The data privacy case against Santa Claus
REMEMBER The Grinch, who hated Christ mas? Every year he tries his best to think of ways to stop Christmas, often by stealing gifts that people give; he keeps mistaking Christmas for the presents that people give, not realizing that it is the gift-giving that makes Christmas, Christmas. Not the gifts.
So The Grinch thought he’d sue Santa, and everyone else who works with him. The Data Privacy Act of 2012, or Republic Act No. 10173, requires a legitimate purpose for the processing of personal data, which is anything and everything that can be linked with, and used to identify, an individual. Personal data, of course, includes an individual’s name and contact details, such as home address. Legitimate purpose means legal basis to collect and process personal data, which falls under three general categories: the data subject gave his/her consent; the processing is required under the law or in a contract; or justified by a medical emergency.
Santa Claus, The Grinch said, was violating data privacy laws because he was collecting and processing information with neither consent nor legal basis.
Long story short, The Grinch prepared a case against Santa. Here’s the list of the data privacy violations that The Grinch alleged Santa committed:
1. Unauthorized processing. To make his naughty-or-nice list, Santa had to collect and process personal data; the Data Privacy Act requires not only consent, but recorded consent, from data subjects. Without consent, Santa has to prove that the surveillance he (and his elves, maybe) did on minors was based on law, contract, or a medical emergency. Unauthorized processing, defined as processing of personal
data without the consent of the data subject or authorization under the law, is punishable by one to six years of imprisonment and a fine of P500,000 to P4 million.
2. Accessing personal data due to negligence. When Santa shared his naughty-or-nice list with his elves, he gave them access to personal data without consent from the data subjects, or the kids. If found guilty, he could be fined between P500,000 to P4 million, and imprisoned for one year up to six years, for providing access to personal data without authorization.
3. Unauthorized disclosure. If Santa shared that naughty-or-nice list with the child’s parents, those would be sharing with “third parties”; sharing personal data to third parties without consent from the data subject is punishable with a fine ranging from P500,000 to P2 million, and a jail term of between one to five years.
4. Combination or series of acts. A combination or series of acts that violate the Data Privacy Act is punishable with imprisonment from three to six years, and a fine of between P500,000 and P5 million.
And that was just the naughty-or-nice list. What about the letters that the children wrote?
If a child wrote to Santa Claus and his elves read it instead of Santa, was there a personal data breach? What if the child’s parents read it instead? Or a charitable institution dedicated to fulfilling children’s Christmas wishes?
When Santa delivered the gifts, was that unauthorized processing? Yes, the children said they wanted the gifts, and there was—sort of—an expectation that they would be delivered instead of being picked up at the North Pole, but should an expectation be tantamount to a recorded consent?
The law is clear: Consent must not only be recorded, it must also be informed; the data subject must know what she/he is consenting to. Putting a return address on an envelope with a letter requesting for a Christmas gift is not the same as saying yes to the processing of one’s information on where one lives, putting that on a list, and delivering a gift to that address.
And then there’s cross-border transfer: when Santa brings that naughty-or-nice list with him all over the world, is that a cross-border transfer of personal data? Has he taken steps to ensure that that personal data is protected from the prying eyes of other governments, should the list happen to be lost?
But hey, Santa lives in the North Pole, and he’s not even Filipino. Can he be sued under Philippine laws?
Sadly, yes; the Data Privacy Act is an extraterritorial law, meaning it can reach out and hold accountable even those who live outside the Philippines, for as long as the violations mentioned in the law are applicable to them. In other words, for as long as the personal data involves a Philippine citizen or a resident, or the processing is being done in the Philippines, or the processor has links in the Philippines, the law will apply. The Grinch was sure he had a case. Thankfully, it was dismissed at the prosecutor level, which meant it wasn’t even filed in court. The Prosecutor said there was no prima facie evidence—which meant there was no evidence to establish the fact that a crime had been committed.
First, one exemption under the Data Privacy Act is the processing done for, among others, “literary purposes”, and Santa is, well, more fiction than fact. Second, and just as important, not a single child cooperated with The Grinch. This meant he didn’t have proof that personal data was collected and processed, because he didn’t have the naughty-or-nice list, and he couldn’t point to a single person whose data privacy rights were violated.
***
Dana Batnag heads the policy and risk management section in the data privacy office of a financial service institution. She may be contacted at yourdataprotectionofficer@protonmail.com