On 4 April 2023, the Information Commissioner’s Office (ICO) announced that it had issued a £12.7m fine to the video-sharing platform TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for a number of breaches of data protection law. This is one of the largest fines that the ICO has issued.
Background to the ICO’s Ruling
Under the UK General Data Protection Regulation (GDPR), businesses have specific legal responsibilities when processing the data of children, as set out in Recital 38 of the UK GDPR: ‘Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data’.
The rules governing the processing of children’s data are dispersed throughout the UK GDPR regulation, but the crucial principle is contained in Articles 8 (1) and (2): ‘the processing of the personal data of a child shall be lawful where the child is at least 13 years old. Where the child is below the age of 13 years, processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child … The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child’.
According to the ICO guidance, this principle should be implemented through a cautious approach and ‘privacy by design’. The cost of non-compliance can be high: the ICO has the power to enforce a civil monetary penalty of up to £17m or 4% of global turnover on data controllers that fail to follow the regulations.
The ICO’s Enforcement Action
In its ruling on 4 April 2023, ICO found that TikTok had breached the UK GDPR between May 2018 and July 2020 by:
- Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers;
- Failing to provide proper information to people using the platform about how their data is collected, used and shared in a way that is easy to understand; and
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner
The ICO estimated that TikTok allowed ‘up to 1.4m UK children’ under the age of 13 to use its platform in 2020, contrary to its own terms of service. Further, it was found that concerns had been raised internally about children under the age of 13 using the platform, to which TikTok did not adequately respond.
In its ruling, the regulator concluded that TikTok may have used children’s data to track or profile them and potentially directed children to harmful or inappropriate content. The Information Commissioner, John Edwards, was highly critical of the platform, stating that ‘TikTok should have known better. TikTok should have done better’.
Even so, having considered representations from TikTok, the ICO declined to pursue its provisional finding that the video-sharing platform had processed ‘special category’ data unlawfully. As a result, the ICO reduced the monetary penalty from £27m (as indicated in the original notice of intent) to £12.7m.
Overall, the severity of the ICO’s criticism and the size of the fine imposed on TikTok demonstrates the ICO’s commitment to enforcing compliance with the UK GDPR. For companies providing internet services that children may access, caution is key.
Please contact Danny Preiskel if you have any questions regarding the above.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.