Having spent many years advising clients on what data protection law says and how to put it into practice, I am keenly aware that we do not live in a perfect world; that business doesn’t exist solely for the purpose of being good at data protection, and that the marketplace is awash with tools that are cheap, convenient and difficult – perhaps impossible – to use in compliance with DP laws.

Inevitably, when faced with these challenges, the conversation turns away from ‘compliance’ and towards risk. What’s the risk of being caught out and getting into trouble? What’s the risk of harm to data subjects? What’s the risk of not being able to operate fast and flexibly?

Which brings me here, to my presence on Patreon. I’ve scrutinised the privacy policy, and I have my issues with it (not least, the bundling of all processing under ‘consent’ which is in turn bundled into “by using this service, you consent to….” <eyeroll>). It’s a US-based company, and so your data and mine are going to a territory without adequate data protection or human rights laws. If there were an EU-based alternative with equivalent functionality and reach, I’d be using that!

As a content creator, I am a Data Controller (and yes, I’ve registered with the ICO, but they haven’t updated the register to publish my company’s details yet), and so I’m responsible in the eyes of the law for the processing of personal data I carry out in delivering my services. Patreon is a Processor to the extent of handling communications and transactions between me and my Patrons, but for their own secondary uses of data (advertising, marketing, profiling etc) they are Controllers. I’m a Joint Controller with Patreon for some elements of their commercial processing of my Patrons’ data, but the chances of being able to get them to sign my Joint Controllers Agreement are hovering somewhere around zero.

I evaluate the risk to your rights and freedoms from following me on Patreon as high-likelihood, but low-impact. Yes, your activity is being recorded and data-mined – unless you’re deeply ashamed of being interested in data protection, that’s probably not going to affect you much. Yes, your data is going to the US where the protections on your rights and freedoms are not as robust as they might be in Europe. If you were already here on this platform and have just added me to your list of supported creators, you’re presumably okay with that. If you joined up for the sole purpose of reading my stuff, but you’re uncomfortable with the privacy implications then I’m not going to try to persuade you to stay; it’s your choice.

For the DP nerds among you, here’s what’s going in my ROPA….

Purpose: to make some income by writing about data protection online, without taking on the overheads of running my own publishing and payment infrastructure.

Processing activities: 1. offering a variety of service levels and benefits, 2. maintaining a list of Patrons, 3. analysing how Patrons interact with my content, 4. making offers and advertising new material, 5. taking payments, 6. corresponding and engaging online with Patrons, 7. record-keeping to fulfil compliance obligations.

Lawful basis: if you’re paying to be a Patron, then there’s a contract between us – I provide content, and you chuck money my way. That covers activities 2, 5 and 6. You can terminate the contract at any time, and I’ll stop processing your data, except for 7.

If you’re following me then I have a legitimate interest in activities 1, 3 and 4, and your interests are also supported by 1 and 4, as you get to read funky data protection content. The balancing test goes something like this: you’ve got most of the power here – you can stop using Patreon, stop supporting me, delete your account or even lurk under a pseudonym. My processing is low-impact and driven by your preference as to the level of engagement we have. The risk to you is most likely very low, and Patreon provides mechanisms for your rights to be exercised. Therefore, my conclusion is that as long as I’m suitably transparent and diligent about my end of things, there shouldn’t be a problem. I’m afraid there’s no way for you to follow me without some of this processing taking place, because I don’t control its collection and presentation – Patreon does.

I have to keep payment records for compliance with tax and company law, so that’s my lawful basis for 7. Retention period for this data (reports and receipts) is 7 years.

Recipients: Patreon (obvs), PayPal (another one of those problematic but inescapable services), Patreon’s advertising and supply chain partners, PayPal’s advertising and supply chain partners, me, my accountant, HMRC.

ex-EEA transfers: to the US. Whether you can truly consent is an arguable question, as there’s no viable alternative that realistically allows me to offer this business model on any other platform, but legal technicalities aside, if you’re unhappy with the idea then you don’t have to come to this site.

DPO: My business doesn’t need one but if you want to get in touch with me, please leave me a comment, or come find me on either Twitter or LinkedIn.

