{"id":25218,"date":"2025-06-19T08:00:29","date_gmt":"2025-06-19T06:00:29","guid":{"rendered":"https:\/\/voelkerrechtsblog.org\/?p=25218"},"modified":"2025-11-14T15:07:50","modified_gmt":"2025-11-14T14:07:50","slug":"et-tu-u2","status":"publish","type":"post","link":"https:\/\/voelkerrechtsblog.org\/de\/et-tu-u2\/","title":{"rendered":"Et Tu, U2?"},"content":{"rendered":"

If you were using social media around September 2023, there\u2019s an excellent chance you\u2019ve already seen images or videos of the newly opened Las Vegas Sphere, an 18,000-capacity music and entertainment venue which opened that month. The venue opened with a 5-month U2 <\/em>residency which drew in over 600,000 attendees, becoming one of the highest grossing<\/a> concert residencies of all time. U2 fans lucky enough to attend one of these record-breaking shows were met with the Sphere\u2019s state-of-the-art visual and sound system, its near-panoramic indoor screen, various technological attractions, and an innocuous \u201cfacial recognition notice\u201d above the entrance, emblazoning a warning that the venue uses facial recognition technology in line with its Privacy Policy.<\/p>\n

That Privacy Policy, accessible online<\/a>, lists biometric data (a class of sensitive personal data which includes<\/a> facial features) alongside other personal information such as name, age and email address among the data it collects from concert-goers attending events at the venue (Section 1A). Further information provided to comply with the California Consumer Privacy Act reveals that biometric information \u201ccollected when visiting one of our venues\u201d can be used for, among other purposes, \u201c[advancing] our commercial or economic interests\u201d (Section 8).<\/p>\n

This blog post explores the legality of commercial biometric data processing, first by highlighting recent cases involving alleged misuse of biometric data by the Sphere\u2019s parent company, Madison Square Garden Entertainment Group (MSG), before drawing a comparison between the US and EU frameworks for biometric data protection. The purpose is not to provide a comprehensive overview \u2013 to that end, we will not discuss the ECHR, also applicable in Europe \u2013 but to discover whether the EU\u2019s General Data Protection Regulation (GDPR<\/a>) would allow data processing of the kind seen by MSG.<\/p>\n

Madison Square Garden Entertainment Corp and Abuse of Biometric Data<\/strong><\/p>\n

MSG own<\/a> several high-profile venues across the USA including Radio City Music Hall and New York\u2019s Madison Square Garden \u2013 and they are no stranger to controversy surrounding their biometric data usage. In October 2022, a New York lawyer was denied entry<\/a> to a Knicks game and had his season ticket revoked when his name appeared on the venue\u2019s \u201cexclusion list\u201d, nine days after his firm had filed a lawsuit against MSG in an unrelated matter. Around the same time, a lawyer working for a different firm was turned away<\/a> at the door to Radio City, despite the fact that she was not involved in her firm\u2019s case against MSG.<\/p>\n

These instances revealed that MSG was using facial recognition technology to blacklist lawyers working for firms involved in cases against it. According to NYT<\/a>, MSG was using third-party technology to mine the websites of law firms involved in cases against the company for photos of their lawyers \u2013 and conducting facial recognition scans at the doors to its venues to identify and remove them from events. MSG representatives have defended<\/a> the policy as a reaction to the \u201cadversarial environment\u201d caused by litigation.<\/p>\n

In March 2023, several lawyers initiated a class action lawsuit<\/a> alleging MSG of improperly utilising their biometric data to deter litigation against the company. Under New York law, the plaintiffs had to show that MSG sought to directly profit from collecting their biometric data and sharing it with the facial recognition service \u2013 as opposed to deriving some other benefit. Put another way<\/a>, the law \u201cexplicitly permits the collection and sharing of biometric data for commercial purposes provided that the public is warned,\u201d as long as the data controller does not \u201cprofit from the transaction itself<\/em>.\u201d On that basis, since MSG was not directly selling the data but instead purchasing a service, the case was thrown out<\/a> in May 2024. It appeared that the \u201cfacial recognition notices\u201d above Sphere entrances were enough to legally justify the exclusion policy. Since then, a Bill has been introduced<\/a> to the New York Senate which, if enacted, would establish a taskforce to identify the regulatory and ethical concerns around facial recognition technology. A much more comprehensive 2023 New York City Council Bill<\/a> which would have banned<\/a> the use of facial recognition technology in places of public accommodation, failed to reach enactment despite strong support<\/a> from civil rights groups.<\/p>\n

While the MSG exclusion policy seems to currently only apply to lawyers, CEO James Dolan has indicated<\/a> in the past that he sees anyone who acts \u201cconfrontational [\u2026] with the ownership\u201d as fair game, implying a broad approach which could foreseeably lead to bans for all sorts of people who take issue with the company\u2019s business practices. There are already scant and anecdotal reports<\/a> of fans who claim to have struggled to access MSG venues after criticising Dolan on social media.<\/p>\n

Biometric Data Protection in the USA and Europe<\/strong><\/p>\n

The upshot of the failed New York lawsuit is that the law has remained one step behind the development of invasive surveillance technologies and their use by private companies. This is generally reflective of the wider legal progress on data protection, particularly in the US, where there is no comprehensive federal-level data privacy law equivalent to the EU\u2019s GDPR.<\/p>\n

Data protection law in the US is splintered by the nature of the data and is often left up to individual states. There are federal laws governing health data (HIPAA) and online privacy for children under 13 (COPPA), among others. At a state level, while many states remain broadly unregulated, few states have already introduced<\/a> general data protection laws. States like Illinois, Texas and Washington have been particularly proactive in developing biometric data protection laws<\/a>. In Illinois, this law establishes a private right of action which has seen fines of up to $75 million USD awarded in class action lawsuits<\/a> against companies found to be misusing biometric data.<\/p>\n

This fragmented approach to data protection stands in contrast to the EU, where the GDPR carves out special protections for biometric data. Article 9 prohibits the processing of \u201cspecial categories\u201d of data (including biometric), with a list of enumerated exceptions. Among those are with the explicit consent of the data subject (Article 9(2)(a)) and data which are already made public by the data subject (Article 9(2)(e)). While the CJEU has recently confirmed<\/a> that personal data may be processed by for-profit organisations on the basis of legitimate commercial interests, that decision related to non-sensitive data (Article 6), which is far less tightly regulated. Indeed, Article 9 governing biometric data makes no mention of legitimate interests \u2013 referring only to the \u201clegitimate activities\u201d of non-profit organisations.<\/p>\n

So, what about consent, or public information? Ordinarily, data subject consent sought under GDPR must be freely given, specific, informed and unambiguous (recital 32). This means<\/a>, among other things, consent given by a \u2018clear, affirmative act\u2019 and with knowledge of its processing purposes. While whether or not walking through the entrance to a venue could be considered a clear, unambiguous granting of consent is perhaps debatable, biometric data enjoys extra protection that requires explicit <\/em>consent, meaning consent given expressly by written or digital confirmation<\/a>. More problematic could be the allowance of sensitive data processing where the data subject has made that data public themselves. If our facial images are mined from our employers\u2019 websites, or our Facebook pages, would this give free reign to their processing?<\/p>\n

Very little guidance<\/a> has been published on Article 9(2)(e). Even though facial images are considered biometric, and therefore, sensitive data (recital 14), the manifestly already-public nature of what our faces look like makes this information virtually impossible to obscure from the public, especially in the digital age. However, the use of facial recognition technology under GDPR is still subject to the additional requirements in Article 6, must be pursuant to the data processing principles enumerated in Article 5, and is restricted by Article 22 governing automated individual decision-making. Article 22 seems to offer the clearest protection in this context, as data subjects are protected from automated profiling with very few exceptions. Those exceptions include explicit consent (discussed above), and when the processing is authorised by law in a way which protects the freedoms and legitimate interests of the data subject. Read alongside Article 5, which restricts lawful data processing to that which is fair, transparent, and pursues a legitimate purpose, it does not seem likely that facial recognition-operated blanket bans would qualify as lawful under GDPR, nor that individual EU Member States could lawfully authorise it.<\/p>\n

Rolling out More Spheres?<\/strong><\/p>\n

Despite hiding behind their status as private companies, large corporations in charge of iconic venues like MSG are providing places of public accommodation \u2013 whether it be for sports, music, or any other public entertainment. Within those venues, civil and human rights (including but not limited to data protection) should be applied in how the owners interact with the public. MSG\u2019s prevalence in the events space may soon spread internationally with their plans to roll out<\/a> more Spheres in countries such as Dubai and South Korea. Their first proposal, for London, was ultimately rejected<\/a> after a long public consultation period wherein it was decided that local residents did not want 1.2 million LED lights shining advertisements through their bedroom windows throughout the night. For those residents in cities which may soon be welcoming their own Spheres, a final note of warning about their prospects of entry should they choose to be publicly critical of James Dolan and MSG: Achtung, Baby!<\/em><\/p>\n

 <\/p>\n

The \u201cBofaxe\u201d series appears as part of a\u00a0<\/em>collaboration<\/em><\/a>\u00a0between the\u00a0<\/em>IFHV<\/em><\/a>\u00a0and V\u00f6lkerrechtsblog.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

If you were using social media around September 2023, there\u2019s an excellent chance you\u2019ve already seen images or videos of the newly opened Las Vegas Sphere, an 18,000-capacity music and entertainment venue which opened that month. The venue opened with a 5-month U2 residency which drew in over 600,000 attendees, becoming one of the highest […]<\/p>\n","protected":false},"author":36,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[6639],"tags":[4915,4868,5019],"authors":[7438],"article-categories":[5108],"doi":[],"class_list":["post-25218","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-access-to-information","tag-data-protection","tag-privacy","authors-jack-provan","article-categories-bofaxe"],"acf":{"subline":"Surveillance Capitalism and the Las Vegas (Data) Sphere"},"meta_box":{"doi":"10.17176\/20250627-083201-0"},"_links":{"self":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/25218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/comments?post=25218"}],"version-history":[{"count":3,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/25218\/revisions"}],"predecessor-version":[{"id":25222,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/25218\/revisions\/25222"}],"wp:attachment":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/media?parent=25218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/categories?post=25218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/tags?post=25218"},{"taxonomy":"authors","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/authors?post=25218"},{"taxonomy":"article-categories","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/article-categories?post=25218"},{"taxonomy":"doi","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/doi?post=25218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}