TikTok is issued with a notice of intent by the ICO

The popular social media app could be forced to pay a fine of £27 million after an investigation by the Information Commissioner’s Office (ICO) found that it may have breached UK data protection law.

TikTok has been issued with a notice of intent (a legal document served before a potential fine is imposed) in which the ICO sets out its intention to fine the platform £27 million for breaching UK data protection law between May 2018 and July 2020. Within this time frame TikTok may have been guilty of the following:

  • Processing data of children under the age of 13 without parental consent.
  • Not providing proper information to its users in an easily understood way.
  • Processing special category data without legal basis.

This investigation is part of a wide-scale effort by the ICO to ensure that technology companies are complying with the Children’s Code. This code is a relatively new set of rules designed to protect children when they use social media and other online platforms. It aims to prioritise the best interests of the child and to collect and retain only the minimum amount of personal data needed to provide the relevant service. It also makes clear that sharing children’s data is unacceptable unless there is a compelling reason to do so, and that the child should be given age-appropriate information about how their data is used and where they might be monitored.

Processing data of children – Article 8 UK GDPR

Article 8 sets out the age at which a child can consent to their personal data being processed in the context of an information society service (ISS).

It sets out the following:

  • Where an ISS is offered directly to a child, the processing of personal data shall be lawful if the child is 16 years old or above.
  • The controller of the service must make reasonable efforts to verify that consent is given and authorised by whoever holds parental responsibility.
  • Children can consent to processing of their personal data in the context of an ISS from the age of 13 years.
  • An adult with parental responsibility must give consent if the child is under 13 years of age.

Privacy information – Article 13 UK GDPR

Article 13 requires certain privacy information to be provided when collecting personal information from individuals, in summary:

  • Who is collecting the information and contact details.
  • Purpose of the processing of personal data, and the “lawful basis” for doing so.
  • Whether any automated decisions will be made using the personal data.
  • Third parties with whom the personal data may be shared.
  • Where the data will be stored and whether it may be transferred overseas.
  • How long the data will be retained.
  • The individual’s rights in relation to their data.
  • How complaints may be made.

Although good practice is to provide this information in a “plain English” style, information provided in website privacy policies can still be quite lengthy and difficult to read, which may act as a barrier to ensuring that individuals are properly informed. This issue can be compounded where the information has to be provided to young people accessing information services on mobile phones – in practice, what information is actually coming to their attention?

Special Category Data – Article 9 UK GDPR

Special category data is personal data that requires particularly careful protection because it relates to sensitive or private characteristics of an individual, including something that could be used to identify a person. It includes information relating to an individual’s physical or mental health, sexual orientation, racial or ethnic origin, and political beliefs. There are more stringent rules about how this information should be protected; in summary, anyone collecting or processing this information must:

  • Identify an Article 6 basis for processing.
  • Meet one of the specific conditions for processing set out in Article 9 (most notably that the individual has consented to the information being processed).
  • Identify whether an “appropriate policy document” is required.

A data protection impact assessment (DPIA) may also need to be carried out, for example where large-scale processing, or processing of genetic or biometric data, is planned.

What does this all mean?

At this stage the ICO’s findings are still provisional, and TikTok will be given the chance to make representations before a final decision is made. However, if TikTok is required to pay this fine, it will be the largest fine ever issued by the ICO and will represent the most severe level of penalty that can be imposed under UK GDPR (4% of annual turnover).

It is a stark reminder of the consequences of failing to comply with UK data protection law, and of the challenges that can arise when trying to apply complex rules to user-friendly technology.

If you need any assistance ensuring that your company is complying with the current GDPR requirements, please contact: [email protected]