The Information Commissioner’s Office (ICO) has issued a £12,700,000 fine to TikTok pursuant to Section 155(1) of the Data Protection Act 2018 (DPA).
The ICO carried out an investigation and found that TikTok was in breach of the DPA and the UK General Data Protection Regulation (UK GDPR). Between May 2018 and July 2020, TikTok had acted in breach of Article 8, Article 12, Article 13 and Article 5(1)(a) of the UK GDPR.
Article 8 of the UK GDPR – processing children’s data
Article 8 of the UK GDPR states:
“(1) Where the child is below the age of 13 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
(2) The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
The ICO found that TikTok had provided its services to children under the age of 13 and had processed their personal data without consent from parents. It was further found TikTok had also failed to identify any other lawful basis for the processing of the data.
In addition, the ICO found that TikTok had failed to make reasonable efforts to ensure that consent was given to underage child users and to prevent children under the age of 13 from accessing its platform.
Article 12 of the UK GDPR – processing data in a transparent manner
Article 12 of the UK GDPR states:
“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
Under Article 13 of the UK GDPR, a controller is required to provide the data subject with certain information.
The ICO found that TikTok failed to take appropriate measures to provide the information required in a concise, transparent, intelligible and easily accessible form, using clear and plain language. They were therefore in breach of Articles 12 and 13 of the UK GDPR.
Article 5(1)(a) of the UK GDPR – lawfulness, fairness and transparency
Article 5(1)(a) of the UK GDPR states:
“Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject.”
The ICO found that in failing to comply with Articles 8, 12 and 13 of the UK GDPR, they had failed to ensure that the personal data was processed lawfully, fairly and in a transparent manner, in breach of Article 5(1)(a) of the UK GDPR.
Commissioner, John Edwards, commented as follows in relation to the penalty notice:
“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws.
As a consequence, an estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data. That means that their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll.
TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”
How can we help
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us