Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

TikTok has been fined £12.7m by the Information Commissioner’s Office for breaches of data protection law

April 13, 2023By Preiskel & Co

On 4 April 2023, the Information Commissioner’s Office (ICO) announced that it had issued a £12.7m fine to the video-sharing platform TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for a number of breaches of data protection law. This is one of the largest fines that the ICO has issued.

Background to the ICO’s Ruling

Under the UK General Data Protection Regulation (GDPR), businesses have specific legal responsibilities when processing the data of children, as set out in Recital 38 of the UK GDPR: ‘Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data’.

The rules governing the processing of children’s data are dispersed throughout the UK GDPR regulation, but the crucial principle is contained in Articles 8 (1) and (2): ‘the processing of the personal data of a child shall be lawful where the child is at least 13 years old. Where the child is below the age of 13 years, processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child … The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child’.

According to the ICO guidance, this principle should be implemented through a cautious approach and ‘privacy by design’. The cost of non-compliance can be high: the ICO has the power to enforce a civil monetary penalty of up to £17m or 4% of global turnover on data controllers that fail to follow the regulations.

The ICO’s Enforcement Action

In its ruling on 4 April 2023, ICO found that TikTok had breached the UK GDPR between May 2018 and July 2020 by:

  • Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers;
  • Failing to provide proper information to people using the platform about how their data is collected, used and shared in a way that is easy to understand; and
  • Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner

The ICO estimated that TikTok allowed ‘up to 1.4m UK children’ under the age of 13 to use its platform in 2020, contrary to its own terms of service. Further, it was found that concerns had been raised internally about children under the age of 13 using the platform, to which TikTok did not adequately respond.

In its ruling, the regulator concluded that TikTok may have used children’s data to track or profile them and potentially directed children to harmful or inappropriate content. The Information Commissioner, John Edwards, was highly critical of the platform, stating that ‘TikTok should have known better. TikTok should have done better’.

Even so, having considered representations from TikTok, the ICO declined to pursue its provisional finding that the video-sharing platform had processed ‘special category’ data unlawfully. As a result, the ICO reduced the monetary penalty from £27m (as indicated in the original notice of intent) to £12.7m.

Overall, the severity of the ICO’s criticism and the size of the fine imposed on TikTok demonstrates the ICO’s commitment to enforcing compliance with the UK GDPR. For companies providing internet services that children may access, caution is key.

 

Please contact Danny Preiskel if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

Leave Comment

Cancel reply

Your email address will not be published. Required fields are marked *

clear formSubmit

Latest Preiskel & Co blog posts
  • Apple’s Vision Pro Mixed Reality Headset Unveiled
    June 8, 2023
  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue
    June 7, 2023
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report
    May 30, 2023
  • Important EU Court decision for publishers and AdTech suppliers 
    May 18, 2023
  • Data Subject Access Requests right to a “copy” of personal data, CJEU Ruling
    May 17, 2023
  • GDPR-compensation for non-material damage not automatic, CJEU confirms
    May 17, 2023
  • Overview of the UAS Ofcom Drone Licence
    May 16, 2023
  • French watchdog directs Meta to change its “discriminatory” ad verification criteria
    May 11, 2023
  • Competition authorities around the world versus dominance in digital markets
    May 3, 2023
  • EDPB clarifies personal data breach notification requirements for non-EU controllers
    April 25, 2023
  • CMA probe spurs Google to change billing practices
    April 19, 2023
  • OpenAI’s ChatGPT banned in Italy
    April 18, 2023

The Preiskel Blog

  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue 7 Jun 2023
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report 30 May 2023
  • Important EU Court decision for publishers and AdTech suppliers  18 May 2023
  • Data Subject Access Requests right to a “copy” of personal data, CJEU Ruling 17 May 2023

Preiskel news

  • Preiskel & Co participating as co-sponsor of Corum Group’s upcoming London Merge Briefing event
  • Senior Partner, Danny Preiskel, quoted by IT Pro on the costs incurred by MNOs
  • Senior Partner, Danny Preiskel, a panelist at GCCM Carrier Community 2023 on IOT
  • Jose Saras and Xavier Prida Awarded First Place as Data Protection Thought Leaders in the UK
Preiskel tweets
  • Apple’s Vision Pro Mixed Reality Headset Unveiled. Find out more here: https://t.co/ifWRgSMY1ryesterday
  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue. Find out more here: https://t.co/1SrcVUKUDB2 days ago
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report findings. Please find out m… https://t.co/7jJApBSkm210 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy