ICO Warns TikTok Of Possible £27m Fine

British data protection watchdog says TikTok’s failed to protect children’s privacy and may have breach UK data protection laws

The Information Commissioner’s Office (ICO) has issued TikTok with a warning it could be fined millions of pounds.

The UK’ data protection watchdog announced on Monday that TikTok could face a £27 million fine after an investigation found it may have breached UK data protection law, for failing to protect children’s privacy when using the TikTok platform.

TikTok is hugely popular among the young, but security worries surround the platform, which is owned by China-based ByteDance. A number of MPs in August warned that TikTok data “is routinely transferred to China.”


Possible fine

China-based firms are legally obliged under the Chinese ‘2017 Intelligence Security law’ to hand over data to Beijing if requested.

TikTok has previously insisted it has never provided user data to the Chinese government, and its user data is stored in the US and Singapore – moving to Ireland in 2023 when its new data centre opens.

But this week after an investigation, the UK’s ICO has issued TikTok Inc and TikTok Information Technologies UK Limited (‘TikTok’) with a ‘notice of intent’ – a legal document that precedes a potential fine.

The notice sets out the ICO’s provisional view that TikTok breached UK data protection law between May 2018 and July 2020.

The ICO investigation apparently found the company may have:

  • processed the data of children under the age of 13 without appropriate parental consent;
  • failed to provide proper information to its users in a concise, transparent and easily understood way, and;
  • processed special category data, without legal grounds to do so.

The ICO did however state that its findings in the notice are provisional, and no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed.

It said it would carefully consider any representations from TikTok before taking a final decision.

Fell short?

“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” said Information Commissioner, John Edwards. “Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”

“I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary,” said Edwards.

“In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough,” said Edwards.

Companies who breach the UK GDPR and/or the Data Protection Act can be fined up to £17.5 million or 4 percent of the company’s annual global turnover, whichever is higher