Rolling Stone reported that Taylor Swift secretly used facial recognition on her fans attending the May 18th Rose Bowl show of her 2018 Reputation Tour (see Rolling Stone link). Allegedly, a kiosk displaying rehearsal clips contained a camera that was taking photos of the fans. The photos were then sent to a Tennessee site where they were cross-referenced with a database of Ms. Swift's known stalkers.
If this occurred in Europe, would this use of facial recognition be lawful under the GDPR? It depends. First, was there a privacy notice, and how was it presented and what did it say? Second, what was the lawful basis for the processing? I assume the basis would be an asserted legitimate interest of Ms. Swift. Was the legitimate interest properly evaluated? Third, where did they send the data? If they sent it out of the EU, did they have the proper documentation in place to send it?
Image is from Marcin Wichary and published under the CC BY-SA 2.0 license.