Facial recognition and its use in different spheres are the subject of much debate. One recent example is in France, where the President of the CNIL issued a warning to a sports club this week. The club was planning to use a facial recognition system to automatically identify persons subject to a commercial stadium ban. This project does not comply with the RGPD and the French Data Protection Act.
Following reports concerning the implementation by a sports club of a spectator facial recognition device, the President of the CNIL decided to have checks carried out on the use of this technology.
This system, which was in the experimental phase, was intended to identify persons subject to a commercial stadium ban, detect abandoned objects and combat terrorism.
The analysis of the characteristics of the proposed system showed that it was based on the processing of biometric data. However, the collection and use of this sensitive data is, with some exceptions, prohibited by the General Data Protection Regulation (GDPR, abbreviated RGPD in French) and the French Data Protection Act (Loi Informatique et Libertés).
The warning issued by the CNIL
In the absence of a special legislative (e.g. law) or regulatory (e.g. decree, order, etc.) provision, the implementation of such a scheme by a sports club for “counter-terrorism” purposes is unlawful.
The President of the CNIL therefore warned the sports club that, in the current legal framework, the planned processing could not be carried out in a lawful manner.
If, despite this warning, the sports club concerned proceeds with the effective implementation of the facial recognition system, it will be exposed to one or more of the corrective measures provided for by the RGPD and the French Data Protection Act, including a financial penalty.
What is a commercial stadium ban?
Article L. 332-1 of the French Sports Code provides that the organisers of sporting events may refuse or cancel the issue of tickets to these events or deny access to persons who have contravened or are contravening the provisions of the general terms and conditions of sale or the internal regulations relating to the security of these events.
The same article authorises the organisers of sporting events to implement “automatic processing of personal data relating to breaches” in order to ensure the security of sporting events. Such processing must be provided for in the general terms and conditions of sale or in the internal regulations.
These commercial stadium bans, which are intended to contribute to the security of sporting events by preventing certain persons from gaining access to them and which are decided by the organisers of sporting events, must be distinguished from judicial or administrative stadium bans which can only be imposed by judicial authorities or prefects.
In practice, once a person is registered in a commercial stadium ban processing system, the stadium ticketing system can automatically refuse him or her a season ticket or a ticket in his or her name. In addition, security officials will be able to deny access to the stadium to a person registered in the stadium ban processing system, even if he or she has a valid access ticket.
How is this processing regulated?
General framework: the RGPD
Stadium ban processing contributes to the security of sporting events by enabling the organisers of such events to prevent certain persons from gaining access to their sports venues, due to dangerous behaviour corresponding to breaches of obligations of a contractual nature. Such processing must comply with the RGPD.
Conditions of implementation: the Sports Code
More specifically, the conditions for implementing this processing are specified by the provisions of Articles L. 332-1 and R. 332-14 et seq. of the French Sports Code, in particular as regards:
- the purpose of such processing;
- the categories of data that may be subject to such processing;
- the length of time for which such data are kept;
- the categories of recipients of such data;
- as well as the rules applicable with regard to the information to be given to individuals (in particular by posting or handing over a document).
In this respect, although Article R. 332-15 of the Code provides that the photograph associated with a person’s season ticket must be processed as part of the management of stadium bans, it does not, in particular, allow for the implementation of a biometric device based on these photographs.
Finally, Article R. 332-18 of the Sports Code explicitly provides that data subjects may not object to the processing of commercial stadium bans.
Translated from La CNIL adresse un avertissement à un club sportif sur l’utilisation d’un système de reconnaissance faciale