
TikTok hit with multimillion-pound fine for misuse of children’s data

Friday 21 April 2023

The Information Commissioner’s Office (ICO) — the UK’s data protection regulator — has issued a fine of £12,700,000 to TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for a number of breaches of data protection law, including failing to use children’s personal data lawfully. Our expert Eleanore Beard explains the decision.

 

A significant reduction

The ICO’s decision comes after the Dutch regulator fined TikTok €750,000 in July 2021 for violating the privacy of young children. By not offering its privacy statement in Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data.

While data protection legislation is designed to protect everyone, there are additional child-specific considerations if you are processing children’s personal data, as they may be less aware of the risks, consequences and safeguards concerned, as well as their rights in relation to the processing of personal data.

While TikTok has now been hit with a hefty fine, the figure is not as large as it could have been. In September 2022, the ICO issued a ‘notice of intent’ to TikTok, indicating that it could face a fine of £27 million for its breaches, which included failing to protect children’s privacy. The ICO indicated that the notice was provisional and that it would consider any representations from the company before issuing its final decision.

The ICO has now finalised its decision and — having found TikTok in breach of a number of UK GDPR Articles — issued a fine that has been significantly reduced from its original notice of intent.

 

Which data protection rules did TikTok breach?

The ICO’s final decision found that TikTok was providing its services to an estimated one million UK children under the age of 13. It had processed their personal data without consent or authorisation from their parents or carers (contrary to Article 8) and had failed to provide proper information to users about how their data is collected, used and shared in a way that is easy to understand (contrary to Articles 12 and 13). It had also failed to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner (contrary to Article 5).

The ICO has said that TikTok did not do enough to check who was using its platform or take sufficient action to remove its underage child users.

However, the ICO did not pursue its initial allegation that TikTok had processed special category data without the legal grounds to do so. Special category data includes information such as ethnic and racial origin, political opinions, religious beliefs, sexual orientation or health data and therefore should be afforded increased protection.

 

What does the ICO’s decision mean for technology companies?

This latest ICO decision reinforces the importance of ensuring that relevant checks and balances are in place to protect the privacy of individuals, especially where children’s data is concerned.

In September 2022, the ICO issued its Children’s Code, which provides additional layers of protection for online services. These should be followed for apps, games, connected toys or devices and news services, which are likely to be accessed by children even if they are not aimed at children. It is of note that TikTok’s breaches of data protection legislation predate the ICO’s Children’s Code.

If you or your organisation have any queries on how to handle children’s personal data, or how to establish a compliant data privacy culture, please contact me at eleanore.beard@brabners.com or our wider data protection team.
