ICO takes cautious approach as TikTok faces £27m fine

The Information Commissioner’s Office has warned TikTok it faces a £27m fine following an investigation that found the company “may have” breached UK data protection law, failing to protect children’s privacy when using the platform.

The threat comes in an ICO “notice of intent” issued to TikTok Inc and TikTok Information Technologies UK, which sets out the regulator’s provisional view that TikTok breached UK GDPR between May 2018 and July 2020.

While the ICO falls short of going in all guns blazing – notice of intent monetary penalties against British Airways, Marriott International and ClearView all ended up being substantially reduced – the regulator’s investigation found the company “may have” processed the data of children under the age of 13 without appropriate parental consent; failed to provide proper information to its users in a concise, transparent and easily understood way, and; processed special category data, without legal grounds to do so.

The Commissioner is at pains to point out that the findings in the notice are only provisional, adding that “no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed. We will carefully consider any representations from TikTok before taking a final decision”.

Information Commissioner John Edwards said: “We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.

“I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary. In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”

The first sign that TikTok was under investigation by the ICO came in 2019, when then Information Commissioner Elizabeth Denham told Parliament that the social media giant was facing a probe.

At the time, Denham said: “We are looking at the transparency tools for children. We’re looking at the messaging system, which is completely open, we’re looking at the kind of videos that are collected and shared by children online. We do have an active investigation into TikTok right now, so watch this space.”

Since then, despite numerous ongoing investigations, the company has only been fined in South Korea and the Netherlands, although it was forced to pay compensation in the US.

TikTok has also managed to swerve a potentially damaging High Court data protection class action after former children’s commissioner for England Anne Longfield decided to withdraw her legal action, citing the financial risks for the parents of those involved.