10/05/22

Brussels and Brussels South Charleroi airports fined for use of thermal cameras

The Belgian Data Protection Authority (“DPA”) has fined Brussels Airport and Brussels South Charleroi Airport 200,000 and 100,000 EUR respectively for their use of thermal cameras during the Covid-19 pandemic.

In two extensive decisions (Brussels decision and Charleroi decision), the DPA has fined the two airports for their use of thermal cameras. The DPA has decided that the airports did not have a sufficiently clear legal basis for the processing of health data, stating they could not rely on “public interest” to process health data. The DPA has determined that the information provided to passengers was insufficient, and that the data protection impact assessment (“DPIA”) and the record of processing activities did not meet the legal requirements. Read further for a short summary of the decisions.

Press articles triggered DPA investigation on the use of thermal cameras by airports during Covid-19

The DPA learned via the media that Brussels Airport had measured passengers’ temperatures and started an investigation. At the same time, the DPA’s inspection service started, on its own initiative, an investigation into Brussels South Charleroi Airport’s taking of passengers’ temperatures.

The two Belgian airports used thermal cameras to identify and screen passengers who had a temperature of more than 38°C. Once identified, that temperature was confirmed by a second manual temperature check, and then the passengers concerned were asked to answer a questionnaire concerning Covid-19 symptoms.

Lack of adequate processing ground

As with any processing of personal data, the airports needed a processing ground for processing the passengers’ temperatures. This is especially true as a temperature check entails the processing of health data.  

Considering that a processing ground under both article 6 and 9 GDPR was required according to the DPA, the latter ultimately concluded that the conditions for “legal obligation” (Article 6.1.c GDPR) and the “public interest” (Article 9.2.i GDPR) as processing ground were not met because there was no clear, precise standard of law, the application of which was foreseeable for the data subjects (i.e. the passengers).

The temperature controls relied primarily on a protocol issued by the Federal public service Mobility and Transport of Belgium, which, in the DPA’s opinion, did not strictly oblige the airports to use temperature checks. The DPA has also determined that the protocol is not a law sensu stricto and so is not a legal basis in the sense of Article 6 GDPR. Finally, the DPA has found that the protocol was not precise enough regarding the processing activities. For all these reasons, the DPA has decided that the airports infringed the GDPR’s Articles 6 and 9.

Lack of sufficient information and an insufficient DPIA

Besides the lack of a valid processing ground, the DPA has also found some other GDPR infringements.

First, the DPA has determined that the information provided to passengers about thermal cameras was insufficiently clear and detailed. Although, it was clear that passengers’ temperatures were being checked, the DPA considered the use of thermal cameras was not transparent enough. The DPA has also found that the processing ground (even if was not satisfactory in this case) should have explicitly referred to the relevant legal act(s) and article(s).

The DPA has also found that it should have been made clear in every relevant document (i.e. in the internal regulations, and also the privacy policy) that a passenger’s temperature above 38°C could result in the need to leave the airport.

Second, the DPA retained an infringement because of the lack of quality of each airport’s data protection impact assessment (“DPIA”).

In this case, the DPA has decided that the DPIAs lacked sufficient quality, as some information was not detailed enough. The lack of details in certain fields then prevented the DPA from verifying that sufficient thought had been made, such as for the measures designed to deal with the risks that the processing entailed for the data subjects (i.e. the passengers).

Third, for the Charleroi Airport, the DPA also found an infringement of Article 30 GDPR for the incomplete record of processing activities, as some mandatory information was lacking.

Fines despite the Covid-19 pandemic

Brussels Airport was fined 200,000 EUR, and Brussels South Charleroi Airport was fined 100,000 EUR.

The DPA has stated that it took the health crisis of the Covid-19 pandemic into account when making its decision. However, it has argued that it transparently informed the companies at the outset of the pandemic as to what actions they could, or could not, take in light of the pandemic. The DPA referred to its website page about temperature checks in this regard.

Brussels Airport has already confirmed that it will appeal the DPA’s decision.  

dotted_texture