Masks are entering the “new normal”, although there are fears due to their shortage. In this “new reality” also enters technology, which has been revealed in the pandemic of coronavirus Covid-19 as one of the great allies. Robots, tracking apps, drones. Any innovation can serve if it is given a twist, so entering the de-escalation phase one of the measures that seems to charge more interest are the thermal cameras to monitor the temperature of people in companies and stores. A technological bet that has awakened the specter of intrusion into privacy. Is it a legal measure?
The Spanish Data Protection Agency (AEPD) has warned in a statement that taking the temperature of people so that they can access certain services or shops may violate the fundamental right to data protection, by affecting “data related to the Health” without counting on the “prior and necessary criteria of the health authorities.” These measures are being included, apparently in a generalized way and in very varied environments, so that citizens can access work centers, shops, educational centers or other types of establishments or facilities. And, in this situation, the Spanish regulator has shown its concern about this type of action “that is being carried out without prior criteria and necessary from the health authorities.
The collection of temperature data must be governed, like any personal data, by the principles established in the General Data Protection Regulation (RGPD) and, among them, the principle of legality, they argue from the AEPD, who insist: this Treatment must be based on a legitimate cause of those provided for in data protection legislation for special categories of data (articles 6.1 and 9.2 of the RGPD). In this sense, indiscriminate fever controls may violate article 18.4 of the Spanish Constitution, which includes the right to the protection of personal data. This measure – they insist from the regulator “supposes a particularly intense interference in the rights of those affected.”
“It is not unconstitutional” but it is “an illegitimate interference”
Legal experts consulted by this newspaper believe that “it is not unconstitutional” but it is “an illegitimate interference” in the privacy of workers and citizens contrary to the RGPD in the way it is being carried out in many places. «The temperature measurement by companies, shops or businesses is a measure to combat Covid-19 with a potential high impact on the privacy of citizens and with limited effectiveness, since a high number of infections occurs on the part of asymptomatic patients without fever “, assesses in conversation with ABC Fernando Fernandez-Miranda, director of the digital regulation area of PwC.
In the opinion of this expert, the implementation of this measure is being carried out “arbitrarily and without any type of scientific rigor”, at street level by the entrepreneurs themselves and not by qualified doctors, in addition to being carried out in some cases “using non-approved equipment and without being accompanied by any other type of additional measure”, therefore “they are absolutely contrary” to the RGPD.
«The value of body temperature it is a health data in itself “, they allege from the AEPD, which warns that the implantation of this type of scanners should not be launched” without the support of the legislation. ” The agency warns that the shops and establishments that support this measure to screen who enters or not can suppose “an eventual denial of access” and “would be revealing to third parties” a person’s state of health without “any justification to know it.”
Other countries have incorporated these control measures in some establishments such as China. In Europe, however, the measure is under public scrutiny to analyze possible interference with people’s privacy. In the Netherlands, in fact, last week the Data Protection Authority in another statement expressly prohibited the temperature measurement of workers in search of fever by means of thermometers or thermal cameras. «In order for this measure to be lawful and to find accommodation in the data protection regulations, it must be revealed as suitable and effective, being essential that it be accompanied by other additional measures that must be determined by the company’s own occupational risk prevention service and with all guarantees “, adds Fernández-Miranda.
The AEPD is in the same line, which ensures that “it would be legal to take temperature and access these health data if the person gives their express consent», Although it also finds some gaps in which this could be legal, since consent would be conditional on their need to access the business or service in question. For the regulator, “the affected persons cannot refuse to take the temperature without losing, at the same time, the possibility of entering work, educational or commercial centers, or means of transport, to which they are interested in accessing ».
In the event of express consent from the person to have their temperature taken, this decision however “would not be free”, which is essential to comply with a “legitimizing basis”. Among the data protection principles included in the RGPD, the limitation of the purpose should be mentioned.
“This principle assumes that the data can only be obtained for the specific purpose of detecting possible infected persons and preventing their access to a certain place and their contact within it with other people. But these data should not be used for any other purpose “, insist the experts. In such a way that only in the work environment can there be a “legal basis”, according to the AEPD, as they are in the obligation that employers have to guarantee the safety and health of their workers.