Brussels and Brussels South Charleroi Airports fined for use of thermal cameras
The Belgian Data Protection Authority (“DPA”) has fined Brussels Airport and Brussels South Charleroi Airport 200,000 and 100,000 EUR respectively for their use of thermal cameras during the Covid-19 pandemic.
In two extensive decisions (Brussels decision and Charleroi decision), the DPA has fined the two airports for their use of thermal cameras. The DPA has decided that the airports did not have a sufficiently clear legal basis for the processing of health data, stating they could not rely on “public interest” to process health data. The DPA has determined that the information provided to passengers was insufficient, and that the data protection impact assessment (“DPIA”) and the record of processing activities did not meet the legal requirements. Read further for a short summary of the decisions.
Press articles triggered DPA investigation on the use of thermal cameras by airports during Covid-19
The DPA learned via the media that Brussels Airport had measured passengers’ temperatures and started an investigation. At the same time, the DPA’s inspection service started, on its own initiative, an investigation into Brussels South Charleroi Airport’s taking of passengers’ temperatures.
The two Belgian airports used thermal cameras to identify and screen passengers who had a temperature of more than 38°C. Once a passenger was identified, that temperature was confirmed by a second manual temperature check, and the passengers concerned were then asked to answer a questionnaire concerning Covid-19 symptoms.
Lack of adequate processing ground
As with any processing of personal data, the airports needed a processing ground for processing the passengers’ temperatures. This is especially true as a temperature check entails the processing of health data.
According to the DPA, a processing ground under both Articles 6 and 9 GDPR was required. The DPA ultimately concluded that the conditions for “legal obligation” (Article 6.1.c GDPR) and “public interest” (Article 9.2.i GDPR) as processing grounds were not met, because there was no clear, precise standard of law whose application was foreseeable for the data subjects (i.e. the passengers).
The temperature controls relied primarily on a protocol issued by the Federal public service Mobility and Transport of Belgium, which, in the DPA’s opinion, did not strictly oblige the airports to use temperature checks. The DPA has also determined that the protocol is not a law sensu stricto and so is not a legal basis in the sense of Article 6 GDPR. Finally, the DPA has found that the protocol was not precise enough regarding the processing activities. For all these reasons, the DPA has decided that the airports infringed the GDPR’s Articles 6 and 9.
Lack of sufficient information and an insufficient DPIA
Besides the lack of a valid processing ground, the DPA has also found some other GDPR infringements.
First, the DPA has determined that the information provided to passengers about thermal cameras was insufficiently clear and detailed. Although it was clear that passengers’ temperatures were being checked, the DPA considered that the use of thermal cameras was not transparent enough. The DPA has also found that the processing ground (even if it was not satisfactory in this case) should have explicitly referred to the relevant legal act(s) and article(s).
The DPA has also found that it should have been made clear in every relevant document (i.e. in the internal regulations, and also the privacy policy) that a passenger’s temperature above 38°C could result in the need to leave the airport.
Second, the DPA found an infringement because of the lack of quality of each airport’s data protection impact assessment (“DPIA”).
In this case, the DPA has decided that the DPIAs lacked sufficient quality, as some information was not detailed enough. The lack of detail in certain fields prevented the DPA from verifying that sufficient thought had been given, for example, to the measures designed to deal with the risks that the processing entailed for the data subjects (i.e. the passengers).
Third, for the Charleroi Airport, the DPA also found an infringement of Article 30 GDPR for the incomplete record of processing activities, as some mandatory information was lacking.
Fines despite the Covid-19 pandemic
Brussels Airport was fined 200,000 EUR, and Brussels South Charleroi Airport was fined 100,000 EUR.
The DPA has stated that it took the health crisis of the Covid-19 pandemic into account when making its decision. However, it has argued that it transparently informed the companies at the outset of the pandemic as to what actions they could, or could not, take in light of the pandemic. The DPA referred to its website page about temperature checks in this regard.
Brussels Airport has already confirmed that it will appeal the DPA’s decision.