Facial recognition cameras in stadiums? The same question arises again after the derby
18. 5. 2026
Sport
Events surrounding the latest derby between Slavia and Sparta have once again raised the question of whether Czech clubs have sufficient tools to identify individuals who commit acts of violence or engage in other inappropriate behaviour at stadiums. The debate today focuses primarily on the possibility of using facial recognition technology, i.e. systems for the biometric identification of individuals.
Yet this is not an entirely new topic. The League Football Association (LFA) itself, in its infrastructure requirements for stadiums, regards CCTV systems as the “cornerstone of the security concept” and, in the fourth phase of implementation, explicitly mentions the use of facial recognition systems to identify individuals subject to a ban and prevent them from entering the stadium. However, Czech legislation is not yet prepared for such deployment.
Biometric data processed for the purpose of uniquely identifying a person constitute a special category of personal data under the GDPR. Their processing is, in principle, prohibited unless one of the exceptions is met. In the case of football and sporting events in general, a justification based on a substantial public interest may be invoked. However, this must be expressly provided for in EU or national legislation.
Inspiration from abroad
The practical deployment of facial recognition systems is not out of the question in the European context, as demonstrated by the Danish example of FC Copenhagen. The Danish model is based on the exception under Article 9(2)(g) of the GDPR, namely the processing of biometric data on the grounds of the aforementioned substantial public interest. This public interest is specifically enshrined in Danish national legislation. A private entity, such as a football club, may only carry out such processing if authorised to do so by the Danish Data Protection Authority. It was this authority that, in the case of FC Copenhagen, authorised automatic facial recognition for the purpose of enforcing stadium bans.
By contrast, the Spanish case of the football club CA Osasuna serves as a warning. The club introduced a facial recognition system at the El Sadar stadium for fan entry, arguing, among other things, that fans had given their explicit consent to the use of biometrics. However, the Spanish supervisory authority, the AEPD, concluded that consent alone does not constitute a sufficient legal basis for processing in such a situation. According to the authority, the conditions of necessity and proportionality were not met, as the same objective could have been achieved by less invasive means. The club was fined €200,000. The case thus demonstrates that, in principle, a mere ‘opt-in’ by fans will not suffice for biometric identification at stadiums; rather, processing on grounds of public interest, as in the case of FC Copenhagen, is more likely.
Impact of the AI Act
In addition to the GDPR, compliance with the AI Act will also need to be assessed for any future deployment. Depending on their specific configuration, biometric identification systems may fall within the category of high-risk AI systems. For their operators, this would entail, in particular, the obligation to manage risks, maintain technical documentation, ensure data quality, keep logs, provide transparent information to data subjects, ensure human oversight, ensure cybersecurity, continuously monitor the system’s operation, and, where applicable, register the system in the European database of high-risk AI systems. At EU level, a postponement and amendment of some of the obligations for high-risk systems is currently under discussion, partly because the relevant technical standards and implementation tools are not yet fully ready. Despite these postponements, however, the implementation of biometrics in stadiums must also comply with the requirements of EU regulation on artificial intelligence.
What next?
It is clear that suitable technology to prevent such excesses by problem fans already exists, and the football community, including clubs, is already factoring this in. However, biometric identification may constitute a significant intrusion into individuals’ privacy, and it is therefore essential to clearly define the conditions for its use. Thanks to our EU membership, the Danish approach to setting rules for the deployment of biometric identification systems is a readily transferable example for us and offers inspiration for a workable solution.

Partner | Attorney-at-law
christian.mueller@keymove.cz
+420 602 655 348

Trainee attorney
ales.holly@keymove.cz
+420 604 919 895



