He'd better watch out, he'd better beware! Posted by Hugh on 22 December 2015

A certain resident of the North Pole may need to change his data processing activities in the next two years, in order to comply with the new General Data Protection legislation, published during the past couple of days and likely to come into effect in early 2018.

Under the provisions of the new Regulation, the processing of personal data of data subjects anywhere in the world by a controller who is established in the EU will be subject to this Regulation. As readers (and reindeers) will be aware, substantial areas of the North Pole, protected by Norway, are recognised as forming part of the European Economic Area, so the new Regulations will apply to such processing.

From our reading of this provision, any “Naughty List” (or “Nice List” for that matter) will therefore be considered as ‘Profiling’ where it is being used to monitor the behaviour of EU citizens of any age.
'Profiling' is defined as any form of automated processing of personal data where those data are used to evaluate certain personal aspects relating to a natural person, including analysis concerning that natural person's performance, personal preferences, interests, reliability and behaviour.

There is no way to sugar-coat this – Santa’s list will be in the cross-hairs by the time this legislation kicks in in early 2018. He and his service providers – again, mostly resident within or on the frozen periphery of the EU, will have two years to get their house in order and find a compliant basis for such processing in the future.

The fact that he makes the list and checks it twice is laudable, indicating awareness of, and compliance with Rule 5 of the current legislation. However, simply having the list in the first place will need to be justified.

Traditionally, Santa does not seek the consent of the under-age data subjects whose behaviour, interests and performance he is monitoring. The principles of fair and transparent processing (key principles under the new Regulation), require that the data subject should be informed of the existence of the processing operation and its purposes.

Anecdotally, such notifications are provided by parents in the time-frame between Hallowe’en and mid-December in the form of threats and reminders a) that the lists exist, b) that Santa is watching, and c) that the data subjects’ data can be moved easily and dynamically from one list to another as circumstances, performance and behaviour dictate. It could be argued that such notifications in the past constituted a ‘fair processing notice’.

However, in a relatively short while, that will not be enough. Santa, as the Data Controller, will be required to provide the data subject with clear information with regard to the specific circumstances and context in which their personal data are processed.

Furthermore, the data subject should be informed directly about the existence of the profiling, and the consequences of such profiling. This is likely to add substantially to Santa’s communications costs in the run-up to Christmas 2018. A substantial opportunity for the creative folks in the direct marketing sector, perhaps?

Every one of these little data subjects will soon have the right to know and obtain communication about the purposes for which their data are processed, for what period (currently up to 10 or 12 years), and the consequences of such processing.

Where possible, Santa may even be required to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data! Imagine a secure, online portal on which these little dears can access and review their status, including the source of the data and the conclusions being drawn.

While such processing is considered to be very seasonal, the sheer volume and range of processing will be a substantial challenge for the Norwegian infrastructure, and is likely to lead to valuable outsourcing opportunities for service providers in other countries. Such processing will need to be covered by the usual Data Processor contracts – even with all this change, some things will remain!

Sytorus look forward to working with all Data Controllers, not just those in the seasonal gift distribution and global courier services, to prepare their data management practices for compliance under the new Regulation. In the interim, we wish all our readers a restful, peaceful and worry-free week on the ‘Nice List’, with all that that entails!

In the quiet of the New Year, we may return to look more closely at the privacy implications of Santa’s data gathering activities, especially the methods by which “he sees you when you’re sleeping, he knows if you’re awake”, etc.

Food for thought, but for another day.

Happy Christmas!