBP audits, and DHS points to Privacy Impact Assessments and documentation as safeguards, but critics note that long retention magnifies risks from breaches, mission drift, and future policy changes—while the public record here lacks independent audits demonstrating how often or under what conditions 75‑year records have been accessed, shared, or used by other agencies [3] [1] [2]. Reporting available to this analysis documents DHS’s stated controls but does not provide comprehensive evidence of real‑world outcomes.
6. Bottom line: the U.S. stands apart in practice, though legal philosophies clash
Measured purely by numeric horizon and current U.S. federal practice, the DHS 75‑year retention is an outlier relative to the prevailing international data‑protection posture that demands necessity, proportionality and documented, often shorter, retention schedules; yet comparison is complicated because many countries focus on principle and case‑by‑case limits rather than a single long fixed term, and the sources consulted do not enumerate every foreign statute’s exact retention numbers [1] [4] [5]. The tension between border‑security imperatives and privacy‑law principles will continue to drive litigation, oversight requests, and technical debates over decentralized versus centralized biometric architectures [2] [10].