Archive 360 Email Archive Migration Blog

Santa Seeks Exemption from GDPR

Posted by James McCarthy, Esq. on December 22, 2017

How His New Machine Learning SW is Causing Big Headaches for the North Pole

AP Report--Dublin, Eire December 25, 2017; by James M. McCarthy, General Counsel

Santa.jpgHaving just rebounded from fallout arising from defending privacy claims involving its controversial practice of sending a special (and just a bit creepy) elf scout from the North Pole to EU homes to help Santa Claus manage his naughty and nice lists[1], NorthPole, Inc., is grappling with a new compliance  problem…GDPR.  Readers will recall that its stock (ST-NIK) took a hit on all exchanges following legal fees and penalties for violations of the EU’s Directive 95/46 and UK’s Data Protection Act, proscribing automated collection of data that occurred in the “Eric the Elf” debacle.  [2] 

Santa is spending yet another holiday with its General Counsel, but this time Santa and his lawyer elves are trying to craft a work around for its new machine learning software, OverwatchTM [3] which leverages machine learning to developing hyper accurate naughty/nice lists.  Northpole’s Director of Marketing, C. L. Who, describes the new software as “state of the art which monitors customer’s user activity and keystrokes at work station devices, email, phones, social media platforms to track compliance with company policies.” Ms. Who explains, “a score is developed which lands in either the Nice or Naughty list allowing Santa to create hyper accurate delivery lists,” and this last feature is where GDPR’s “profiling” restrictions come into play. 

As many readers may know, the new GDPR rules become effective in Spring 2018 which, among other things, regulate even non-EU controllers that perform “profiling” functions on EU residents.  Generally, profiling includes automated processing of personal data that is used to, inter alia, analyze or predict performance at work, behavior, reliability, etc. [4]  While Santa’s R&D department is making serious IT upgrades to its systems, the Northpole will be busy this off season trying to get an exemption from the European Data Protection Board for the 2018 busy season.   Standing in their way is one defiant “customer” identified in court documents only as “Caroline” who has challenged her inclusion on the “naughty” list by filing a formal complaint with the EU Parliament citing her data privacy rights against profiling.

The young plaintiff and future lawyer is demanding a personal review of her record by Santa himself in order to secure a new phone this year under the tree.  In her pro se defense, she has cited Article 22(1) of the GDPR, which provides that data subjects like her have a right not necessarily to avoid profiling itself (e.g. automated processing of personal data for the purpose of making a decision), but rather to avoid being “subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Recital 58 provides as examples the “automatic refusal of an on-line credit application or e-recruiting practices without any human intervention.” Citing a letter sent to the Northpole which Santa acknowledged,  Caroline has won the first round since GDPR Article 22(3) mandates that any decision made pursuant to a contract with the data subject or his explicit consent, the controller (Santa) must still allow the data subject to contest the decision.  In her brief to the Court, Caroline cites that profiling decisions that landed her on the naughty list must be explained to her because according to Articles 13 and 22, Santa needed to inform Caroline at the time data was collected not only of the fact that profiling will occur, but as well “the logic involved” and “the envisaged consequences of such processing.”

So as Santa’s litigation team takes on Caroline, stay tuned for a few things this New Year…just how much GDPR may affect different parts of the business and social worlds; how machine learning advances and GDPR will likely collide in future litigation; and Archive360’s new software launch in FY 2018 will, quite simply, change everything.

Happy Holidays from your Friends at Archive360

 

[1] Created to serve as a light-hearted holiday story, a family adopts an elf with magical ability to fly back and forth to the North Pole each night to tell Santa Claus about all of the day's adventures returning each morning, perched in a different place to watch the fun, authors Laura Pinto & Selena Nemorin discuss the erosion of children’s sense of privacy with ubiquitous surveillance messaging. https://www.policyalternatives.ca/publications/commentary/whos-boss

 [2] #fakenews.  But see Directive 95/46/EC of the European Parliament http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf  and Data Protection Act 1998, 1998Chapter29, Section 7;

 [3] Only half fake news, wait for Archive360’s 2018 rollout of its new software offerings; 

[4] Under Article 4(4), data processing may be characterized as “profiling” when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

Topics: GDPR

Subscribe to Our Blog