A large fine to TikTok but ICO's power doesn't end there

Published: April 4, 2023

The ICO has issued another headline-grabbing fine to a social media company – this time to TikTok, who have been fined £12.7 million for misusing children’s data, in particular by processing personal data of children aged under 13 without parental consent and taking insufficient steps to check the age of those using their platform and removing those underage.

It is often the big fines that are quoted when trying to explain why compliance with data protection laws is important – and of course, monetary penalties (which can be up to £17.5 million of 4% of total annual global turnover in the preceding financial year, whichever is higher) are significant. However, it is important to remember that issuing monetary penalties is not the only power available to the ICO.

Under the UK GDPR, the ICO has wide-ranging investigative and corrective powers, which include the ability to carry out investigations (including obtaining access to all information, personal data, and even the premises of a controller or processor), and to issue warnings, reprimands, orders to do certain things (such as complying with data subject rights) and even to impose a temporary or permanent ban on processing of personal data. These, in particular the restriction of processing or sharing of data with third countries or international organisations, could seriously inhibit a company’s ability to carry out its normal functions, even without a monetary penalty being issued.

If you have any concerns about your compliance with data protection laws, please contact a member of our data protection team.