Abstract
Excerpted From: Christopher Muhawe, The (In)visible Immigrant's Privacy, 9 Georgetown Law Technology Review 290 (2025) (398 Footnotes)
Exhaustion gnawed at Dr. James Muntu as he stood at the gates of a United States immigration processing center on the U.S.-Mexico border in Texas. He had narrowly escaped Eritrea's authoritarian regime, where his commitment to human rights activism led to his arrest and five months of incommunicado detention by the military. During his captivity, he was subjected to persecution and torture that left him on the verge of death. After a daring escape from detention in April 2023, he fled Eritrea, seeking asylum in the United States.
Dr. Muntu and other asylum seekers at the U.S.-Mexico border were required to download the AI-powered CBP One app onto their phones to schedule immigration appointments. The U.S. Customs and Border Protection (CBP) had mandated the now-discontinued app as the sole mode of scheduling an appointment with an immigration officer at the Southern border for an asylum application. After eight months of waiting for his appointment, he finally stood in a sterile room at the Ciudad Juárez/El Paso port of entry in front of a CBP officer whose face was hidden behind a computer screen. A barrage of questions rained down on him. Fingerprints, iris scans, and DNA samples--each piece of sensitive personal data meticulously collected and stored without explanation. Throughout the interrogation and data collection process, Dr. Muntu felt as though he was reliving his previous torture ordeal, albeit in a non-physical manner and in a distant land. “This is not about understanding my plight,” Dr. Muntu thought. “It is about building a digital dossier on a person who has lost their agency, dignity, and everything.”
This account mirrors the broader experience of refugees and asylum seekers whose personal data is collected by and shared among U.S. immigration and government agencies. The U.S. immigration system has created a digital panopticon targeting refugees and asylum seekers. While national security and public safety concerns are legitimate, extensive data collection and prolonged retention expose these vulnerable individuals to disproportionate surveillance and its associated harms, including exclusion and discrimination. By contracting profit-oriented private entities to develop and manage immigration enforcement technologies, the government cedes many aspects of its immigration control duty--an inherently governmental function--to these businesses. It incentivizes them to continuously collect extensive personal information from these individuals. This data is frequently used for commercial surveillance and is often sold to third parties without the refugees' and asylum seekers' consent, further eroding privacy.
Privacy is a fundamental human right. Refugees and asylum seekers deserve a chance to rebuild their lives without having their privacy diminished. The privacy rights and concerns of refugees and asylum seekers are often overlooked despite the pervasive use of digital technology in immigration processes and enforcement, including the stark nature of intrusions on their privacy.
While existing privacy scholarship has emphasized the data privacy vulnerabilities of other marginalized communities, the privacy needs and challenges of refugees and asylum seekers remain understudied. Similarly, existing scholarship on immigration surveillance has largely overlooked refugees' and asylum seekers' specific privacy concerns. This Article contributes to the discourse at the intersection of privacy and immigration law by addressing the data protection and privacy concerns of refugees and asylum seekers.
Immigration agencies collect, process, analyze, and share a wide array of biographical, biometric data and related information from refugees and asylum seekers, often with little to no transparency and accountability. The long-term effects of this extensive data collection are disproportionate surveillance, discrimination, and diminished privacy. The history of U.S. immigration policy reveals a pattern of exclusionary surveillance and control targeting immigrants and other marginalized communities.
When facing immigration authorities, asylum seekers are questioned about when, how, and why they fled from their home country. Questions include: Are you a victim of violence? Who are the perpetrators? Do you have family or friends in the U.S.? What could happen to them? What could happen if you return to your home country? The answers to these questions create a cache of personal data--information that persists whether asylum or refugee petitions are granted or denied. Refugees and asylum seekers are compelled to share with “strangers” their traumatic experiences, including torture, rape, and murder, in detail, potentially placing themselves and their families at risk of shame. The immigration screening process is conducted without adequate counseling and psychosocial support, exposing immigrants to the harm of reliving past traumas. None of this personal information is required by law to be deleted once asylum proceedings conclude or a status determination is made, regardless of the outcome.
The involuntary migration of refugees and asylum seekers often compels them to surrender extensive personal information in exchange for safety and the basic necessities of life. This phenomenon, which I term “data surrender,” sets in because they interact with the immigration authorities at their most vulnerable and desperate moments. The inherent power asymmetry in interactions with authorities compromises their ability to make informed choices and consent. As a result, they cede not only the core personal information required for the Refugee Status Determination (RSD) process, but also additional information that I term “extraneous data”: personal information that is not directly relevant, proportional, or necessary for assessing and processing an asylum claim and providing humanitarian assistance. The extraneous data includes, among other pieces of personal information, pregnancy-related details, familial relationships, sexual orientation, race, color, sex, gender identity, genetic information, bodily markings such as scars and tattoos, religious background, social media handles, and real-time location data.
Subjected to excessive data collection, refugees and asylum seekers experience three distinct but related forms of diminished privacy, which I categorize as (1) “data surrender”--an inescapable yielding of information prompted by the overwhelming necessity of the powerless to survive; (2) “personality curation”--undue self-discipline, subordination, loss of self-esteem, and erasure of personal identity and history prompted by the need to appear acceptable to authorities; and (3) “weaponization of personal information”--the harmful, exploitative, and unfavorable use of data often obtained through coercion, vulnerability, or unequal power dynamics.
The current legal regime for data privacy in the U.S. fails to protect refugees and asylum seekers. First, existing privacy laws are outdated and misaligned with the current digital technology landscape. Secondly, the existing civil rights framework has not been adapted or emphasized to keep pace with modern digital technologies, particularly in addressing the harms of surveillance, discrimination, and the attendant digital inequalities experienced by immigrants.
While the Privacy Act of 1974 protects the privacy of information held in federal record systems, it does not apply to non-U.S. citizens and non-Legal Permanent Residents. This, in effect, excludes applicants for refugee and asylum status, as they do not fall within the scope of the Act. Additionally, the Act does not apply to information held by private entities, but DHS and its immigration agencies often partner with private tech contractors and start-ups to develop and operate AI-driven immigration enforcement and border control systems.
The result of extensive data collection is that refugees and asylum seekers become hyper-visible to immigration authorities through the deeply personal information obtained from them, yet their privacy interests remain unseen, unheard, and/or unprotected under the existing legal frameworks. The pronounced absence of laws, regulations, and/or policies protecting a refugee and asylum seeker's privacy is why I refer to them as “(in)visible immigrants.” Despite being among the most over-documented individuals in the U.S., they are the least protected under the current data privacy regime. Beyond government surveillance, the (in)visible immigrant is disproportionately exposed to commercial data exploitation, algorithmic discrimination, misinformation, and surveillance, often with little to no legal recourse.
Part I of this Article situates refugees and asylum seekers in the complex and politically charged U.S. immigration system. I argue that the current data privacy legal regime fails to protect these individuals, often rendering them “invisible to the law.” In this Part, I acknowledge that the collection of personal information from immigrants is essential for various legitimate purposes, such as identification, fraud prevention, public safety, and national security. However, the data collected from refugees and asylum seekers extends far beyond what is necessary to ensure their safety, access to necessities of life, public safety, and national security.
Part II examines how the (in)visible immigrant with different intersecting identities is thrust into both government and commercial surveillance gazes--with little to no possibility of escaping the resulting diminished privacy violations and their associated harms. Refugees and asylum seekers experience three distinct but interconnected forms of harm in the data cycle: (1) data surrender, (2) personality curation, and (3) weaponization of personal information. This Part also highlights the impact of privacy violations against refugees and asylees, which extends beyond the individuals themselves to society as well. These violations can result in the suppression of freedom of speech, association, and civic participation. While examining how these groups of immigrants are disproportionately subjected to surveillance and exclusion by both government and commercial entities, this Part also sheds light on similar burdens borne by other marginalized communities.
Part III argues for the protection of the (in)visible immigrant's privacy by advancing the view that privacy is a fundamental human right--one that should be upheld for refugees and asylum seekers regardless of their citizenship and immigration status. I also propose that refugees and asylum seekers be granted the right to data deletion, exercisable upon the grant of citizenship. I also assess the current federal data protection proposals, focusing on the American Privacy Rights Act (APRA) (introduced in the last Congress), to evaluate whether it provides adequate privacy protection for traditionally marginalized groups, including immigrants. To address the key gaps in the APRA, I propose the establishment of an Independent Data Protection Agency (IDPA) tasked with safeguarding the privacy interests of all individuals, including citizens and permanent residents. Within the IDPA, a dedicated office or unit should be created to specifically protect and address the data privacy of refugees and asylum seekers, recognizing their heightened vulnerability throughout the data lifecycle.
[. . .]
Refugees and asylum seekers striving to enter and reside safely in the United States are highly visible to data-collecting entities, yet “invisible” to the nation's privacy protection laws. They are vulnerable candidates for the massive data collection schemes by both government and commercial entities, subjecting them to surveillance, discrimination, and commercial exploitation. It is vital to safeguard the (in)visible immigrant's privacy because the protection of privacy is integral to upholding human dignity in any democratic society. Privacy and related data protection measures advance their agency, autonomy, and self-determination. As explored herein, data surrender results in the yielding of excessive personal information in exchange for safety and necessities of life and services, stripping them of their agency. Constant surveillance forces them to curate their behavior and identity to fit authorities' expectations, resulting in a loss of self-esteem and subdued individuality, inhibiting their ability to express their true self. Additionally, personal data can be weaponized against them, leading to discrimination, targeted surveillance, and exclusion, undermining their efforts to fully integrate into society.
This Article invites lawmakers to consider bold policies in the face of striking realities. Contemplating novel policies is fully warranted. Looking ahead, the challenges faced by the (in)visible immigrant raise urgent and profound questions not only about the future of privacy for immigrants, but also about the broader contours of governance and national identity in the digital age. These concerns extend beyond immigrant populations and increasingly affect the rights and freedoms of citizens as well. As technologies evolve and datafication intensifies, the legal system must grapple with the normative implications of who is seen, remembered, or erased. Protecting the privacy of refugees and asylum seekers is not merely about safeguarding personal information. It is about affirming their humanity, acknowledging their dignity, and reimagining democratic inclusion in an era of pervasive digital surveillance that threatens every facet of life.
Christopher Muhawe is a Postdoctoral Research Fellow at the University of Pennsylvania Carey Law School.