TikTok to face a potential £27 million fine from the ICO
Xcina Blog


In an age of constant technological and digital innovation, increasing regulatory requirements, and unprecedented fines, it is more crucial than ever for businesses to uphold their obligations to protect children’s privacy and safety online.

In this week’s issue of Data Protection – In Perspective, Natasha King examines a potential fine of £27 million from the ICO against TikTok, after an investigation found that it may have violated UK data protection law by failing to protect children’s privacy. She also takes a look at several reprimands issued by the ICO to organisations for failing to respond to subject access requests, as well as the latest guidance from the ICO on getting the basics right when handling such requests within your own organisation.

ICO announces possible fine of £27 million on TikTok for failing to protect children’s privacy

What happened

  • An ICO investigation concluded that TikTok may have violated UK data protection law by failing to protect children’s privacy when they use the TikTok platform, and that it may be subject to a fine of £27 million.
  • The ICO has issued TikTok Inc and TikTok Information Technologies UK Limited with a “notice of intent”. The notice sets out the ICO’s provisional view that TikTok breached UK data protection law between May 2018 and July 2020.
  • According to the findings of the ICO investigation, TikTok may have:
    • Processed children’s data under the age of 13 without obtaining the necessary parental consent;
    • Failed to provide users with accurate information in a clear, understandable manner; and
    • Processed special category data without having a valid legal basis for doing so.
  • The conclusions in the Commissioner’s notice are provisional. The ICO states that no inference should be drawn at this stage that there has been a breach of data protection law or that a fine will ultimately be imposed.
  • Before reaching a final decision, the ICO states that it will carefully consider any representations made by TikTok.
  • TikTok has stated that they do not agree with the ICO’s preliminary findings and that they intend to respond formally to the findings in due course.

Why it matters

  • If TikTok were to receive this fine, it would be the highest in the ICO’s history, surpassing the previous record fine of £20 million given to British Airways two years ago, following a cyber-attack in 2018 in which hackers stole the personal data of more than 400,000 staff and customers.
  • The Information Commissioner, John Edwards, said: “We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place but our provisional view is that TikTok fell short of meeting that requirement.”
  • The ICO is presently investigating how more than 50 different online services are adhering to the Children’s Code, Edwards added in the same statement.
  • He continued by saying that the ICO was looking into a number of digital service providers who, in his opinion, weren’t taking their obligations to protect children seriously enough.
  • TikTok is not the first social media platform to come under fire from regulators for failing to safeguard children’s privacy. As previously reported by Xcina Consulting, the Irish Data Protection Commission last month fined Instagram €405 million (£349 million) for allowing children to create profiles that showed their contact details to the public.

As the ICO reprimands seven organisations for not responding to subject access requests, how can you get the basics right?

What happened

  • Seven UK organisations have been reprimanded by the ICO for failing to respond to requests from the public for access to personal information held on them.
  • Under data protection legislation, organisations must respond to Subject Access Requests (SARs) within one month, which can be extended by up to a further two months where a request is complex or an individual has made a number of requests. However, an ICO investigation revealed that seven organisations from both the public and commercial sectors regularly breached this statutory timescale.
  • This has resulted in regulatory action including reprimands, as well as practice recommendations issued under the Freedom of Information Act 2000 (FOIA) in some cases.
  • According to the ICO, the organisations in question came to its attention after it received numerous complaints from individuals about their repeated failure to provide copies of the personal data they held, either in a timely manner or at all, in breach of the UK GDPR and the Data Protection Act 2018.
  • The seven organisations the ICO has reprimanded, along with details of each violation are linked below:
  • The ICO has ordered these organisations to make improvements within three to six months or face further possible enforcement action.

Why it matters

  • The ICO has said that it will “continue to support” organisations in meeting their obligations to individuals, and last week it published a blog entitled ‘Subject Access Requests: Getting the basics right’.
  • According to the ICO’s blog, it receives over 35,000 complaints from members of the public each year about organisations, the vast majority of which relate to difficulties in obtaining personal data.
  • The blog goes on to examine the common themes emerging in organisations handling subject access requests and how to overcome them. Some of the key takeaways are:
    • Keep customers informed

      Customers value clear communication and are less inclined to complain to the ICO (complaints frequently require additional administrative work to investigate and resolve) if they receive suitable assurance that their request is being handled and are kept informed of progress, particularly where there are delays.

    • Seek clarification if the request is unclear

      The ICO sees many requests for all information held when in fact the requester only wants information relating to a specific incident. Although organisations cannot require requesters to narrow the scope of their request, they can ask for more information to help locate the relevant material, such as the context in which the information may have been processed and the likely dates on which the processing took place.

    • Be proactive

      If an organisation is dealing with a complex or particularly large SAR, it should consider sending out the information in batches and giving the requester a timeframe for this, rather than delaying the entire response.

    • Explain exemptions if they apply

      Explaining why information was not shared helps individuals understand the rationale for withholding it. Organisations should keep a record of any decision to withhold information, so that it can be shared with the ICO if the ICO is asked to investigate.

    • Use plain English

      Avoid use of legal jargon in any communications and explain things in a way that is easily understandable.

    • Transparency is key

      A significant number of complaints arise where an individual’s data was used in a way they did not expect or understand. Organisations should keep their privacy notices up to date, accessible and easy to understand, to reduce the likelihood of a complaint arising.

We’d love to hear from you

Natasha is an experienced privacy professional with a proven ability to implement and manage successful data protection compliance programmes. Prior to joining Xcina Consulting, Natasha gained extensive knowledge and experience in dealing with complex privacy challenges across various sectors including the insurance industry, healthcare, education, and local government. She is a member of the International Association of Privacy Professionals (IAPP), holding a CIPP/E accreditation and is a certified BCS Practitioner in Data Protection.

To discuss how the areas highlighted in this post, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at info@xcinaconsulting.com. We’d love to hear from you.

Natasha King

Data Protection Consultant

Speak to me directly by Email, or
Telephone: +44 (0)20 3745 7826
