‘Be cautious on US stadium trend’, clubs urged
A data-protection expert has warned sporting bodies in Britain and the EU that they will need to take extra care if they look to follow US examples of using biometric data for letting fans into stadiums.
Los Angeles FC (LAFC) of the US’s MSL football league is the latest club to roll a fully integrated biometric system for fans attending games at its BMO Stadium, following in the footsteps of fellow MLS side Columbus Crew.
Law firm Pinsent Masons says, however, that stricter regulation on data protection across Europe will require operators looking to follow LAFC’s approach to face much greater scrutiny from watchdogs.
Special-category data
Dom White, a data-protection expert at the firm, points out that use of facial-recognition technology (FRT) to grant stadium access would put it within the scope of special-category personal data under GDPR rules for the British and EU data regimes.
“Even it is optional or designed to improve the fan experience, clubs must meet the higher compliance threshold that applies to biometric processing,” he says.
White cites potential issues with transparency and how biometric data is stored, “particularly given the sensitivity of the data and the general expectation that fans can attend matches without providing biometrics”.
The Pinsent Masons lawyers says that biometric systems can deliver operational benefits for clubs, but warns that their long‑term success will hinge on “getting compliance right, tightly defining how the data is used, and being open and clear with fans from the outset”.
‘Less tolerance’
He adds that a long‑standing tradition of fan autonomy in Britain and the EU means that there is far less tolerance for technologies that feel like surveillance or that control access to the game.
FRT systems, operated with ticket providers, have also increasingly found favour in other US sports venues, where they have been deployed to speed up access through ticket gates or allow fans to pay at the cash-free concession stands.
Pinsent Masons says, however, that Europe’s stricter legislation means clubs and bodies must take greater care – with Spanish football giants Barcelona fined €500,000 earlier this year by the country’s data protection authority (AEPD) for failing to carry out appropriate digital-impact assessments when gathering biometric data during its mandatory census of 143,000 club members.
The census collated biometric selfie and ID scan data, along with optional voice data, leading to complaints the club had included minors, consent had not been explicitly asked, and previous members who did not complete the census had lost their membership with the club.
Systems ‘must be proportionate’
Spain’s football league, La Liga, was also fined €1 million last year for similarly breaching rules on implementing impact assessments when trialling facial recognition to improve stadium security and safety – a ruling the league has since appealed.
According to Pinsent Masons, the Spanish case highlights that, while new legislation on ticketless entry to matches and the use of FRT to identify trouble in stadium crowds reflects the strengthening of legal frameworks linked to match-day safety, clubs are still required to introduce solutions proportionally.
Malcolm Dowden, a technology and privacy expert with Pinsent Masons, warned that sanctions for unauthorised stadium entry do not alone justify deploying biometric identification systems.
“Clubs still need to demonstrate that biometric systems are necessary, effective, and proportionate compared with less intrusive alternatives, and that their deployment is supported by appropriate safeguards for supporters’ rights,” he adds.