Femexfut Fan ID and Privacy

Recently, the Mexican Federation of Football Association (Federacion Mexicana de Futbol Association, AC) (“Femexfut”), announced its intention to obtain the biometric data of participants in sporting events, with the aim of strengthening security checks in stadiums. This objective has become more pressing after the unfortunate incident in Querétaro a few weeks ago.

While the intention of this plan is to increase security checks at sporting events and to have the means to hold those who participate in them accountable, the way in which Femexfut intends to achieve these goals can be problematic. Thus, in an interview, Francisco Acuña, one of the commissioners of the National Institute of Transparency (“INAI”), confirms that, although it is not a crime to collect personal biometric data, it is a very delicate question and does not seem to be approached in the best way.

Although this program has not yet been implemented, many uncertainties remain. Before implementing such programs, Femexfut and other companies considering large-scale biometric data collection should consider a number of factors:

  • Will they be prepared to implement sufficient physical, technical and/or administrative security measures to protect this valuable data from possible breach?
  • In a country where football is one of the most popular sporting events, the amount of personal data, including biometric data, that Femexfut will manage could be very attractive to people who intend to make use of it. abusive. Will they have carried out the corresponding impact analysis?
  • Will they consider data protection as part of the design of their systems?
  • Will they be able to minimize and process the data collected in a proportionate way? In the case of Femexfut, this last question seems particularly complicated, with the information we have, since it intends to take biometric data as part of a registry, but also to monitor event participants through CCTV cameras and even through face recognition. This could all become even more complicated if Femexfut decided to share this data with its constituent football clubs, as it could increase the risk of loss or possible breach.
  • Have they considered the collection of biometric data in their privacy statement and obtained the necessary consents for such collection from data subjects.

All these questions are valid for the participants as data subjects; therefore, I agree with Commissioner Acuña that, although the collection of specific personal data is not a crime, Femexfut must have the infrastructure and expert advice to reduce the possible risks in implementation of this Fan ID program, and at all times consider the prevailing reasonable expectation of privacy.

“This database will grow and cannot be left to drift saying that no additional equipment is needed to protect it. It is necessary to have a register of high security controls because personal data is a very sensitive issue. I will tell you that the issue of facial recognition has been discouraged around the world and I consider it a complex issue to consider. It is not a crime, but it is a very sensitive issue. delicate”.


The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “lawyer advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar results. For more information, please visit: www.bakermckenzie.com/en/disclaimers.