TikTok is set to be fined £27m by the ICO for this recent breach. It would be the largest fine in the ICO’s history, exceeding the record £20m handed to British Airways in 2018
The TikTok breach
Tue Nov 29 2022Opinion
Sian Stephens examines the ICO’s recent fine of the social media giant
A notice of intent (a legal document that precedes a fine) was issued by the Information Commissioner’s Office (ICO) to the Chinese-owned app TikTok in September 2022. It has been stated that between May 2018 and July 2020, TikTok may have processed the data of children under the age of 13 without appropriate parental consent. TikTok had failed to provide proper information to its users in a concise, transparent and easily understandable way. The ICO said TikTok may have processed special category data, which is more sensitive personal data requiring additional protection – including ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership and genetic, biometric or health data – without a ‘legal basis’ or condition under the General Data Protection Regulation (GDPR).
There are six legal bases to choose from to process personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest. If you are processing special category data, a further condition for processing is required together with a legal basis for the processing to be lawful. This recent revelation stems from an investigation the ICO first initiated back in 2019, as the regulatory body revealed that it would be looking into how TikTok collects private data. More specifically, the investigation sought to discover whether TikTok’s practices constitute a breach of the GDPR, which requires companies to put robust measures in place to protect underage users, including addressing how the platform allows children to interact with adults.
Past behaviour
TikTok has been controversial when it comes to issues surrounding children’s privacy, ever since it launched in 2014. The app’s user base has always been broadly very young, and in its early years, the app was arguably not necessarily that careful about screening users by age. There have been many problems with TikTok using children’s personal information and browsing habits for targeted advertising. Ad algorithms sometimes promote gambling sites to children, or show them games with intentionally addictive components. Most alarmingly of all, TikTok has received heavy criticism for promoting dangerous ‘challenges’ that spread among underage users and have caused serious harm and even death.
The fine
TikTok is set to be fined £27m by the ICO for this recent breach. It would be the largest fine in the ICO’s history, exceeding the record £20m handed to British Airways in 2018. This impending fine relates to a class action against TikTok, brought in 2020 by Anne Longfield, a former Children’s Commissioner, for violations of the EU GDPR on behalf of children residents in the UK or the EEA since May 2018. In its decision issued in March 2022, the High Court highlighted that TikTok had breached UK GDPR transparency requirements as to the extent and purpose of children’s data it processed.
ICO developments
The ICO is the UK’s data protection regulator: its role is to regulate and enforce data protection law in the UK, which consists of the UK GDPR and the Data Protection Act 2018. It has the ability to consider complaints, monitor compliance and take enforcement action where appropriate against UK organisations. Enforcement action includes issuing fines of up to £17.5m or four per cent of an organisation’s global annual turnover. Recent developments in respect of the protection of children’s personal data have included the introduction in September 2021 of the ICO’s Children’s Code which (among other things) considers the best interests of the child and parental controls. Online services covered by the Code are wide ranging and include apps, games, connected toys, devices and news services.
The ICO has implemented, on its website, a Children’s Code Self-Assessment Risk Tool for medium to large private, public and third sector organisations to use. This tool helps conduct a risk assessment, focusing on how the UK GDPR and the Code applies in the context of an organisation’s digital service. This is a practical way to achieve a ‘proportionate and risk-based approach to ensuring children’s protection and privacy’. The ICO’s Code and the substantial fine issued to TikTok show a firm commitment by the ICO to protecting children’s privacy
Sian Stephens is a data protection associate at Payne Hicks Beach: phb.co.uk
Tags:
Latest News
FeaturedParents and carers to be given new employment protections
Fri May 26 2023Committee finds plans to level up the country risk failure due to funding concerns
Fri May 26 2023Government consults on enforcement mechanisms for animal health and welfare offences
Fri May 26 2023Government expands legal aid eligibility
Thu May 25 2023Council of Europe identifies serious concerns affecting minorities in the UK
Thu May 25 2023ONS finds international migration to the UK hit new high in 2022
Thu May 25 2023Government consults on plans to reduce reporting burdens on businesses
Wed May 24 2023Committee report finds government not taking harms from alcohol seriously enough
Wed May 24 2023Committee seeks views on the Digital Markets, Competition and Consumers Bill
Wed May 24 2023
FeatureThu May 18 2023
A closer look at the trademark dispute between retail giants Lidl and Tesco
Angela Jack dissects the recent ruling in Lidl Great Britain Ltd & others v Tesco Stores Limited & others [2023] EWHC 873 (Ch)
FeatureThu May 18 2023
The UK maternity care crisis: £5bn in avoidable damages claims
Billions of pounds in NHS damages claims could have been avoided had recommendations from past reviews been followed by action, argues Kerstin Scheel
FeatureThu May 18 2023
Understanding Chinese underground banking and the risks
Laurence Howland explores the mechanisms of Chinese underground banking and the red flags
FeatureThu May 18 2023
The building blocks for a successful collaborative culture
Chris Marston explores the ways in which law firms can establish a powerful collaborative culture
SJ InterviewThu May 18 2023
SJ Interview: James Fulforth
The Solicitors Journal spoke to James Fulforth, Kingsley Napley’s newly appointed Senior Partner, about his experiences in the law, his thoughts on the UK’s tech sector and what he hopes to achieve in his new role
ForewordTue Apr 25 2023
Long-awaited reports and controversial bills dominate
Sophie Cameron takes a look at the news in the April Foreword