TikTok: Why the ICO fined them £12.7m

On 4 April 2023, the ICO fined TikTok Ltd and TikTok Inc £12.7 million for breaching the UK GDPR. This represents over a 50% reduction from the £27m fine included in their September 2022 notice of intent.

The ICO’s press release explains this reduction was because it didn’t pursue its provisional finding in relation to TikTok's unlawful use of special category data. This therefore appears to evidence the ICO’s commitment to be “more deliberate about what [they] investigate […] [to] provide the most benefit and certainty to the public and organisations ” (outlined in the Commissioner’s March 2023 speech).

The ICO’s final monetary penalty notice, published over a month after announcing the fine, provides particularly long and detailed explanations for the fine and thereby provides guidance in several important areas for other organisations.

(Joint) Controllers rather than processor relationship

The ICO found that TikTok Inc and TikTok Ltd were both controllers in respect of the personal data of the platform’s UK users, rather than TikTok Ltd being a processor. The factors the ICO considered included that TikTok Ltd had decision making powers in relation to data processing, e.g. by conducting activities such as sales operations and marketing, and that TikTok’s head of child safety public policy Europe was employed by TikTok Ltd, whose role was to provide “strategic guidance to internal teams.”

Although the notice suggests the ICO considered TikTok Ltd and TikTok Inc to be joint controllers, disappointingly the ICO did not provide details of its assessment on this, which would have been of use to others given the uncertainty in this area.

Contract cannot be used as legal basis for processing

Although TikTok’s T’s&C’s restrict use of the platform to those aged 13+, the ICO estimated there were 1.1 to 1.4 million TikTok users under 13 during the relevant period. Organisations directly offering information society services to children under 13 must collect parental consent. However, the ICO found that TikTok neither sought parental consent nor made reasonable efforts to prevent the children from accessing its platform.

The ICO concluded that TikTok could not rely on contractual necessity for its processing as it had failed to “justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose”. In any event, the ICO stated that children lack the capacity to enter a contract and so there was no binding contract that could be relied upon.

The ICO’s interpretation of contractual necessity therefore appears to align with the EDPB’s stance in the Irish DPC’s Facebook and Instagram decisions, where the EDPB decided behavioural advertising is not necessary for the performance of a contract with Facebook and Instagram users.

Inadequate information in privacy notice 

The ICO also found that TikTok did not comply with its transparency obligations, as it failed to provide the necessary information in a concise, transparent, intelligible and easily accessible form. For example, the ICO held that TikTok’s privacy notice didn’t provide:

• links between the category of personal data, the purpose of its processing and the legal basis relied upon for that processing,
• a full list of categories and named third party recipients with whom personal data was shared, and
• information about data subjects’ rights in relation to their personal data.

The ICO concluded that these failings meant that users, particularly children, were unlikely to be able to make an informed choice about providing their personal data to TikTok.

Undoubtedly informed by the context, the ICO put forward an absolutist line on the need for controllers to comply with the requirements of completeness and intelligibility in privacy notices (seemingly countering the more pragmatic view endorsed by the FTT in the recent Experian decision which is under appeal).

While the ICO is positioning itself as a pro-innovation regulator, this judgement makes clear that it will continue to enforce the basics of GDPR compliance, particularly where children’s data is at stake. All organisations should bear this in mind therefore when considering their GDPR compliance.