Masks enter the “new normal”, although it is feared for their shortages. Technology also enters this “new reality”, which has been revealed in the Covid-19 coronavirus pandemic as one of the great allies. Robots, tracking apps, drones. Any innovation can work if it is given a twist, so entering the de-escalation phase one of the measures that seems to be more interesting is the thermal cameras to control the temperature of people in companies and shops. A technological bet that has awakened the ghost of intrusion into privacy. Is it a legal measure?
The Spanish Data Protection Agency (AEPD) has warned in a statement that taking the temperature of people so that they can access certain services or shops may violate the fundamental right to data protection, by affecting «data related to the health ”without having the“ prior and necessary criteria of the health authorities ”. These measures are being included, apparently in a generalized way and in very varied environments, so that citizens can access work centers, shops, educational centers or other types of establishments or equipment. And, in this situation, the Spanish regulator has shown its concern about this type of actions “that are being carried out without the prior and necessary criteria of the health authorities.”
The collection of temperature data must be governed, like any personal data, by the principles established in the General Data Protection Regulation (RGPD) and, among them, the principle of legality, argue from the AEPD, which insist: this Treatment must be based on a legitimate cause of those provided for in the data protection legislation for the special categories of data (articles 6.1 and 9.2 of the GDPR). In this sense, indiscriminate fever controls may violate article 18.4 of the Spanish Constitution, which includes the right to protection of personal data. This measure – they insist from the regulator “supposes a particularly intense interference in the rights of those affected”.
“It is not unconstitutional” but it is “an illegitimate interference”
Legal experts consulted by this newspaper believe that “it is not unconstitutional” but “an illegitimate interference” in the privacy of workers and citizens contrary to the GDPR in the way it is being carried out in many places. «Temperature taking by companies, stores or shops is a measure to combat Covid-19 with a high potential impact on the privacy of citizens and with limited effectiveness, since a high number of infections occurs on the part of asymptomatic and fever-free patients ”, Fernando Fernández-Miranda, director of the digital regulation area of PwC, values in conversation with ABC.
In the opinion of this expert, the implementation of this measure is being carried out “arbitrarily and without any kind of scientific rigor”, at street level by the entrepreneurs themselves and not through qualified practitioners, in addition to being carried out in some cases “by means of non-approved equipment and without being accompanied by any other type of additional measure”, which is why “they are absolutely contrary” to the RGPD.
“The value of body temperature is a health fact in itself”, argue from the AEPD, which warn that the implementation of this type of scanners should not be launched “without the backing of legislation”. The agency warns that the shops and establishments that support this measure to screen who enters or cannot suppose “an eventual denial of access” and “would be revealing to third parties” a person’s state of health without “any justification for knowing it.”
Other countries have incorporated these control measures in some establishments such as China. In Europe, however, the measure is under public scrutiny to analyze possible intrusions into people’s privacy. In the Netherlands, in fact, last week the Data Protection Authority expressly prohibited the taking of temperature for fever-seeking workers by means of thermometers or thermal cameras from another statement. “For this measure to be lawful and find accommodation in the data protection regulations, it must be suitable and effective, and it is essential that it be accompanied by additional ones that must be determined by the company’s own occupational risk prevention service and with all guarantees ”, adds Fernández-Miranda.
The AEPD is in the same line, which ensures that “temperature taking and access to these health data would be legal if the person gives their express consent”, although it also finds some gaps in that this could be legal, since consent would be conditioned on your need to access the trade or service in question. For the regulator, “the people affected cannot refuse to submit to the temperature taking without losing, at the same time, the possibility of entering some work, educational or commercial centers, or the means of transport, to which they are interested in accessing ».
In case of express consent of the person to take the temperature, this decision, however, “would not be free”, which is essential to comply with a “legitimizing basis”. Among the data protection principles included in the RGPD, the limitation of the purpose should be mentioned.
“This principle assumes that data can only be obtained for the specific purpose of detecting possible infected people and preventing their access to a certain place and their contact within it with other people. But these data should not be used for any other purpose, “insist the experts. In such a way that only in the work environment can there be a “legal basis”, according to the AEPD, as it is in the obligation that employers have to guarantee the safety and health of their workers. .