The online video-sharing site TikTok has over 1.53 billion users including many politicians. However, several governments have taken the view that it represents an unacceptable privacy and security risk that may be enabling Chinese government surveillance. In March, UK government ministers were banned from using the app on their work phones following a similar move by the US and the European Commission.
TikTok’s data-handling practices are increasingly coming under scrutiny by data protection regulators. On 4 April, the Information Commissioner’s Office (ICO) issued a £12.7m fine to TikTok for a number of breaches of the UK General Data Protection Regulation (UK GDPR), including failing to use children’s personal data lawfully. This follows a £27m Notice of Intent issued in September.
Article 8(1) of the UK GDPR states the general rule that if a data controller is offering an online service directly to a child and is relying on consent as its lawful basis for processing, only a child aged 13 or over is able to provide their own consent. For a child under 13, the data controller must seek consent from whoever holds parental responsibility. Article 8(2) further states: ‘The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.’
In issuing the fine, the ICO said TikTok had failed to comply with Article 8, even though it ought to have been aware that under-13s were using its platform. It also failed to carry out adequate checks to identify and remove underage children from its platform. The ICO estimates up to 1.4 million UK children under 13 were allowed to use the platform in 2020, despite TikTok’s own rules not allowing children of that age to create an account.
The ICO investigation found that a concern was raised internally with some senior employees about children under 13 using the platform and not being removed. In the ICO’s view, TikTok did not respond adequately. Information Commissioner John Edwards said: ‘TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.’
In addition to Article 8, the ICO found that, between May 2018 and July 2020, TikTok breached the following provisions of the UK GDPR:
- Article 13 and 14 (Privacy Notices) – Failing to provide proper information to people using the platform about how their data is collected, used and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
- Article 5(1)(a) (The First DP Principle) – Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
Since the conclusion of the ICO’s investigation into TikTok, the regulator has published the Children’s Code. This is a statutory code of practice aimed at online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children. The code sets out 15 standards to ensure children have the best possible experience of online services.
Notice of intent
It is noticeable that this fine is less than half the amount (£27m) in the Notice of Intent issued last September. The ICO said that it had taken into consideration the representations from TikTok and decided not to pursue its provisional finding relating to the unlawful use of Special Category Data. Consequently, this potential infringement was not included in the final amount of the fine.
We have been here before. In July 2018 British Airways was issued with a Notice of Intent in the sum of £183m but the actual fine in July 2020 was for £20m. In November 2020, Marriott International Inc was fined £18.4m, much lower than the £99m set out in the original notice. Some have suggested that the fact that fines are often substantially reduced (from the notice to the final amount) suggests the ICO’s methodology is flawed.
In a statement, a TikTok spokesperson said: ‘While we disagree with the ICO’s decision, which relates to May 2018 to July 2020, we are pleased that the fine announced today has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps.’
We suspect TikTok will appeal the fine, to the First-tier Tribunal (General Regulatory Chamber), if only to put pressure on the ICO to think about whether it has the appetite for a costly appeal process. The ICO’s record in such cases is not great. In December 2021, it fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients. The Cabinet Office appealed against the amount of the fine arguing it was ‘wholly disproportionate’. In November 2022, the ICO agreed to a reduction to £50,000. Recently an appeal against the ICO’s fine of £1.35m issued to Easylife Ltd was withdrawn, after the parties reached an agreement whereby the amount of the fine was reduced to £250,000.
This is not the first time TikTok has been accused over alleged mishandling of children’s data. Last month, it agreed to pay C$2m to settle two class action lawsuits in Canada. These alleged that the company collected private information from minors and adults alike in breach of British Columbia’s Privacy Act, among other Canadian privacy law. More recently, a Portuguese-based NGO, lus Omnibus, has filed two lawsuits against TikTok seeking damages of up to €1.12bn for ‘illegal and abusive practices’ in relation to children’s data.
With increasing concern about security and data-handling practices across the tech sector (see the recent fines imposed by Ireland’s Data Protection Commission on Meta), many governments will be looking at how they can use the law to restrict the power of social media companies.
Ibrahim Hasan is a solicitor and director of Act Now Training
No comments yet