In an age of constant technological and digital innovation, increasing regulatory requirements, and unprecedented fines, it is more crucial than ever for businesses to uphold their obligations to protect children’s privacy and safety online.
In this week’s issue of Data Protection – In Perspective, Natasha King examines a potential fine of £27 million from the ICO against TikTok, after an investigation found that it may have violated UK data protection law by failing to protect children’s privacy. She also takes a look at several reprimands from the ICO against organisations for failing to respond to subject access requests, as well as the latest guidance from the ICO on getting the basics right when handling requests within your own organisation.
ICO announces possible fine of £27 million on TikTok for failing to protect children’s privacy
What happened
- An ICO investigation determined that TikTok may have violated UK data protection law by failing to protect children’s privacy when using the TikTok platform, and it may be subject to a £27 million fine.
- The ICO has issued TikTok Inc and TikTok Information Technologies UK Limited with a “notice of intent”. The notice sets out the ICO’s provisional view that TikTok breached UK data protection law between May 2018 and July 2020.
- According to the findings of the ICO investigation, TikTok may have:
- Processed the personal data of children under the age of 13 without obtaining the necessary parental consent;
- Failed to provide users with accurate information in a clear, understandable manner; and
- Processed special category data without having a valid legal basis for doing so.
- The conclusions in the notice of intent are provisional. The ICO states that no inference should be drawn at this stage that there has been a breach of data protection law or that a fine will ultimately be imposed.
- Before reaching a final decision, the ICO states that it will carefully consider any representations made by TikTok.
- TikTok has stated that they do not agree with the ICO’s preliminary findings and that they intend to respond formally to the findings in due course.
Why it matters
- If TikTok were to receive this fine, it would be the highest in the ICO’s history, surpassing the previous record fine of £20 million given to British Airways two years ago, following a cyber-attack in 2018 in which hackers stole the personal data of more than 400,000 staff and customers.
- The Information Commissioner, John Edwards, said: “We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place but our provisional view is that TikTok fell short of meeting that requirement.”
- The ICO is presently investigating how more than 50 different online services are adhering to the Children’s Code, Edwards added in the same statement.
- He added that the ICO was looking into a number of digital service providers which, in his view, were not taking their obligations to protect children seriously enough.
- TikTok is not the first social media platform to come under fire from regulators for failing to safeguard children’s privacy. As previously reported by Xcina Consulting, the Irish Data Protection Commission last month fined Instagram €405 million (£349 million) for allowing children to create profiles that showed their contact details to the public.
As the ICO reprimands seven organisations for not responding to subject access requests, how can you get the basics right?
What happened
- Seven UK organisations have been reprimanded by the ICO for failing to respond to requests from the public for access to personal information held on them.
- Under data protection legislation, organisations are required to respond to Subject Access Requests (SARs) within one month, extendable by up to two further months where a request is complex. However, an ICO investigation revealed that seven organisations from both the public and commercial sectors regularly breached this statutory timescale.
- This has resulted in regulatory action including reprimands, as well as practice recommendations issued under the Freedom of Information Act 2000 (FOIA) in some cases.
- According to the ICO, the organisations in question came to its attention after it received numerous complaints from individuals about their repeated failure to comply with requests for copies of the personal data held about them, either in a timely manner or at all, in breach of the UK GDPR and the Data Protection Act 2018.
- The seven organisations the ICO has reprimanded, along with details of each violation are linked below:
- The ICO has ordered these organisations to make improvements within three to six months or face further possible enforcement action.
Why it matters
- The ICO has said that it will “continue to support” organisations in meeting their obligations to individuals, and last week it published a blog entitled ‘Subject Access Requests: Getting the basics right’.
- According to the ICO’s blog, it receives over 35,000 complaints from people each year against organisations, the vast majority of which relate to difficulties in obtaining personal data.
- The blog goes on to examine the common themes emerging in organisations handling subject access requests and how to overcome them. Some of the key takeaways are:
- Keep customers informed
Customers value clear communication and are less inclined to complain to the ICO (complaints frequently require additional administrative work to investigate and address) if they receive suitable assurance that their request is being handled and are kept informed of progress, particularly where there are delays.
- Seek clarification if the request is unclear
The ICO sees many requests for all information held when the requester actually only wants information relating to a specific incident. Although organisations cannot require requesters to narrow the scope of a request, they can ask for more information to help locate the relevant material, such as the context in which the information may have been processed and the likely dates when the processing took place.
- Be proactive
If an organisation is dealing with a complex or particularly large SAR, it should consider sending out information in batches, with a timeframe for each batch, rather than delaying the entire response.
- Explain exemptions if they apply
Explaining why information was not disclosed helps individuals understand the rationale for withholding it. Organisations should keep a record of any decision to withhold information, so that it can be provided to the ICO if the ICO is asked to investigate.
- Use plain English
Avoid legal jargon in all communications and explain matters in a way that is easy to understand.
- Transparency is key
A significant number of complaints arise where an individual’s data was used in a way they did not expect or understand. Organisations should keep their privacy notices up to date, accessible and easy to understand, to reduce the likelihood of a complaint arising.