The impact of the Covid-19 pandemic cannot be overstated. The loss of human lives, the disruption of social and daily life, the burden on public resources and the economic crisis, just to name a few effects of this global public health crisis, will make their long-lasting mark on many aspects of our diverse ways of life, all over the planet.
Extraordinary times have called for extraordinary measures. Emergency powers have been invoked by governments in many different contexts, mostly reflecting the pre-existing organization of their respective countries.
Given the fact that most symptomatic patients infected with the SARS-CoV-2 virus present fever, the measurement of body temperature became a common method of the detection of possible patients.
Portuguese authorities have, similarly to many others worldwide, made this a compulsory practice under some circumstances. As this has an impact on the fundamental rights of free development of personality and protection from intrusion on the personal health status, it constitutes a restriction that must be provided by law, with due consideration given to the adequateness, necessity and proportionality of this restriction, when weighted against the impacted fundamental rights.
That was provided, within the constitutional framework for the declaration of a state of emergency, by Presidential Decree no. 51-U/2020, dated 6/11/2020, allowing the imposition of body temperature checks, by noninvasive means, namely as a requisite for gaining and maintaining access to a number of facilities as well as to the work place.
This was, in turn, further regulated by the Government Decree no. 8/2020, dated 8/11/2020, in which article 4, paragraph 3, the personal data protection aspect of this measurement was addressed, expressly forbidding any record of the measured temperature in connection with the identity of the subject, unless under his/her express consent.
Paragraph 4 made clear that any such record had to be done by means other than the measurement device, as it also forbade the use of devices with memory or recording function.
On this subject the Portuguese National Committee for Data Protection (CNPD) issued, on 13/11/2020, "Guidelines" on the processing of personal data under the said Government Decree no. 8/2020.
Of special interest is the statement on page 3 of these Guidelines that "the operation of reading body temperature translates into a processing of personal data subject to the GDPR"1.
The explanation provided by CNPD for this assertion is, apparently, based on the digital nature of the electronic circuitry built in the thermometers in use, namely the role of microchips in translating the electronic impulses read by sensors into a human-readable result (a numeric value of temperature in the Celsius scale).
The Guidelines state that clearly, this requires an automated processing of personal information. Therefore, it follows, it falls under the scope of the GDPR, as it meets the criterium of article 2(1): "processing of personal data wholly or partly by automated means".
The Guidelines also draw attention to the dissenting opinions of other European personal data authorities, namely the European Data Protection Supervisor (EDPS), quoting the "Orientations from the EDPS: Body temperature checks by EU institutions in the context of the COVID-19 crisis", based on this statement in page 5: "«Processing (wholly or partly) by automated means» refers to all processing done by means of computer technologies. This is not the case here: the use by a security officer of an analogue or digital thermometer results only in displaying the temperature, allowing the security officer to read the temperature value with this2 eyes."
It would appear that the Portuguese CNPD have focused their analysis on the digital technology of the thermometers while the EDPS would have excluded those digital processes that do not represent "computer technologies".
In fact, the EDPS text continues to elaborate, stating that "When the body temperature checks operated manually are followed by the registration of the measurement or combined with an identity check, such temperature checks must be considered as forming part of a filing system subject to the scope of application of the Regulation. The use of automated digital means to detect body temperatures, such as the use of thermal cameras or thermal scans, also falls under the scope of the Regulation since the EDPS considers such checks as a processing of personal data wholly or partly by automated means within the meaning of Article 2(5) of the Regulation" (italic original).
Under the light of recital (15) of the GDPR: "In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used.", we find that there is, clearly, a need to adopt a standard interpretation of what is meant by technological neutrality.
A good example of why this is so is to be found in the said Guidelines of the Portuguese CNPD; page 4 refers to the Lindqvist judgement of the Court of Justice of the European Union, in particular paragraphs 21, 23 and 26. The quoted excerpt, though, reads "regardless of the technical means used, provided that there are no technical limitations which restrict the processing to a purely manual operation.".
However, the theme under judgement was the disclosure of some personal data over the internet, which hardly compares to the use of a hand-held digital thermometer.
For completeness, the text of paragraph 23 of the Lindqvist judgement actually reads: "The Commission submits that Directive 95/46 applies to all processing of personal data referred to in Article 3 thereof, regardless of the technical means used. Accordingly, making personal data available on the internet constitutes processing wholly or partly by automatic means, provided that there are no technical limitations which restrict the processing to a purely manual operation. Thus, by its very nature, an internet page falls within the scope of Directive 95/46.".
Furthermore, paragraph 26 reads: "It remains to be determined whether such processing is 'wholly or partly by automatic means'. In that connection, placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically."
In our view, the judgment should be read bearing in mind that the terminology of Directive 95/46 used the word "automatic" where the GDPR uses "automated".
While it may be that an interpretation such as the one in the Portuguese CNPD is required for a higher degree of protection of the individual rights, the CNPD doesn't seem to make a very strong case for it in the Guidelines of 13 November 2020.
With this call of attention, we hope that the personal data protection community may take an interest in clarifying this matter of interpretation of the GDPR.
On a final note, the later Presidential Decrees (of 20 November and 4 December) added a new provision addressing the protection of personal data and expressly forbidding the recording or storage in memory of any temperature readings taken under the Decrees. The Government Decrees, in turn, added a new provision imposing a duty of professional secrecy on the operators of the thermometers.
1. Cf. https://www.cnpd.pt/home/orientacoes/Orienta%C3%A7%C3%B5es_Decreto_8_2020.pdf, available only in Portuguese, accessed on 28/12/2020. Our translation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.