The TikTok breach

29 Nov 2022Opinion

Sian Stephens examines the ICO's recent fine of the social media giant

A notice of intent (a legal document that precedes a fine) was issued by the Information Commissioner’s Office (ICO) to the Chinese-owned app TikTok in September 2022. It has been stated that between May 2018 and July 2020, TikTok may have processed the data of children under the age of 13 without appropriate parental consent. TikTok had failed to provide proper information to its users in a concise, transparent and easily understandable way. The ICO said TikTok may have processed special category data, which is more sensitive personal data requiring additional protection – including ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership and genetic, biometric or health data – without a ‘legal basis’ or condition under the General Data Protection Regulation (GDPR).

There are six legal bases to choose from to process personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest. If you are processing special category data, a further condition for processing is required together with a legal basis for the processing to be lawful. This recent revelation stems from an investigation the ICO first initiated back in 2019, as the regulatory body revealed that it would be looking into how TikTok collects private data. More specifically, the investigation sought to discover whether TikTok’s practices constitute a breach of the GDPR, which requires companies to put robust measures in place to protect underage users, including addressing how the platform allows children to interact with adults.

Past behaviour

TikTok has been controversial when it comes to issues surrounding children’s privacy, ever since it launched in 2014. The app’s user base has always been broadly very young, and in its early years, the app was arguably not necessarily that careful about screening users by age. There have been many problems with TikTok using children’s personal information and browsing habits for targeted advertising. Ad algorithms sometimes promote gambling sites to children, or show them games with intentionally addictive components. Most alarmingly of all, TikTok has received heavy criticism for promoting dangerous ‘challenges’ that spread among underage users and have caused serious harm and even death.

The fine

TikTok is set to be fined £27m by the ICO for this recent breach. It would be the largest fine in the ICO’s history, exceeding the record £20m handed to British Airways in 2018. This impending fine relates to a class action against TikTok, brought in 2020 by Anne Longfield, a former Children’s Commissioner, for violations of the EU GDPR on behalf of children residents in the UK or the EEA since May 2018. In its decision issued in March 2022, the High Court highlighted that TikTok had breached UK GDPR transparency requirements as to the extent and purpose of children’s data it processed.

ICO developments

The ICO is the UK’s data protection regulator: its role is to regulate and enforce data protection law in the UK, which consists of the UK GDPR and the Data Protection Act 2018. It has the ability to consider complaints, monitor compliance and take enforcement action where appropriate against UK organisations. Enforcement action includes issuing fines of up to £17.5m or four per cent of an organisation’s global annual turnover. Recent developments in respect of the protection of children’s personal data have included the introduction in September 2021 of the ICO’s Children’s Code which (among other things) considers the best interests of the child and parental controls. Online services covered by the Code are wide ranging and include apps, games, connected toys, devices and news services.

The ICO has implemented, on its website, a Children’s Code Self-Assessment Risk Tool for medium to large private, public and third sector organisations to use. This tool helps conduct a risk assessment, focusing on how the UK GDPR and the Code applies in the context of an organisation’s digital service. This is a practical way to achieve a ‘proportionate and risk-based approach to ensuring children’s protection and privacy’. The ICO’s Code and the substantial fine issued to TikTok show a firm commitment by the ICO to protecting children’s privacy

Sian Stephens is a data protection associate at Payne Hicks Beach: phb.co.uk

Legal News desk contact: editorial@solicitorsjournal.com

The UK’s dirty money reforms: from pledges to practice

David Lammy’s tough rhetoric on illicit finance revives long-standing pledges, but delivery, not words, will determine success

Government unveils ambitious road safety strategy

The new road safety strategy aims to reduce road deaths and serious injuries by 65% by 2035

UK expected to see IPO revival

UK capital markets are set for a considerable revival in IPO activity due to extensive reforms

Cox v HMRC: Upper Tribunal clarifies penalty suspension criteria

Taxpayers cannot rely on one-off errors to secure penalty suspension

New plan enhances cyber security for public services

A new cyber action plan has been launched to improve online public services, ensuring they remain secure and resilient for users

Legal aid faces critical funding crisis

A Parliamentary report highlights urgent action needed from the government to ensure the future of legal aid

Williams and Owen challenge Natural Resources Wales embankment decision

High Court upholds flood authority's withdrawal from Tan Lan Embankment maintenance

Legal sector needs clarity on AI

The Law Society of England and Wales insists that clarity in existing regulations is essential for AI use in the legal sector to ensure professional standards and public trust

Vote for your most iconic trademark

The UK’s trade mark registry is asking for public input to declare the most iconic trade mark

Calls for urgent reform of spinal injury care

Two Bristol solicitors demand action to improve inadequate care for those with spinal injuries

Optosafe Limited v Robertson: High Court grants final injunction in harassment and contract breach case

High Court upholds harassment claim and contract breaches against former employee's LinkedIn campaign

Afan Valley Ltd v Lupton Fawcett LLP: Scope of duty in professional negligence claims

Professional negligence claims must demonstrate recoverable loss within duty scope

Ishtiaq Baig v Zoheb Hassan: domicile and jurisdiction in defamation proceedings

High Court clarifies approach to residence test and cross-examination in defamation jurisdiction challenges.

Magna Carta and constitutional rights in Papua New Guinea

Papua New Guinea demonstrates the continuing influence of Magna Carta principles on constitutional rights and the rule of law

UK lawyers forecast significant AI savings

UK lawyers anticipate artificial intelligence will generate £2.4 billion in productivity savings over the coming year

SJ Interview: Joelle Grogan

Dr Joelle Grogan is a legal scholar specialising in the rule of law in times of crisis. She presents The Law Show on BBC Radio 4, and is Co-Academic Director of the Rule of Law Clinic at the CEU Democracy Institute (Budapest), and a Senior Research Fellow at the UCD Sutherland School of Law. Her work focuses on constitutional accountability, emergency powers, and legal misinformation. In this interview, she examines the pressures facing the rule of law in the UK, from executive power and court delays to media narratives, emergencies, and the impact of AI on legal practice.

Justice reform risks targeting the wrong fix

As 2026 approaches, ministers eye jury trials while ignoring deeper causes of England’s criminal justice crisis