Earlier this month the Belgium data protection regulator fined two airports and a contractor under the EU GDPR for unlawful monitoring of airport passengers for Covid. Both airports used thermal cameras for checking passengers’ temperatures and one of the airports supplemented this by requiring passengers with temperatures of 38O Celcius or above to complete questionnaires that asked for other information about their symptoms and additional health information. The use of thermal cameras and questionnaires in this way caused personal data to be captured, which is a processing activity regulated by data protection law.
LOS ANGELES, CALIFORNIA – JUNE 24: Travelers are displayed on a video screen walking past a test … [+]
Getty Images
Legal basis, transparency and risk assessments
There was an array of legal contraventions that justified the fines, including the absence of a clear legal basis for the monitoring, lack of transparency about what was happening and failure to conduct proper risk assessments, in breach of the requirements of the GDPR.
The fines themselves were not large (€200,000, €100,000 and €20,000), but they might represent a tip of the iceberg moment, signposting the way for other cases in the future. Taking account of the magnitude of Covid monitoring and testing that was performed during the Pandemic – and which is still ongoing to varying degrees – the size of the iceberg of unlawful monitoring hiding underneath the surface is probably vast. As time moves on, the willingness of people to challenge the lawfulness of the measures that were put in place to fight Covid is only likely to increase. The range of possible targets for legal challenge is virtually unlimited, covering public authorities, health and care institutions, education, workplaces, schools, transport and consumer environments such as retail, hospitality, leisure and entertainment (to name just a few). And when weighing up the potential for legal problems, we should not forget that the class of people affected by Covid monitoring is huge: the bigger the class of people affected by an event, the greater is the likelihood of legal problems.
Leaving aside any arguments about whether the Pandemic was predictable, or whether we were suitably prepared, it was plainly an emergency situation that needed an urgent response and of course the EU data protection system permitted measures to be taken that interfered with individual rights and freedoms for the purpose of protecting public health. However, the emergency situation did not wipe away or neutralise all established legal concepts regarding the rights and freedoms of individuals. The need for emergency measures to be conducted in accordance with the law is well established.
Less haste, more speed – inevitability of legal problems
The problem that these cases seem to point to is that in emergency situations, when things need to be spun up at speed, hasty measures can be error prone, thereby storing up longer term problems. Insufficient care may be taken with ironing out the legal basics, such as ensuring that the measures build upon appropriate legal footings, are duly transparent and properly risk assessed. Thus, if airports can fall into legal difficulties on these basics, it seems that there is a high likelihood that other measures taken during the Pandemic by other actors for similar purposes will suffer from the same problems.
Proportionate responses
It might be argued that because the measures taken for virus control during the Pandemic saved lives, technical legal problems should be excused. There is some strength in this point of view and to provide a legal context for the framing of the argument, regulators and the courts will consider the overall proportionality of things when legal challenges come their way. However, the issues that the Belgian regulator latched on to are not issues within the legal periphery, but, instead, are at the very heart of how the EU (and, despite Brexit, the UK at this moment in time) judge questions of law relating to the fundamental rights and freedoms of individuals. There are many illustrations of this point, but the case of Bridges v. South Wales Police (2020), a decision of the English and Welsh Court of Appeal, is one that contains many parallels with the Belgian cases.
Bridges was concerned with police trials of Automated Facial Recognition technology (i.e., surveillance cameras, just like the Belgian cases) in public places (airports are public places). The trials were found to be unlawful, due to inadequacies in the underlying legal basis that was relied upon and deficits in the risk assessment process that was followed. In Bridges, the police relied upon a legally unclear policy framework (the airports relied upon legally unclear protocols) and they failed to conduct a proper “data protection impact assessment” (just like the airports). The legal arena of Bridges was privacy and data protection law, while the Belgian cases were data protection, but this also protects the right of privacy. Both cases were concerned with matters of very high public importance, namely public safety and security in Bridges and public health in the Belgian cases.
The clear lesson taught by these cases is that the end does not justify the means in societies that are subject to the Rule of Law.
Emergency situations – we’ve been around this buoy before
There is a long line of legal authorities that teach us that exceptional care needs to be taken with legal matters in emergency situations. The cases also teach us that what might be deemed acceptable to society in the immediacy of an emergency may prove to be less so as time progresses, with dramatic and sustaining legal consequences
In the data protection context, perhaps the best example of these risks is the surveillance system built by the US intelligence agencies in the aftermath of 9/11. 9/11 was a uniting moment for billions of people around the world as we watched in horror as the attacks on the US unfolded. That unity included a wish to take necessary steps to prevent further atrocities. However, it was subsequently discovered that the surveillance system built in response was fundamentally unlawful in myriad ways and we are still feeling the legal consequences over two decades on.
Specifically, the nature of the surveillance system was such that it led to the end of the EU-US mechanism to guarantee the lawfulness of transatlantic data flows, called “Safe Harbour”, in 2014, and the end of its successor, “Privacy Shield”, in 2020. The EU and US authorities have recently announced a new successor, called “The Trans-Atlantic Data Privacy Framework”, but this is considered by some commentators to suffer from the same deficits of its predecessors, due to the nature of the legal basis that it will build upon in the US, i.e., a Presidential Executive Order rather than Congressional legislation. The fate of The Trans-Atlantic Data Privacy Framework is a matter for future determination, but borrowing from the examples of its predecessors, it is impossible to rule out the risk of Covid monitoring measures following a similar, prolonged period of reactive legal challenge.
Data protection was a known challenge during the Pandemic
The challenges of achieving compliance with data protection and privacy law were strongly analysed and debated during the Pandemic, most obviously in the context of contact tracing utilising computer technology, apps and Bluetooth. The nub of the concern was whether these systems should be centralised or decentralised and eventually, in large part due to the intervention of the academic community and the engagement of Apple and Google, the decentralised system was widely preferred, as being more privacy-friendly. Therefore, the possibility of contravention of data protection and privacy rights was a known risk of virus control measures, providing an alert to all actors involved in measures that involved monitoring of people.
Therefore, when the Belgian cases are considered, their implications should be viewed in the round, not simply by reference to the specific factual matrix of the cases. It is perhaps possible that the Belgian regulator reached the wrong conclusions on the facts or misapplied the law – these would be matters for subsequent legal adjudication – but even if so, it would not materially lessen the risk of a legal homecoming for some of the measures taken in the interests of virus control.
