The TikTok breach
Sian Stephens examines the ICO’s recent fine of the social media giant
A notice of intent (a legal document that precedes a fine) was issued by the Information Commissioner's Office (ICO) to the Chinese-owned app TikTok in September 2022. The ICO's provisional findings were that between May 2018 and July 2020 TikTok may have processed the data of children under the age of 13 without appropriate parental consent, and may have failed to provide proper information to its users in a concise, transparent and easily understandable way. The ICO also said TikTok may have processed special category data, which is more sensitive personal data requiring additional protection – including ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership and genetic, biometric or health data – without a 'legal basis' or condition under the General Data Protection Regulation (GDPR).
There are six legal bases to choose from to process personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests. If you are processing special category data, a further condition for processing is required in addition to a legal basis for the processing to be lawful. The notice of intent stems from an investigation the ICO first announced in 2019, when the regulator said it would be looking into how TikTok collects personal data. More specifically, the investigation sought to discover whether TikTok's practices constitute a breach of the GDPR, which requires companies to put robust measures in place to protect underage users, including addressing how the platform allows children to interact with adults.
TikTok has been controversial when it comes to issues surrounding children's privacy ever since its predecessor Musical.ly launched in 2014. The app's user base has always been very young, and in its early years the app was arguably not that careful about screening users by age. There have been many problems with TikTok using children's personal information and browsing habits for targeted advertising. Ad algorithms sometimes promote gambling sites to children, or show them games with intentionally addictive components. Most alarmingly of all, TikTok has received heavy criticism for promoting dangerous 'challenges' that spread among underage users and have caused serious harm and even death.
Under the notice of intent TikTok could be fined £27m by the ICO. That would be the largest fine in the ICO's history, exceeding the record £20m imposed on British Airways in 2020 for its 2018 data breach. The ICO's action runs alongside a separate class action against TikTok, brought in 2020 by Anne Longfield, a former Children's Commissioner, for violations of the GDPR on behalf of children resident in the UK or the EEA since May 2018. That claim alleges that TikTok breached UK GDPR transparency requirements as to the extent and purposes of the children's data it processed, and was the subject of a High Court decision in March 2022.
The ICO is the UK's data protection regulator: its role is to regulate and enforce data protection law in the UK, which consists of the UK GDPR and the Data Protection Act 2018. It can consider complaints, monitor compliance and take enforcement action where appropriate against organisations operating in the UK. Enforcement action includes issuing fines of up to £17.5m or four per cent of an organisation's global annual turnover, whichever is higher. Recent developments in respect of the protection of children's personal data include the ICO's Children's Code (formally the Age Appropriate Design Code), which came into full force in September 2021 and (among other things) requires services to consider the best interests of the child and to address parental controls. Online services covered by the Code are wide ranging and include apps, games, connected toys, devices and news services.
The ICO has published on its website a Children's Code Self-Assessment Risk Tool for medium to large private, public and third sector organisations. The tool helps an organisation conduct a risk assessment, focusing on how the UK GDPR and the Code apply in the context of its digital service. It is a practical way to achieve a 'proportionate and risk-based approach to ensuring children's protection and privacy'. The Code and the substantial fine proposed against TikTok show a firm commitment by the ICO to protecting children's privacy.
Sian Stephens is a data protection associate at Payne Hicks Beach: phb.co.uk