Spotlight on TikTok – ICO fines TikTok £12.7 million as global concerns relating to the app's security and data privacy practices continue to mount

On 4 April 2023, the ICO announced that it had fined TikTok £12.7 million for various data protection breaches related to the misuse of children's data. The ICO investigation found that between May 2018 and July 2020 TikTok had processed the data of more than one million children under the age of 13 without parental consent. Further, TikTok had been aware that children under the age of 13 were using the platform (in direct contravention of its terms of use), but had not taken any action to remove these users' accounts or to prevent continued use, nor did it do enough to check who was actually using the platform. TikTok also failed to provide proper information to users in a concise, transparent and easy-to-understand manner.

However, this fine represents a reduction of over 50% on the initial penalty amount (£27 million) proposed in the ICO's notice of intent issued in September 2022. According to the ICO, this reduction is a result of its decision, following representations made by TikTok, not to pursue a provisional finding that TikTok had also unlawfully processed special category data.

The ICO's enforcement action against TikTok comes at a time of increased scrutiny of the Chinese video sharing platform, as international data privacy concerns and security threats remain prevalent. Despite TikTok's success, with over 1 billion users across 154 countries at present, it has failed to adequately address global concerns that it may provide the Chinese government with access to sensitive user personal data (such as location data and biometric data). As a result, we have seen increasing efforts across the globe to restrict access to TikTok. See our summary of events below.

  • On 16 March 2023, the UK became the latest country to ban the use of TikTok on government devices, joining Belgium, Canada and the United States. Similarly, the European Commission and European Parliament have both banned TikTok from official devices. At present, the use of TikTok on government-issued devices in the United States has been banned in 32 states. In addition, the app has been blocked from some US college campus Wi-Fi networks and on US military devices.
  • Shortly following the UK's announcement came news that a group of MPs and members of the House of Lords (representing the Inter-Parliamentary Alliance on China) had written a letter to the UK's Information Commissioner, asking for a full investigation into whether TikTok's handling of personal data complied with UK data protection laws. While the ICO confirmed that the complaint would be reviewed in detail, it remains to be seen if this will result in any further ICO investigation or enforcement action related to TikTok's data protection compliance.
  • TikTok has indicated that it is determined to alleviate concerns regarding security threats and to fight against further action by lawmakers across the globe. It refers to such concerns as being based on misconceptions driven by wider geopolitics and, earlier in March, announced a comprehensive plan to protect European user data – Project Clover. TikTok describes Project Clover as being "a program focused on creating a secure enclave for European TikTok user data", with new measures relating to data access and controls, external oversight, privacy enhancing technologies and local data storage.
  • However, TikTok's announcement of a similar plan in the United States (Project Texas) has seemingly fallen flat as diplomatic tensions between the US and China continue to rise. Lawmakers in the US have now advanced a bill that would allow the government to ban the use of TikTok. In addition, TikTok's chief executive recently appeared before Congress to provide testimony about TikTok's relationship with its parent company and the app's link to China as US lawmakers seek reassurance that TikTok can be trusted to safeguard US users' data.