High time for Santa Claus to step up his privacy game?

Santa Claus is undoubtedly one of the largest data controllers in existence, processing all the world’s children’s personal data. There are estimated more than 2 billion children in the world, not to mention the number of parents, approximately 4 billion, which makes Santa Claus a data controller comparable to data giants such as Google, Meta, and Amazon.  He is believed to process personal data such as children’s names, age, gender, preferred presents, personal traits, preferences, and hobbies (to determine suitable presents), home address and possible other location on the 24-25 of December, and information on the child’s behavior before Christmas along with a scoring related to that behavior’s estimated naughtiness or niceness.

Due to the sheer volume of data subjects, the worldwide scope of activities and Santa Claus’s personal data processing being centered on children’s data, and including behavioral profiling of those children, Santa’s processing activities are to be seen high risk at their face value. It is quite evident that before continuing his activities, Santa Claus should make a thorough data protection impact assessment to determine the necessary controls mitigating the risks to the rights and freedoms of the data subjects.

There are at least three categories of high-risk activities we would like to draw his special attention to:
  1. Firstly, we have received some information suggesting that Santa Claus is engaged in quite extensive surveillance activities through his agents, the elves, who are constantly keeping an eye on children and reporting their findings back to Santa Claus. It is not clear whether such surveillance activities extend to network and/or digital surveillance – children are after all known to spend more and more time online and in digital spaces, which has also opened new dimensions for nice and naughty behavior. The legality of these surveillance activities is highly questionable especially as the legal basis for such activities is unclear and uncommunicated.

  2. Secondly, and this is related to the first point, Santa is engaged in behavioral profiling and quite probably automated decision-making by attaching certain values indicating a behavior’s niceness or naughtiness, including maintaining a list of these behaviors and the related naughtiness/niceness scores. This information is used to determine whether the child should receive presents at all, and such scoring may also affect the number and nature of the presents received by a child. In other words, the processing produces significant legal effects affecting the child.

    Especially if the scoring is done by automated means, Santa should make sure that there is human intervention in deciding the consequences, e.g., whether the child is to receive coal (or brushwood in Finland) instead of presents. It is worthwhile to note here that elf intervention is not in compliance with the GDPR. Santa should furthermore allow the child and/or their parents to express their point of view and to contest the decision before it is put into effect. It is also important to note that the effects of such decision-making should not be discriminatory in any manner - e.g., the income level or social status of the parents should not affect the amount or nature of gifts.

  3. Finally, Santa Claus seems to have serious transparency issues, which also seriously hampers meaningful effectuation of data subject rights. Indeed, it is somewhat difficult to find reliable and up-to-date information on Santa Claus’s processing practices. Santa Claus doesn’t for example have an official website and, at least according to our understanding, he isn’t in the habit of providing written privacy statements to children in connection with his visits either.  There are, however, several Christmas songs from which we can receive some information regarding his data processing (whether the lyrics of those songs ultimately originate from Santa Claus himself is up for some debate but let’s give him the benefit of the doubt here).

    While we welcome the innovative and age-appropriate approach in Santa Claus’s communications, the current level of information provided is insufficient with regard to the transparency requirements of the GDPR as it seems to lack a majority of the points required in Articles 13 and 14 of the GDPR. Santa is therefore advised to extend the information provided to include these points, special attention being drawn to information related to the logic involved in automated decision-making and its consequences to the children concerned. Whether the information is provided in the form of a jolly GDPR Christmas song, a printed and illustrated GDPR themed bedtime story, or otherwise, is up for Santa Claus himself to decide as long as the relevant information reaches the data subjects. We would, however, advise him to at least consider modernizing his communications strategy by, for example, putting up a website.

In conclusion, we encourage Santa Claus to urgently take action to bring his processing activities to an acceptable GDPR compliance level

Otherwise, he will risk significant fines and reputational damage. As Santa Claus’s headquarters are located in northern Finland, a far-away place called Korvatunturi (English-speaking countries have mistaken this to be the North Pole), his activities fall under the supervision of the Finnish Data Protection Ombudsman, who can at their own initiative or following a complaint by a data subject, conduct an investigation and take disciplinary action towards Santa Claus.

Santa, if you’re reading this, we’re happy to help you fix this.