What you need to know
- Apple has reopened stores in Germany.
- It is conducting temperature checks of customers and employees, as it has done in several other countries.
- It appears the practice is being probed by local regulators over concerns that this is a breach of EU privacy rules.
A report from Bloomberg Law suggests that Apple's practice of checking customer temperatures in its German Apple Stores is being probed over a possible breach of EU privacy rules.
According to the report:
Apple Inc. is facing a probe by a regional German data protection office into whether its plan to take the temperature of its store customers violates EU privacy rules, the regulator said.
The Hessian data protection agency's investigation comes after Apple reopened stores across Germany May 11 with extra safety procedures, including temperature checks and social distancing.
The office wants to know if the temperature checks violate the applicable data protection rules, Ulrike Muller, a spokesperson for the Hessian Data Protection Commissioner, said. There are no results yet from the probe and the office is coordinating with other German data protection authorities, Muller said
Now, this may sound ridiculous at face value. However, a recent legal assessment regarding conduct temperature checks has confirmed that the EU's GDPR rules actually make this a bit of a minefield. The upshot is this:
Information collected through checks relating to an employee or visitor's temperature, even just noting it as "high" or "within a normal range," will constitute "data concerning health" under the GDPR. By recording such data, you will be processing a "special category of personal data." The GDPR generally prohibits processing of this kind of data unless you can demonstrate you satisfy one of the legal grounds under Article 9(2).
It seems that under EU privacy rules, a person's temperature can be considered 'data concerning health'. One of the key aspects will be whether Apple is collecting the data, or simply using it as a screening tool to determine whether employees and customers are allowed in the building. If Apple is recording, for instance, the temperature of its employees so that it has data should a case be confirmed amongst staff, it will have to satisfy certain legal grounds as to why it should be collecting the data. The chair of the EU's European Data Protection Board has previously stated that "data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic." However, she reiterated that "even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects."
If any such breach is found regarding the checking of temperatures in retail spaces, it could have repercussions within the EU far beyond Apple's own retail operation, and any such finding would impact not just Germany but all EU member states.