Belgium's Data Protection Authority (DPA) has imposed fines of up to €200,000 on two Belgian airports for using thermal cameras to measure travellers' body temperature during the Covid-19 pandemic.
Both Brussels Airport Zaventem and Brussels South Airport Charleroi used thermal cameras to check whether people had a temperature of more than 38°C during the Covid-19 peak(s).
In Zaventem, those with high temperatures were then given an extra check and were even asked had to fill out a questionnaire about possible symptoms related to the Covid-19. These surveys were then stored.
According to the DPA Dispute Chamber, however, the airports did not have the right to process such "sensitive health data," it announced in a press release on Monday.
"We understand that companies have been hit hard by the pandemic and have had to take unprecedented emergency measures. However, the privacy rules are essential protection for the rights and freedoms of individuals, and must therefore be respected," said Hielke Hijmans, Chair of the Dispute Chamber.
Duty to check rules
The DPA added that it was doing "its duty" in ensuring that these rules are applied. "Our decision today is all the more important because it can serve as a guide for any similar data processing, whether in the context of the health crisis or not."
For the violations, the DPA imposed a €100,000 fine on Charleroi airport (which carried out temperature checks from June 2020 to March 2021), and a €200,000 fine on Zaventem airport (where temperature checks took place from June 2020 to January 2021).
"This decision shows how important it is to carry out a rigorous and comprehensive data protection impact assessment before implementing any data processing that may pose a risk to individuals," said David Stevens, President of the DPA.
- Brussels Airport stops checking temperatures
- Airport temperature checks break data privacy laws, watchdog says
- Brussels Airport expects nearly one million passengers during Easter holidays
"Prevention is better than cure is a principle that also applies in the field of data protection." However, the airports can still appeal against the decision.
Protocol not sufficient
The DPA had reservations about the legal basis of these temperature checks – which started in June 2020 – and decided to refer the matter to its inspection service, which passed its investigation on to the Dispute Chamber.
The Chamber now ruled that there was indeed no legal basis for processing temperature data (mainly for the second measurement, for people whose temperature was higher than 38°C). This second check was carried out by the company Ambuce Rescue Team, which was also given a €20,000 fine by the DPA.
While processing these sensitive data for public health reasons would be allowed if the procedure was based on a "clear and precise legal norm whose application is predictable for the data subject," the protocol that the temperature checks were based on did not meet those requirements.
Additionally, the DPA felt that travellers were not sufficiently informed about the temperature checks and that the report to assess the risks related to the processing of the temperature data was not "qualitative" enough.
'Necessary measures taken in good faith'
In an official reaction statement given to The Brussels Times, Brussels Airport stressed that while it learned of the imposed fines via a press release on the DPA's website, the airport company itself has not yet received the decision.
The temperature controls were introduced on 15 June 2020 during the restart of non-essential travel, the airport said. This was "at a time when the Covid crisis was still raging, little was known about Covid and measures such as testing were not yet widely available."
In the interest of public health, measures had to be taken quickly and the airport took "the necessary measures in good faith based on the information and guidelines available at that time," said Brussels Airport.
From the Federal Public Mobility Service, the airports received a binding protocol (dated 11/06/2020), stating that temperature screening had to be carried out in places where social distance could not be guaranteed.
"This protocol is based on the Ministerial Decree of 05/06/2020 that provides a legal basis for this. Contrary to what the DPA maintains in its press release, there was therefore indeed a valid legal basis for the processing," the company said, adding that it concerned "a considerable investment of the airport."
'What we were told to do'
Brussels Airport underlined that it handled the checks "extremely cautiously" and clearly communicated that to the passengers. The information was only shown briefly on the screen for a few seconds and was immediately deleted after.
"These images were only viewed by authorised personnel and it was not linked to other data. Brussels Airport also carried out a thorough data protection impact assessment," it said, adding that the checks were abolished as soon as the Government measures allowed in January 2021.
The company also stressed that, while it had repeatedly asked the DPA to work together to find a suitable solution before the screenings were implemented, such cooperation was always refused.
Brussels Airport stated it is "very disappointed" with the decision, as it "did what it was told to do by the Federal Public Service for Mobility and is now being fined for it by another Public Service." It also said that the "incredibly high fine" is disproportionate to the alleged infringement and previous rulings by the DPA.
Lastly, the airport said that it has cooperated with the DPA's investigation and provided all necessary information. "We are now considering how to respond to this decision by the Dispute Chamber."