A couple of years ago, I blogged about how European data protection law applies to Santa Claus – in particular how data protection law applies in relation to the list that he maintains of children that are naughty and nice.
In that blogpost I based my analysis on the fact that Santa’s place of establishment was Lapland (an area covering EU member states Finland and Sweden).
However it was subsequently pointed out that Santa may actually be based in Greenland – which has had home rule since 1979 and left the EU (or EEC as was) in 1985. If that is the case, then Santa is in fact established outside the EEA and (therefore) the scope of EU data protection laws.
Perhaps in a bid to close this loophole, earlier this year, the European Commission announced plans to introduce a new data protection regulation, which would replace the existing directive and local implementation of that directive in each member state.
Crucially, the proposed new regulation would change the regime applying to data controllers established outside the EEA (such as Facebook, Twitter and Santa Claus).
The proposed new regime
The current data protection directive states that the laws apply only to organisations that were “established” in the EU. However Article 3 of the draft regulation would extent the laws to:
…the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union; or
(b) the monitoring of their behaviour.
This would appear to clearly cover Santa in respect of naughty and nice lists of, and the delivery of presents to, children in the EU.
As a consequence, Santa will be obliged, under Article 22 of the draft regulation, to appoint a representative in one of the member states where he delivers presents to children, and to ensure that his processing of personal data complies with the strict new rules under the regulation.
As the new regime is intended to simplify regulatory accountability (by allowing data controllers to select a single supervisory regulator, rather than being subject to different regulators in each member state), it will be interesting to see whether Santa elects to appoint a representative in a country with a traditionally business friendly approach to regulation (such as the UK), rather than a country with a strict approach to regulation (for example, CNIL in France).
Changes to rules on consent
The new regulation also proposes changes to the rules on consent.
In particular, stricter rules would be introduced in relation to obtaining consent from children and consent will not be legally valid if there is:
a significant imbalance between the position of data subject and the controller
Given Santa’s strong bargaining position in relation to the delivery of Christmas presents, it’s doubtful whether consent could be freely given by any child. This may mean that Santa has to rely upon the ground for processing in relation to organisations that exist for philosophical purposes (covered in Article 9 2(d) of the draft regulation).
Breaches of the new regulation
Under the Commission’s proposals, organisations that seriously breach the new law could be fined up to 2% of their global turnover. Whilst the finances behind Santa’s operations are opaque, for someone who sources and delivers presents to many millions of children such a fine could be vast.
No doubt Santa is watching in earnest to see what shape the regulation finally takes.
On December 20, 2012