TikTok Faces £27m Fine in UK for Privacy Violations

September 27, 2022 | 5 minutes read

On Monday, September 26, 2022, it was reported that the Chinese short-form video hosting service and social media platform TikTok was facing a £27m ($29 million) fine for violating the UK’s data protection law. More specifically, TikTok is accused of collecting and processing the personal information of children under the age of 13 between May 2018 and July 2020, a clear violation of the EU’s landmark General Data Protection Regulation (GDPR). For reference, despite the fact that the UK left the EU in January 2020, the provisions of the GDPR were still in full effect within the nation prior to the country’s exit from the supranational political and economic union.

Under the provisions of the GDPR, businesses and organizations that serve customers within EU member states are prohibited from collecting the personal data of children under the age of 13 without the consent of the parents or guardians of said children. Nevertheless, the inherent nature of social media can make these rules difficult to abide by, as virtually all social media websites allow users to enter their own age when creating an account. In spite of this, however, many nations across Europe have made a point to punish social media companies that fail to adhere to the provisions of the GDPR, as evidenced by the recent enforcement decisions that have been made within the nations of Ireland and Luxembourg respectively in the last calendar year alone.

The UK’s Information Commissioner’s Office (ICO)

In terms of the particulars of the allegations that have been raised against TikTok this week, an article written by the British daily newspaper the Guardian has stated that “The ICO issued TikTok with a “notice of intent”, a precursor to handing down a potential fine, which could be up to £27m. The regulator’s “provisional view” is that TikTok may have processed the data of children under the age of 13 without parental consent, and failed to provide proper information to its users in a “concise, transparent and easily understood way.”

What’s more, the ICO has also accused TikTok of collecting and processing the special category data of children within the UK. For context, the GDPR also establishes various categories of personal data that are supposed to be protected by a higher standard than what is afforded to less sensitive forms of personal data. Examples of personal information that is considered to be special category data under the GDPR include data pertaining to religious beliefs, political opinions, biometric and healthcare data, genetic data, and trade union membership, among other things.

Notice of intent

To this last point, the notice of intent that the UK’s ICO issued TikTok this week sets the stage for a heft fine. Likewise, John Edwards, the current commissioner of the ICO, was quoted as saying that “Companies providing digital services have a legal duty to put those protections in place but our provisional view is that TikTok fell short of meeting that requirement.” Subsequently, while the ICO is still reportedly determining whether or not TikTok did, in fact, violate the GDPR between May 2018 and July 2020, a monetary penalty of £27m would be the highest fine to ever be imposed against a business in the history of the ICO, as the highest fine as of 2022 was a record £20m penalty that was levied against British Airlines in response to a 2018 data breach.

TikTok’s data collection practices

The allegations that have been aimed at TikTok this week by the UK’s ICO are just another one of many privacy violations that the social media company is accused of engaging in during the course of the past few years. To illustrate this point further, a report that was released by Australian-US cybersecurity firm Internet 2.0 in July of this year exposed various inconsistencies in the manner in which TikTok collects personal data from its millions of users. As stated by Robert Potter, co-CEO of Internet 2.0 and one of the editors of the report, “When the app is in use, it has significantly more permissions than it really needs. It grants those permissions by default. When a user doesn’t give it permission … [TikTok] persistently asks.”

Given this background information, the notion of TikTok collecting the personal information of underaged users of their platform without the appropriate level of parental guidance or consent is not difficult to imagine. This being said, Potter goes on to state that “The application can and will run successfully without any of this data being gathered. This leads us to believe that the only reason this information has been gathered is for data harvesting.” While the accusations of TikTok harvesting the personal information of online users would exceed even those that were imposed by the ICO this week, it is clear that TikTok is collecting and processing personal data in a fashion that is not consistent with data privacy legislation.

In addition to the claims that were raised against TikTok in the UK this week, the social media company was also accused of changing its privacy policy last year, after consumers and privacy advocates alike raised concerns about the manner in which the social media platform had been collecting the biometric data of its users. Moreover, leaked audio recordings that were exposed in June of this year also confirmed that TikTok employees based in China had been permitted to access the personal data of U.S. citizens, in accordance with accusations made by various politicians in the past few years, including the former U.S. President Donald Trump, among others. For these reasons, TikTok will have to reexamine the fashion in which the social media platform collects personal data, or face the consequences of failing to comply with the world’s various data privacy laws.