Recently, the Mexican Federation of Association Football (Federación Mexicana de Fútbol Asociación, A.C.) ("Femexfut"), announced its intention to obtain biometric data of attendees at sporting events, with the goal of increasing security controls at the stadiums. This objective became more pressing after the unfortunate incident in Queretaro City a few weeks ago.

Although the intention of this plan is to increase security controls at sporting events and to have the means to hold the people who participate in them accountable, the way in which Femexfut intends to achieve these aims may be problematic. Thus, in an interview, Francisco Acuña, one of the Commissioners of the National Transparency Institute ("INAI"), confirms that, although it is not a crime to collect biometric personal data, it is a very delicate matter and seems not to be being addressed in the best way.

Although this program has not yet been implemented, there are still many uncertainties. Before implementing such programs, Femexfut and other companies considering the large-scale collection of biometric data should consider a number of factors:

  • Will they be ready to implement sufficient physical, technical and/or administrative security measures to protect such valuable data from a possible breach?
  • In a country where soccer is one of the most popular sporting events, the amount of personal data, including biometric data, that Femexfut will manage could be very attractive to people who intend to misuse it. Will they have carried out the corresponding impact analysis?
  • Will they consider data protection as part of the design of its systems?
  • Will they be able to minimize and process the data collected in a proportional manner? In the case of Femexfut, the latter questions seems especially complicated, with the information we have available, since it intends to take biometric data as part of a registry, but also to monitor the attendees to the events through video surveillance cameras and even through facial recognition. All this could become even more complicated if Femexfut decides to share this data with its constituent football clubs, as it could increase the risk of possible loss or violation.
  • Have they contemplated the collection of biometric data in their privacy notice and obtained any necessary consents for such collection from data subjects.

All of these questions are valid for the attendees as data subjects; therefore, I would agree with Commissioner Acuña that, although it is not a crime to collect the specific personal data, Femexfut needs to have the infrastructure and expert advice to reduce possible risks in the implementation of this Fan ID program, and consider at all times the prevailing reasonable expectation of privacy.