Belgium’s data protection authority fined two airports for having checked body temperatures, sensitive personal health data, with thermal cameras during the COVID-19 pandemic with “no legal basis”.
The Data Protection Authority of Belgium on April 4 fined two of the three Brussels’ airports for having processed sensitive health data of traveler without legal rights.
The Brussels airport of Zaventeem is fined 200,000 euros (220,000 dollars) and the Brussels South Charleroi 100,000 euros (110,000 dollars). During the fight against the COVID-19, the airports checked body temperatures of passengers. They started in June 2020 when non-essential travels resumed and kept doing it until March 2021 in Charleroi and January 2021 in Zaventeem.
But for the data protection authority, they did “did not have a valid legal basis to process passenger health data”.
These two airports used thermal cameras to identify people with a body temperature higher than 38°C (100F). In Zaventeem, the people with a high body temperature would then receive a questionnaire with possible symptoms related to the COVID-19. The company which carried out the questionnaire, Ambuce Rescue Team, was fined 20,000 euros.
In 2021, the Data Protection Authority issued a note saying body temperature was personal data, which was all the more sensitive that it was health personal data. Such data is protected by the general data protection regulation.
The authority considered there were no public health reasons nor important public interest for these processes to take place, justifications which would have otherwise allowed exceptional process of personal health data.
Furthermore, information given to travelers was insufficient and data safety was not correctly taken care of according to the control body.
“Better safe than sorry is also important in the area of data protection,” said DPA President David Stevens.
For Hielke Hijmans, the president of the Litigation Chamber which sets the fines, “we understand that companies have been hit hard by the pandemic and that they had to implement measures never seen before hastily. However, privacy rules are an essential protection for the rights and freedoms of individuals, and must therefore be respected.”
According to Belga news agency, Brussels Airport’s management was “particularly disappointed” by the decision. For the airport, the instructions were given by the Federal Public Service Mobility and Transport. Both airports said they processed data carefully and even reached out to the ADP for guidance and cooperation but didn’t get any positive answer.
The airports have the right to challenge the decision.