Is the clock TikTok-ing towards a fine?


Department:
Media Law

The UK regulator of data protection, the Information Commissioner’s Office (ICO), has announced this week that the social media giant TikTok could be fined £27 million following an investigation which has found that TikTok may have breached UK data protection laws by failing to protect children’s privacy.

Under data protection legislation, the ICO has the power to fine an organisation £17.5 million or 4% of the worldwide turnover.

It’s important to stress that at this stage, this is a preliminary view and TikTok will have an opportunity to make representations to the ICO which means that the position could change.

At a time when the Online Safety Bill is progressing through Parliament, tech and social media giants are under the spotlight. In its media release, the ICO has confirmed that it is investigating 50 different online services.

Back in July 2019, when the ICO responded to the Government’s Online Harms White Paper, it confirmed that it was investigating TikTok in relation to how TikTok obtains and uses children’s personal data. At that time, the ICO also mentioned that the Federal Trade Commission (FTC) had already fined TikTok. Back in February 2019, the FTC confirmed that TikTok had agreed to pay $5.7 million.

In 2019, the ICO confirmed that it would be “examining how the app meets the GDPR requirements for better protections of children’s personal data.”

At around the same time, TikTok had stated that it was equipped with a “robust array” of “industry-leading safety features” such as a gate which requires EU users (which includes the UK) to be over the age of 13 to create an account on TikTok, digital wellbeing tools to limit screentime, a 12+ rating and in-app reporting tools.

The subsequent ICO investigation found that between May 2018 and July 2020 the company may have:

  • processed the data of children under the age of 13 without appropriate parental consent,
  • failed to provide proper information to its users in a concise, transparent and easily understood way, and
  • processed special category data, without legal grounds to do so.

Article 8 of the UK GDPR states that a data controller may only process personal data of a person under the age of 13 with the consent of a parent and therefore, in the absence of consent, data controllers should not be processing personal data.

The next stage is for TikTok to make representations to the ICO, and it remains to be seen if a £27 million fine is imposed, or indeed if TikTok will make representations. It does seem a drop in the ocean for an organisation estimated to have a worldwide turnover of $4.6 billion. The outcome of the ICO’s investigation may have wider implications for data controllers who process the data of those under 13 years old.
