Santa’s blatant disregard for Canadian privacy law

I was in the midst of my annual ritual of removing the undeserving from my Christmas card list (take that, opposing counsel who would only respond to the senior on the file! Et tu, client who revised a four-page affidavit 18 times on the Friday before a long weekend!) when it occurred to me that my list was a veritable gold mine of personal information. And I knew that I, being a competent lawyer appropriately terrified by both the LSUC and the Privacy Commissioner of Canada, was fully compliant with the privacy legislation protecting all that information.

Then it occurred to me that other people must have lists like mine…bigger, more detailed lists. Lists in the hands of others who might not be so compliant. In fact, I thought, the mother of all Christmas card lists must be Santa’s.

And Santa, I fear, is a lawbreaker.

Santa’s data collection practices are, frankly, scandalous. I attempted to bring them to the attention of Canada’s Privacy Commissioner, but his office merely said it “would study the matter.” I may also have overheard the word “whackjob” as I was hanging up the phone. Clearly, they’re worried about lumps of coal in their stockings and have no faith in the federal whistleblower legislation.

Santa, having been declared a Canadian citizen, is subject to Canadian laws, including the privacy legislation, PIPEDA. PIPEDA applies to organizations that collect, use or disclose personal information in the course of their commercial activities.

I can already hear some of you grumbling. Santa isn’t about crass commercialism, you say; he’s about hope and joy and the spirit of the season. Sure, I know Santa’s branding team has pitched him that way, but make no mistake — he is in it for the money and sits atop a complex pyramid of trusts, charities, and off-shore accounts. Santa himself is judgment-proof, with his assets, notably Santa’s Workshop and Santa’s Helpers, protected in registered charities. He’s obviously had top-notch legal advice.

And he clearly collects personally identifiable information…without the required consents or permissions. It’s admittedly hearsay, but we all know “he’s making a list.” While Santa does document the purposes for which he seeks to collection personal information (“to find out who’s naughty or nice”), and I respect his commitment to accuracy (he claims he’s “checking it twice”), he nonetheless collects this information without consent. While consent can sometimes be implied, covert nighttime surveillance (“he sees you when you’re sleeping”) hardly qualifies.

PIPEDA also provides that upon written request, an individual shall be informed of the existence, use and disclosure of his or her personal information and has the right to challenge the accuracy of the information. Santa’s data gathering practices, however, seem immune from challenge. I wrote to Santa asking whether I had been assigned to the Naughty List or the Nice List and requesting that, if I was on the Naughty List, what steps I should take to correct this obviously erroneous designation. I received reassurances from Postal Elf Bob that Santa would respond:


But when he did, Santa’s response was vague and just went on at length about his reindeer:


Because of my business acumen, I also know a money-losing proposition when I see one. Santa flies around the world, delivering toys — for free. Anyone who has been on the wrong end of the billable/non-billable debate knows that giving stuff away for free is not a sustainable business model, so I can only conclude he must be driving revenue somehow. It’s not through advertising, as I have yet to find a slick Santa marketing brochure under my tree. But Santa has been collecting children’s consumer data for years — he has a database of their preferences for toys and their behaviour, and it’s all tied to the child’s name, age and address. This is the real value in Santa’s operations, particularly since Santa’s largest real estate asset, his workshop, while vast and technologically sophisticated, but is devalued due to its North Pole location and the various infrastructure, supply chain and distribution channel challenges. There is no doubt in my mind that Santa is peddling his database of information to Toys-R-Us or Walmart. I imagine this kind of information is worth millions to them.

With his shoddy data protection practices (yes, he lives in the North Pole in an impenetrable fortress/workshop guarded by the Abominable Snowman…but we live in a global digital economy now and anyone who has watched the Frosty TV special knows snowmen make lousy security guards when the heat is really on), Santa is bound to have a privacy breach sooner or later. And me, I’ll be there. With this new tort of intrusion upon seclusion, just think of the class action possibilities.

Of course, finding a representative plaintiff could be tough. There’s little incentive to complain — the Big Guy trumpets defensively that he uses the information to help the kiddies, as though this justifies illegality. If you want a Nintendo, you get one. If you want a drum kit, you don’t ending up sulking with a Furby. Who in their right mind would crash the Privacy Commissioner’s doors to complain about that?


See my original post at Precedent Magazine.


About InfoLawyer

I'm an cybersecurity, data protection and privacy lawyer lawyer at the Toronto law firm of McCarthy Tetrault. When not writing here, I am writing restaurant reviews for Precedent legal magazine or using the backs of restaurant napkins to work out the odds of whether I can be replaced by an artificially intelligent machine (this week's odds are 70:30).
This entry was posted in Humour, Uncategorized and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s