Is Santa UK GDPR Compliant?
The Naughty List & Nice Privacy Notice
Key Contact: Claire Knowles
Author: Adam McGlynn
You better watch out and you better not cry – yes, it is that time of year again when the jolly man in red comes to town. Christmas songs have been playing in public for a while now, with perhaps little respect for fans of Halloween and bonfire night, and one classic in particular caught my attention – Santa Claus is Coming to Town. When listening to the lyrics about making a list, coming to town, and watching us when we sleep, I was astounded that I had never appreciated the quite obvious legal offence there… that’s right… surely that list can’t be UK GDPR compliant, can it?
There are likely few reading this article who haven’t heard of the EU’s General Data Protection Regulations (GDPR). For those who have lived such a blissfully merry existence, the GDPR places obligations on those who control the collection and processing of personal data (data controllers) and those who actually process such personal data (data processors) in order to grant, and safeguard, certain rights to those who can be identified from that data (data subjects). The UK have retained a domestic version of the GDPR (UK GDPR) since 1 January 2021, following the end of the UK-EU Brexit transition period.
Does the UK GDPR even apply to Santa?
As we discussed in Elf Labour – the Definitive Legal Answer, Santa’s workshop is located at the North Pole, which we discovered is governed by the laws of the high seas. Despite being far from UK territory, Santa’s operation would still be subject to the UK GDPR, even in the North Pole, because he offers services to data subjects in the UK and monitors our behaviour to ‘find out who’s naughty or nice’.
While there are no specific UK GDPR exemptions for ‘being Santa’, Santa could argue that the nature of his activities falls outside the scope of UK GDPR anyway as personal or household activities. The benevolence of Santa’s gift-giving and the fact that he is not publishing any of the personal data he collects could lead to compelling arguments that his activities are part of his private life, though the fact that Santa can afford to keep manufacturing toys each year suggests that this ‘Christmas’ venture is somehow connected to a professional or commercial activity. Ultimately though, the fact that Santa ‘sees’ when we are asleep and ‘knows’ when we are bad or good suggests a level of surveillance that is simply irreconcilable with domestic purposes and it would make a mockery of the law if Santa fell outside the scope of the UK GDPR while potentially storing information on every person on the planet.
Santa though the eyes of the I C Ho-ho-ho
So, due to the extraterritorial scope of the UK GDPR and the nature of Santa’s activities, it appears he will need to understand how the UK GDPR applies to his operation or he could end up facing the wrath of the Information Commissioner’s Office (ICO), the UK’s independent regulatory office established to uphold information rights in the interest of the public:
- Purpose – Santa’s purpose seems quite simple: To decide who should receive presents, what presents they should receive, and to deliver those presents to the correct house… within one night… without being caught by those who are still awake… simple.
- Data Controller – Santa determines the purpose of the data processing and controls how it is collected and used, making him a data controller. Whether his elves could be separate data processors would depend on their employment/ commercial relationship with Santa, which is a rather dark shade of legal grey area explored in Elf Labour – the Definitive Legal Answer.
- Data Subjects – Though Santa’s gift-giving criteria in terms of age and belief are shrouded in mystery, we know that he delivers presents (or coal) to the children of the world. At least those children (and parents and guardians) would be identifiable by the personal information that Santa processes, however, depending on how generous those conditions are and how long he retains the data, he could potentially store data on everyone. Personally, I wouldn’t object to a heated blanket this year, so I choose to blindly assume I could still make the list.
- Personal Data – Any information relating to those data subjects will be personal data. At a minimum, Santa collects names, addresses, information contained in Christmas letters, gift preferences, times the person is awake on Christmas eve, and evidence used in naughty/nice assessments. Additional safeguards would apply if Santa included criminal conviction data in his behaviour assessments, however, Santa would not need to know whether society criminalises certain acts as he applies his own moral standards – so be good (to the reasonable satisfaction of Santa) for goodness sake.
Now that we understand the details of Santa’s operation, we can assess whether he is UK GDPR compliant. To keep himself off the ICO’snaughty list, he will need to:
- Establish a lawful basis for processing the above personal data;
- Comply with various data protection principles and obligations; and
- Understand and facilitate the rights of data subjects.
Can Santa’s lists be lawful?
The important first step towards UK GDPR compliance is having a lawful basis for processing the personal data. Santa has a few options which could potentially apply, the most relevant being:
- Consent – Surely a child would consent to Santa having the information he needs to bring them a present, right? Unfortunately, only clear, informed, and demonstrable consent will suffice and so implied consent cannot be assumed.
- Performing a Contract – Santa could argue that delivering Christmas presents is him performing a contractual obligation in exchange, for example, for cookies and milk or the recipient’s good behaviour. A contract could perhaps be established by those sending Christmas letters or those who negotiate with their local shopping centre Santa representative; however, this would likely be a weak basis, especially for other children.
- Public Interest – This sounds promising but would likely fail as well. Few would challenge the public interest of receiving presents, promoting good behaviour, and spreading Christmas cheer, but the basis for relying on this justification needs to be laid down by domestic law. As Santa is a chaotic-good rebel who plays by his own rules, his function operates outside the law.
- Legitimate Interest – Santa’s strongest justification likely lies with the processing being necessary for the legitimate interests of third parties, namely those who receive presents and potentially those who benefit from any consequential behaviour modification. Santa would, however, need to balance those interests against the rights, interests, and freedoms of data subjects, with a greater degree of care for children. It is up to Santa to conduct this assessment and so, despite the daunting scope of processing data on every good and bad deed, he could conclude that appropriate safeguards are in place and the rights of children are adequately protected, perhaps citing that his function is well-known and expected of him.
Where Santa has been Naughty
Establishing a lawful basis is not the end of the sleigh ride for Santa though. He will still have to comply with various data protection principles and obligations. Unfortunately, some of which may pose more of a risk than others:
- Transfer Limitation – Santa could be in breach of UK GDPR when transferring personal data to the North Pole. There are finite circumstances when personal data can be transferred outside the UK but, unfortunately, the UK government has not recognised Santa’s Workshop, North Pole as an adequate destination for data transfers yet and the other exceptions would not apply. In the meantime, Santa could establish local data centres in the UK so that overseas transfers are no longer necessary.
- Transparency – Santa is not particularly transparent about the way he collects and uses personal data. We should really be told how he knows we have been bad or good along with other important details such as his data retention policies and how we exercise our rights of access and rectification etc.
- Storage Limitation – Speaking of retention, Santa can only retain personal data for as long as is necessary for his specific purpose. I.e. names and addresses should only be kept for as long as Santa may deliver presents to that person and only current gift preferences and information on recent good and bad deeds should be stored. It would be reassuring to know that information on our historical bad deeds and gift preferences has been irretrievably deleted… right Santa?
Where Santa has been Nice
I don’t want to be a complete grinch though. Santa is surely aware that it would be difficult to actually hold him accountable for non-compliance in any enforceable way, but he nevertheless seems to make some effort:
- Automated Decision Making and Profiling – By checking his list twice, it seems Santa is not relying on automated processes for profiling or decision making.
- Accuracy – Again, Santa maintains the accuracy of personal data by checking his list twice and seems to do a good job of making accurate deliveries. Except that one time I got Mega Bloks… I asked for Lego and, yes Santa, there is a difference.
- Security, Integrity, and Confidentiality – While I don’t know Santa’s exact security measures, I must recognise that he does not seem to have ever had a data breach. He certainly never shared my Christmas list with anyone – even my parents were always super surprised each year.
Data Subject Rights and Santa’s Privacy Notice
Santa usually gets letters disclosing information and requesting presents but I suspect he rarely gets letters exercising data subject rights. If you wanted to though you could include, in your Christmas letter this year, a request to access your personal data, object to the processing, or request to be forgotten… though *disclaimer* you may risk missing out on presents.
Perhaps the right Santa should be most aware of though is the right of data subjects to be informed. Santa needs to provide all data subjects with a variety of prescribed fair processing information including the identity of the data controller, the purpose of the processing, and the categories of personal data processed, etc. This is commonly achieved by way of a ‘privacy notice’, however, Santa does not appear to have published one. When he does, he will need to bear in mind that special consideration should be given to how it is communicated to children. It should be clear and accessible and adapted to its audience, for example by being child-appropriate and presented in a manner appealing to a young audience. What Santa needs is something like that, perhaps written and spoken, which essentially communicates to children that he will be visiting them while they are asleep but before doing so he will need to know if they have been bad or good in order to put together a list of…
It was at this point the author recognised Santa’s genius and moved to recognise that genius in this article’s title.
How can Santa be more compliant?
Now obviously I’m biased because I’m still hoping for that heated blanket but, with a few tweaks, Santa seems well on his way to UK GDPR compliance. The final few steps I would recommend are:
- Set up those UK data centres we discussed and double check data retention policies.
- Collaborate to release another Christmas song that informs children of the outstanding fair processing information and how to exercise their data subject rights. Though Santa Claus is Coming to Town is an absolute tune… its drafting as a privacy notice leaves a lot to be desired.
- Consider providing a more comprehensive written privacy notice with each Christmas present.
- Appoint a Data Protection Officer. It is a requirement for Santa’s large-scale operation in any event and a good DPO can be a great help advising on compliance responsibilities. Santa, if you have trouble finding an elf who can fill the role, you can learn more about Acuity’s outsourced DPO service.
- Try Acuity’s free Data Asist Audit tool to check for any weaknesses in data security policies and get in touch for further advice.
If you would like to know more about how Santa can come to town following the UK’s revised Immigration Rules, feel free to check out Is Santa Coming to Town? UK Immigration Law v Christmas.