The Tooth Fairy & the General Data Protection Regulation (GDPR)
I posted recently about Santa Claus & GDPR and this prompted some debate over my analysis and some encouragement to maintain the theme.
The discussion eliminated the Easter bunny as an option as summarily we felt the Easter bunny presented a reverse legal issue (the Easter bunny does indeed trespass to leave eggs on your property, but more so that we take and eat them which may not be the bunny’s intention so this is just theft on our part)
Have you ever thought about the Tooth Fairy and her* General Data Protection Regulation (EU) 2016/679 (“GDPR”) compliance? Well… come right on in.
H/T to the UK Ministry of Justice Data Protection Officer (DPO) for the post idea.
*A 1984 study by Rosemary Wells revealed 74% of those surveyed believed the Tooth Fairy to be female.
I have also written a post about Santa Claus & GDPR.
In essence, the Tooth Fairy swaps baby teeth for hold hard cash — a 2013 survey by Visa, Inc. found American children receive on average $3.20 USD per tooth, and with 20 baby teeth per typical mouth thats $64 USD per child.
The Tooth Fairy is generally depicted as a child with wings, a pixie, a dragon, a blue mother-figure, a flying ballerina, two little old men, a dental hygienist, a potbellied flying man smoking a cigar, a bat, a bear and so on. Unlike the well-established imagining of Santa Claus, differences in renderings of the Tooth Fairy are not as upsetting to children and she is generally not seen as an evil, harsh or punishing creature.
A 2017 consensus in the United States estimated a child is born every 8 seconds (31,557,600 seconds in a year, divided by 8 = 3,944,700 babies) and at $64 USD per child it is clear Ms Fairy has a lot of cash.
Her origins are somewhat opaque but mild consensus imply Northern Europe would be a reasonable assumption to make.
The Tooth Fairy unlike Santa does not appear to have a large supporting organisational structure and pending activities with the acquired teeth (more on that later) we can probably assume the Tooth Fairy has a fence.
The Tooth Fairy’s European origins places her in-scope for GDPR (unlike Santa’s judicially ambiguous location of the North Pole).
One could argue that due to the lack of evidence of what she does with the teeth once acquired, we should simply interpret her goal as providing a pleasant liquidity service (disused teeth for cash) so for these purposes we will do so on face value.
The Personal Data held likely looks something like:
- date of birth (with calculated age)
- current address
- local currency denomination
- calculated score on when baby teeth are due to fall out — this presents some interesting work in progress management!
- parental/guardian information (might even so far as to salary information to determine fair value in context)
- once the first tooth has been collected from a Data Subject, one could argue biometric data is now being held
His staff must have access to this list in order to help him maintain it but at the very least in order to assess the perfect gift (or how big the coal should be) and make it.
One could argue technology could/should be used for automated decision making.
This list (database — unlike Santa with Oracle RDS on AWS she opts for Bigtable from Google Cloud) contains millions of records for Data Subjects all over the world.
For simplicity, we will de-scope the privacy concerns stemming from actually visiting the property and entering it without being explicitly invited by an authorised person — unlike Santa, who only leaves presents (perhaps consuming milk/cookies) the Tooth Fairy does remove items from the property but arguably in exchange for fair value so this isn’t considered ‘breaking & entering with petty theft’.
We will also assume the scope is limited to live Data Subjects (being newborn infant through to once all available baby teeth have been collected) so that legacy records (including backups) are automatically purged when no longer required.
These are in no way exhaustive and I am not a [privacy-specialist] lawyer. I would urge Ms Fairy to retain an appropriately capable and experienced GDPR professional and engage a privacy-specialist legal firm.
I’ll review her GDPR position based on the GDPR core requirements. This is summarily what she could be doing, or at least what I hope she in place, and this will take her through to being somewhat aligned with GDPR’s core principles under a proportionality banner.
What data is being held?
We’ve covered this above, I think she has a pretty good grasp on the information she has.
Similarly to Santa, I would expect some sort of magic tablet system as she moves from home to home each night.
What are the conditions for processing?
Article 6 provides some core options:
- (1)(a) — consent
this cannot apply as Ms Fairy does not obtain consent from Data Subjects (or more likely, parents/guardians on their behalf)
- (1)(b) — contract
there is a promise (leave shed tooth under pillow) and exchange of value (tooth will be replaced with money)
- (1)© — legal obligation
Ms Fairy may be under a legal obligation but this has not been identified
- (1)(d) — vital interests
I would argue the Data Subject has no further use for the tooth but a small sum of money is not in their vital interest
- (1)(e) — public interest task or vested authority
Ms Fairy is not a recognised public body and the task itself is carried out on an individual basis — but I could argue the overall activity is in the wider public interest
- (1)(f) — legitimate interests
the legitimate interests of the third parties (parent/guardian’s) is likely more legitimate than Ms Fairy’s own, as one cannot exercise a legitimate interest which implies one-sidedness when there is an exchange of value
I would advise Ms Fairy to use the ‘contract’ and ‘legitimate interests’ (of the parents/guardians) as possible conditions for processing.
Where the data is being held
Offshore through the Google Cloud Platform. Compute and App Engines are used to crunch the data sitting in Bigtable.
AI Hub, Cloud AutoML and BigQuery are used to calculate the timing and probabilities of when teeth will be shed and be made available for exchange — teeth do need to placed under the pillow after all.
Who has access to the data?
The Tooth Fairy appears a lone wolf so as a sole trader only she has access to her data — or the Google Cloud support staff when she needs query optimisation assistance and permits Professional Services to get access to theaccount/data.
Who is responsible for the data?
With the Ms Fairy as a sole trader she is registered as a Data Controller as an individual.
Given the exchange of value and measurable turnover, Ms Fairy’s potential GDPR fines are staggering and she should ensure she has specific liability insurance in addition to a robust compliance state.
An external DPO in an advisory role may prove beneficial.
That the data is up to date and needs to be kept
Like Santa, Ms Fairy likely gets her data from governmental records (registering a birth workflows etc) and there may well be entirely legal data sharing agreements in place to allow this to happen.
Once she holds this birth information, she can calculate age. But he needs to keep addresses up to date, so likely is buying copies of electoral data through data brokers. Address data is parent/guardian linked, so she clearly has access to a plethora of education, social care and local state/authority data to be able to consistently link a Data Subject child with parents/guardians.
As data matching is hard and a single-source of truth is very difficult to find, Ms Fairy is likely using multiple data sources to increase the probability that her data is accurate — this is assisted by the initial visit for the first tooth, as her BigQuery system may have considered the rate in which families move property as well.
Similarly to Santa, she likely programmatically monitors databases for deaths and change of name. Without assistive Elves, she may is forced to also do the morbid job of monitoring hospital databases and obituary publications.
(I am worried that like Santa Ms Fairy may be using ‘extra legal’ means to obtain data however within Europe it is more probable that the correct data sharing agreements exist)
That processing information is conveyed
Article 13 does not appear to apply (I have not been able to identify government privacy notices including the Tooth Fairy) so she is also very likely in contravention of Article 14 as to my knowledge there is no published or readily available privacy notice conveying processing information.
What security is in place to protect the data?
As a single sole trader Ms Fairy is likely in complete control of her data having leverage the Google Cloud Platform and multi-factor authentication using a Yubikey.
However, as a sole trader Ms Fairy is likely simply using a personal device for both work and pleasure, so this presents a small surface area for attack.
Fortunately she also uses macOS and has simply enabled the auto-update features that come as standard.
Data subject rights (Articles 12 to 23)
Ms Fairy does not typically receive communiqué from Data Subjects or their representatives so Data Subject rights are rarely exercised as a result.
Where letters are received and some rights —Article 15 (‘Right of access’), Article 16 (‘Right to Rectification’) and Article 17 (‘Right to erasure’)—are exercised, these are unfortunately ignored in the face of her unwavering commitment to her mission.
Similarly, due to the incredibly low frequency of communication Article 20 (‘Right to data portability’) is also never exercised.
Due to her opaque position on how scores are tallied and fair value decided upon, we do not truly know what Ms Fairy’s position on Article 22 (‘Automated decision making / profiling’) is.
Ms Fairy’s GDPR compliance is opaque but on balanced probability is likely less problematic than Santa’s non-compliance given a clear exchange of value and lack of underlying organisation (staff).
The unknown activities that may take place after teeth have been acquired is troubling given the biometric data (DNA) contained in teeth however on face value this can be considered benign for now.
Any accurate review is impossible without accurate accessible privacy notices and/or view of independently-audited internal risk assessments or privacy documentation.
My recommendations to Ms Fairy are:
- engage in a proportional review from a high-level data protection/compliance perspective (starting with GDPR then into other requirements from other jurisdictions)
- take a far more transparent approach by publishing a privacy notice
- include a brief leaflet with each exchange explaining where Data Subjects (or parents/guardians on behalf of) can go to view data, request it be updated (including providing notice of moving home) and the contact details for where to send general data protection queries and complaints.
- ensure the leaflet is printed on magic paper (perhaps sharing the same printer as Santa to save ink costs) so the complaints section dynamically conveys the Data Subject’s local data regulator and changes language and phrasing to ensure it is plain language (in the local language) to ensure it is understood.
- take proportional process and technical security steps to protect data in and to/from Google Cloud, particularly on the macOS device which should have a separate one purchased for personal use
I have also written a post about Santa Claus & GDPR.