On 4 April 2023 the Information Commissioner’s Office (the ICO) issued a fine of £12.7 million to TikTok Information Technologies UK Limited and TikTok Inc. (TikTok) as a consequence of multiple breaches of the UK GDPR between May 2018 and July 2020. The breaches relate in particular to i) the processing of children’s personal data without parental consent; and ii) the failure by TikTok to provide its users with proper and easily understandable information about how their data is used. More details about the TikTok decision can be found on the ICO website, in the announcement “ICO fines TikTok £12.7 million for misusing children’s data”.
While it is worth noting that this fine is less than half of the sum proposed in the ICO’s original notice of intent to issue a fine (which advised an intended fine of £27m), and that the sum may yet be reduced further if TikTok makes a successful appeal, it remains the case that this is one of the largest fines handed down by the ICO to date.
Regulation of so-called “big tech” organisations is a significant political talking point within the UK at present and is a relevant consideration for the UK Online Safety Bill, which is currently making its way through Parliament. Against such a background, this latest fine from the UK regulator provides an indication of the direction the ICO plans to take with its interpretation and enforcement of the UK GDPR, and of data protection legislation more generally within the UK. It demonstrates that the ICO is clearly willing to take a firm stance over the protection of children’s personal data, especially as these breaches by TikTok and the subsequent investigation both pre-date the implementation of the ICO’s statutory “Children’s code”, its code of practice for age-appropriate design of online services. It is conceivable that a fine imposed on an organisation for similar breaches occurring after the advent of the “Children’s code” could be even more substantial.
Even though the magnitude of the TikTok fine likely reflects the fact that the breaches involved the personal data of children and not just adults, it still provides a useful reminder to all organisations processing any personal data that the UK GDPR imposes a duty to ensure that users are always provided with clear and transparent information about how their data will be processed, and that users are able to make an informed choice before interacting with the organisation’s services. Relevant information should be given upfront to users (and potential users), and data controllers will always have ultimate responsibility for ensuring that appropriate consent is obtained, particularly where children are involved.
The good news is that most organisations should be able to address this duty through the timely use of appropriately accessible and understandable privacy notices, but the decision highlights the importance of preparing these documents carefully. Organisations processing personal data should also make sure they have robust consent and record-keeping mechanisms in place, both to achieve compliance and to help demonstrate it. If your organisation’s privacy policies and procedures haven’t been reviewed recently, now may be a good time to review your policy documents to make sure they are up to date and suitable.
For further information, please contact:
David Baines, Hill Dickinson
david.baines@hilldickinson.com