The GDPR became applicable on 25 May 2018, after several years of negotiations between EU institutions. The law, which protects EU data subjects’ personal data, grabbed headlines for the strictness of its rules and its worldwide applicability.
“This was what really surprised us in our investigations into Santa’s operations,” the spokesperson said. “He’d been labouring under the misapprehension that, operating from the North Pole, the GDPR didn’t apply to him. But he was monitoring the behaviour of children in the European Union. The GDPR clearly applies in these circumstances and he should know better.”
The spokesperson pointed to several aspects of Santa’s operations that fell short of GDPR standards, including:
1. Failure to provide transparency notices: “Try as we might, we simply could not find a privacy notice for Santa anywhere”, the spokesperson said. “At the very least, we’d have thought he could have posted privacy notices on the chimneys and letter boxes where children post their letters to him.”
The spokesperson also pointed out that, where parents - rather than the children themselves - had provided their children’s data to Santa, Santa should have given privacy notices to those children within a one month period. “As the recent decision in Bisnode makes clear, it’s simply not a valid argument for Santa to say that providing these notices would have been a disproportionate effort,” the DPA said.
2. Failure to establish a lawful basis: The GDPR requires organisations that process personal data to have a “lawful basis” for their processing. This was another area where the DPA found Santa lacking: “Santa tried to argue reliance on legitimate interests but, frankly, he failed to produce any kind of legitimate interests assessment, and the GDPR already makes clear that particular care must be taken relying on legitimate interests when processing children’s data.”
In his response, Santa suggested that children had “consented” to the processing of their personal data, but failed to produce any auditable consent records or to evidence that parents had consented on behalf of children under the age of valid consent.
3. Special categories of data: The spokesperson reported that Santa collected data about the race, ethnicity, and religion of children in order to provide them with culturally-appropriate gifts, but failed to show any lawful grounds for collecting and using these so-called “special categories of data”. “Santa told us that it was in the substantial public interest to gather this data,” the spokesperson said, “but we were having none of it!”
4. Automated decision-making: “It was clear to us, early on in our investigations, that Santa relies on profiling and automated decision-making,” said the spokesperson. “I mean, how else could he possibly process the volume of personal data that he does to segment child audiences into ‘naughty’ or ‘nice’ lists?”
The algorithms Santa relies on for this automated sifting have a dark side, however - resulting in significant impacts on children’s happiness by determining whether or not they receive presents. This “automated decision-making” is prohibited under the GDPR, the spokesperson said, unless an exception applies and there is a right of human intervention.
“Santa did argue that there was a right of intervention, but conceded that it was elf intervention, rather than human intervention,” said the DPA spokesperson. “That’s just not good enough.”
5. Lack of a DPO: The GDPR requires certain organisations to appoint a “data protection officer” to advise the organisation on its data protection responsibilities. This is the case for organisations that engage in “regular and systematic monitoring” - for example, monitoring whether children are being good throughout the year. Needless to say, Santa had not appointed a DPO. “What we found,” said the spokesperson, “was that Santa - through his use of proprietary algorithms - effectively acts as judge and jury deciding who does and doesn’t receive presents. Had he appointed a DPO, he would have been much better advised on his compliance responsibilities.”
6. International transfers: In addition to the multiple failings described above, the DPA discovered that Santa had failed to take any measures to protect the data sent to the North Pole. “Santa had no Standard Contractual Clauses, no BCR, and had no valid basis to rely on data export derogations. The North Pole is simply not an 'adequate' place to send data.”
In his defence, Santa responded that the data export solutions available under the GDPR were not applicable to his particular circumstances and that the DPA’s suggestion, that he establish local operations, including data centres and decision-makers in Europe, was excessively costly and impracticable.
“Difficulty in complying with the law is not an excuse for not complying with the law,” said the spokesperson. “Nobody is making Santa process this data – he chooses to do so. And if he chooses to do so, then he has to accept the compliance responsibilities that come with it.”
After considering the significant violations of the GDPR attributed to Santa, the spokesperson told us the DPA intends to impose a £1bn fine - equivalent to 4% of Santa’s annual worldwide turnover, generated through Santa’s lucrative advertising deals on digital media which rely heavily on targeting of children. The fine is the maximum that can be imposed under the GDPR and will be the largest fine ever imposed by a European DPA. "The failings we've told you about are really just the tip of the iceberg," said the spokesperson. "No pun intended."
In light of this planned enforcement action, a spokesperson for Santa told us that Santa would review his organisation's privacy compliance obligations worldwide and would establish local datacenters in Europe, as well as encrypt letters sent up chimneys, in the near future. Proof, said the DPA, that GDPR enforcement produces results.
Merry Christmas everyone!
Reporting by: Phil Lee; Editing by: Phil Lee’s kids
December 15th: 11.31am.