Breaking News: Grinch to Appeal Santa Corp. Ruling

In a last-minute bid to put a stop to Santa Corp’s data processing activities just before Christmas 2023, Ethan Grinch has announced he will appeal the recent decision of the Office of the Finnish Data Protection Ombudsman (ODPO) supporting Santa’s GDPR compliance, insisting that Santa has massively violated the GDPR through his large-scale data processing activities, including monitoring of behavior, without a legal basis for processing and without having conducted proper assessments for his data transfers.

*****

Tired of training new team members with boring old case studies? Why not take something fanciful but recognizable like Santa Claus, try to apply GDPR principles to it, and see where you land? There aren’t always obvious right or wrong answers, but it can be a great way of helping people think through common GDPR problems like jurisdiction, legal basis for processing, cross-border transfers, and others. That's exactly what Kerstin Bagus , Mark Sward and I did with this article on Grinch v Santa.... #gdpr #santa #make_privacy_fun

*****

As a reminder, Grinch’s main allegations in his initial complaint were the following:

• Santa has no legal basis for processing the personal data of EEA data subjects as part of his “Naughty and Nice” program, particularly with regard to automated processing and profiling, especially since Santa has not, and cannot, gather legally valid consent, as such consent could not be freely given where failure to consent would result in withholding of gifts;
• Santa transfers massive amounts of data to his North Pole operations as part of his “Naughty and Nice” program without a valid data transfer mechanism, such as binding corporate rules or an adequacy decision applicable to Santa as an international organization (since his primary establishment is not in any country, but at the North Pole, which is subject only to the Law of the Sea).
• Anticipating jurisdictional challenges, Grinch posited in his initial complaint Santa is both: (a) established in the EEA by virtue of his reindeer subsidiary, which manages a small herd of nine reindeer which graze in Finland and Norway outside of the Christmas season since the North Pole is devoid of proper grazing land; and (b) subject to the extraterritorial application of the GDPR by virtue of both monitoring data subjects’ behavior as part of his “Naughty or Nice” program, and also offering goods to data subjects located in the EEA, namely, gifts manufactured in Santa’s Workshop and delivered to data subjects’ homes without payment.

In response to these allegations, Santa put forth the following arguments:

• Santa indeed has a legal basis for processing data subject’s information. Potential data subjects are at all times aware of any collection of naughty or nice information, and that the processing was not based on consent but on the public interest to incentivize data subjects’ nice behavior and dissuade naughty behavior. Further, Santa indicated that processing basic identifying information, such as name, address, and age, fell under his legitimate interest to ensure accurate gift delivery, which also benefits data subjects. He had completed the required legitimate interest test and sent the documentation to the ODPO. In addition, Santa provided his full records of processing activities to the ODPO, showing what information was collected and the legal basis, among other information as required by the GDPR. Santa also pointed out that the impact on the rights and freedoms of data subjects who were ultimately deemed to be naughty were minimal, as even the naughtiest data subjects would receive coal, which has a monetary value even if its value as a plaything is limited. Finally, Santa argued that any potential data subject who objected to Santa’s processing of their personal data could (in the case of children and with parental approval), opt for an alternate gift program operated by a different organization, such as Hanukkah (which offers distinct benefits such as eight nights of presents rather than a single morning), or opt out of receiving gifts.?
• Santa does not engage in data transfers, as he is directly subject to the GDPR by virtue of his monitoring of data subjects and offer of goods and services and does not “transfer personal data to a third country or international organization”, as the North Pole is neither.
• While Santa neither acknowledged nor opposed the jurisdiction of the ODPO, he expressed a willingness to work in good faith with the Finnish regulator to resolve the complaint.

?

The ODPO’s initial review of the complaint was that Santa’s legal basis for processing was sound: the ODPO was persuaded by Santa’s argument that his processing is in the public interest and that the processing conducted under legitimate interest were adequately assessed and documented, and that data subjects’ rights and freedoms were respected through the transparency of his processing (the ODPO noted that Santa delivers fair processing notices through songs which clearly state, in terms understandable even to children, that “he knows when you are sleeping, he knows when you’re awake, he knows if you’ve been bad or good…” among other things), and also through the options for recipients who do not celebrate Christmas or who do not wish to receive gifts. The ODPO further found that data transferred to Santa does not require a data transfer mechanism as his processing does not meet the definition of “transfer” established by the European Data Protection Board, which requires a controller or processor subject to the GDPR to transfer data to another organization which is in a country outside the EEA or is an international organization.

?

Grinch has doubled down on his argument that Christmas—particularly gift-giving—must be stopped and has asked for an emergency intervention by Finnish courts to overrule the ODPO and order a stop to Santa’s data processing before December 24th, which would, in effect, cancel Christmas for everyone across the EEA.

?