The TikTok GDPR Fine

In recent months, TikTok has been accused of aggressive data harvesting and poor security issues. A number of governments have now taken a view that the video sharing platform represents an unacceptable risk that enables Chinese government surveillance. In March, UK government ministers were banned from using the TikTok app on their work phones. The United States, Canada, Belgium and India have all adopted similar measures. 

On 4th April 2023, the Information Commissioner’s Office (ICO) issued a £12.7 million fine to TikTok for a number of breaches of the UK General Data Protection Regulation (UK GDPR), including failing to use children’s personal data lawfully. This follows a Notice of Intent issued in September 2022.

Article 8(1) of the UK GDPR states the general rule that when a Data Controller is offering an “information society services”  (e.g. social media apps and gaming sites) directly to a child, and it is relying on consent as its lawful basis for processing, only a child aged 13 or over is able provide their own consent. For a child under 13, the Data Controller must seek consent from whoever holds parental responsibility. Article 8(2) further states:

“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”

In issuing the fine, the ICO said TikTok had failed to comply with Article 8 even though it ought to have been aware that under 13s were using its platform. It also failed to carry out adequate checks to identify and remove underage children from its platform. The ICO estimates up to 1.4 million UK children under 13 were allowed to use the platform in 2020, despite TikTok’s own rules not allowing children of that age to create an account.

The ICO investigation found that a concern was raised internally with some senior employees about children under 13 using the platform and not being removed. In the ICO’s view TikTok did not respond adequately. John Edwards, the Information Commissioner, said:

“TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”

In addition to Article 8 the ICO found that, between May 2018 and July 2020, TikTok breached the following provisions of the UK GDPR:

  • Article 13 and 14 (Privacy Notices) – Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
  • Article 5(1)(a) (The First DP Principle) – Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner. 

Notice of Intent

It is noticeable that this fine is less than half the amount (£27 million) in the Notice of Intent. The ICO said that it had taken into consideration the representations from TikTok and decided not to pursue its provisional finding relating to the unlawful use of Special Category Data. Consequently this potential infringement was not included in the final amount of the fine.

We have been here before! In 2018 British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine in July 2020 was for £20 million. Marriott International Inc was fined £18.4 million in 2020; much lower than the £99 million set out in the original notice. Some commentators have argued that the fact that fines are often substantially reduced (from the notice to the final amount) suggests the ICO’s methodology is flawed.

An Appeal?

In a statement, a TikTok spokesperson said: 

“While we disagree with the ICO’s decision, which relates to May 2018 to July 2020, we are pleased that the fine announced today has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps.”

We suspect TikTok will appeal the fine and put pressure on the ICO to think about whether it has the appetite for a costly appeal process. The ICO’s record in such cases is not great. In 2021 it fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients. The Cabinet Office appealed against the amount of the fine arguing it was “wholly disproportionate”. A year later, the ICO agreed to a reduction to £50,000. Recently an appeal against the ICO’s fine of £1.35 million issued to Easylife Ltd was withdrawn, after the parties reached an agreement whereby the amount of the fine was reduced to £250,000.

The Children’s Code

Since the conclusion of the ICO’s investigation of TikTok, the regulator has published the Children’s Code. This is a statutory code of practice aimed at online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children. The code sets out 15 standards to ensure children have the best possible experience of online services. In September, whilst marking the Code’s anniversary, the ICO said:

“Organisations providing online services and products likely to be accessed by children must abide by the code or face tough sanctions. The ICO are currently looking into how over 50 different online services are conforming with the code, with four ongoing investigations. We have also audited nine organisations and are currently assessing their outcomes.”

With increasing concern about security and data handling practices across the tech sector (see the recent fines imposed by the Ireland’s Data Protection Commission on Meta) it is likely that more ICO regulatory action will follow. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates

Law Firm Fined For GDPR Breach: What Went Wrong? 

On 10th March the Information Commissioner’s Office (ICO) announced that it had fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.

The fine follows a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.  Some of the files included Special Category Data. Clearly this was a personal data breach, not just for the fact that data was released on the dark web, but because of the unavailability of personal data (though encryption by the attacker) which is also cover by the definition in Article 4 GDPR. Tuckers reported the breach to the ICO as well as affected individuals through various means including social media

The ICO found that between 25th May 2018 (the date the GDPR came into force) and 25th August 2020 (the date on which the Tuckers reported the personal data breach), Tuckers had contravened Article 5(1)(f) of the GDPR (the sixth Data Protection Principle, Security) as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The ICO found its starting point for calculating the breach to be 3.25 per cent of Tuckers’ turnover for 30 June 2020. It could have been worse; the maximum for a breach of the Data Protection Principles is 4% of gross annual turnover.

In reaching its conclusions, the Commissioner gave consideration to Article 32 GDPR, which requires a Data Controller, when implementing appropriate security measures, to consider:

 “…the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.

What does “state of the art” mean? In this case the ICO considered, in the context of “state of the art”, relevant industry standards of good practice including the ISO27000 series, the National Institutes of Standards and Technology (“NIST”), the various guidance from the ICO itself, the National Cyber Security Centre (“NCSC”), the Solicitors Regulatory
Authority, Lexcel and NCSC Cyber Essentials.

The ICO concluded that there are a number of areas in which Tuckers had failed to comply with, and to demonstrate that it complied, with the Security Principle. Their technical and organisational measures were, over the relevant period, inadequate in the following respects:

Lack of Multi-Factor Authentication (“MFA”)

MFA is an authentication method that requires the user to provide two or more verification factors to gain access to an online resource. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack e.g. a code from a fob or text message. Tuckers had not used MFA on its remote access solution despite its own GDPR policy requiring it to be used where available. 

Patch Management 

Tuckers told the ICO that part of the reason for the attack was the late application of a software patch to fix a vulnerability. In January 2020 this patch was rated as “critical” by the NCSC and others. However Tuckers only installed it 4 months later. 

Failure to Encrypt Personal data

The personal data stored on the archive server, that was subject to this attack, had not been encrypted. The ICO accepted that encryption may not have prevented the ransomware attack. However, it would have mitigated some of the risks the attack posed to the affected data subjects especially given the sensitive nature of the data.

Action Points 

Ransomware is on the rise. Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place:

  1. Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials. The ICO noted that in October 2019, Tuckers was assessed against the Cyber Essentials criteria and found to have failed to meet crucial aspects. The fact that some 10 months later it had still not resolved this issue was, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.
  2. Making sure everyone in your organisation knows the risks of malware/ransomware and follows good security practice. Our GDPR Essentials e learning solution contains a module on keeping data safe.
  3. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop

More useful advice in the ICO’s guidance note on ransomeware and DP compliance.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.

advanced_cert

GDPR Fine for Charity E Mail Blunder

A Scottish charity has been issued with a £10,000 monetary penalty notice following the inadvertent disclosure of personal data by email. 

On 18th October, HIV Scotland was found to have breached the security provisions of the UK GDPR, namely Articles 5(1)(f) and 32, when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. 

The Information Commissioner’s Office (ICO) is urging organisations to revisit their bulk email practices after its investigation found shortcomings in HIV Scotland’s email procedures. These included inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy (bcc) and an inadequate data protection policy. It also found that despite HIV Scotland’s own recognition of the risks in its email distribution and the procurement of a system which enables bulk messages to be sent more securely, it was continuing to use the less secure bcc method seven months after the incident.

On the point of training, HIV Scotland confirmed to the ICO that employees are expected to complete the “EU GDPR Awareness for All” on an annual basis.  The ICO recommended that staff should receive induction training “prior to accessing personal data and within one month of their start date.” Act Now’s e learning course, GDPR Essentials, is designed to teach employees about the key provisions of GDPR and how to keep personal data safe. The course is interactive with a quiz at the end and can be completed in just over 30 minutes. Click here to watch a preview. 

HIV Scotland was also criticised for not having a specific policy on the secure handling of personal data within the organisation. It relied on its privacy policy which was a public facing statement covering points such as cookie use, and data subject access rights; this provided no guidance to staff on the handling of personal and what they must do to ensure that it is kept secure. The Commissioner expects an organisation handling personal data, to maintain policies regarding, amongst other things, confidentiality (see our GDPR policy pack).

This is an interesting case and one which will not give reassurance to the Labour Relations Agency in Northern Ireland which had to apologise last week for sharing the email addresses and, in some cases ,the names of more than 200 service users. The agency deals confidentially with sensitive labour disputes between employees and employers. It said it had issued an apology to recipients and was currently taking advice from the ICO.

Interestingly the ICO also referenced in its ruling, the fact that HIV Scotland made a point of commenting on a similar error by another organisation 8 months prior. In June 2019, NHS Highland disclosed the email addresses of 37 people who were HIV positive. It is understood the patients in the Highlands were able to see their own and other people’s addresses in an email from NHS Highland inviting them to a support group run by a sexual health clinic. At the time HIV Scotland described the breach as “unacceptable”. 

The HIV Scotland fine is the second one the ICO has issued to a charity in the space of 4 months. On 8th July 2021, the transgender charity Mermaids was fined £25,000 for failing to keep the personal data of its users secure. The ICO found that Mermaids failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Charities need to consider these ICO fines very carefully and ensure that they have polices, procedures and training in place to avoid enforcement action by the ICO. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in January.

First ICO GDPR Fine Reduced on Appeal

photo-1580971266928-ff5d40c194a7

The first GDPR fine issued by the Information Commissioner’s Office (ICO) has been reduced by two thirds on appeal.

In December 2019, Doorstep Dispensaree Ltd, a company which supplies medicines to customers and care homes, was the subject of a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. Following an investigation, the ICO ruled that the company had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The ICO launched its investigation after it was alerted by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the company.

The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. It also issued an Enforcement Notice after finding, amongst other things, that the company’s privacy notices and internal policies were not up to scratch.

On appeal, the First Tier Tribunal (Information Rights) ruled that the original fine of £275,000 should be reduced to £92,000. It concluded that 73,719 documents had been seized by the MHRA, and not approximately 500,000 as the ICO had estimated. She also held that 12,491 of those documents contained personal data and 53,871 contained Special Category Data.

A key learning point from this appeal is that data controllers cannot be absolved of responsibility for personal data simply because data processors breach contractual terms around security. The company argued that, by virtue of Article 28(1) of GDPR, its data destruction company (JPL) had become the data controller of the offending data because it was processing the data otherwise than in accordance with their instructions. In support of this argument it relied on its contractual arrangement with JPL, under which JPL was only authorised to destroy personal data in relation to DDL- sourced excess medication and equipment and must do so securely and in good time. 

The judge said:

“The issue of whether a processor arrogated the role of controller in this context must be considered by reference to the Article 5(2) accountability principle. This provides the controller with retained responsibility for ensuring compliance with the Article 5(1) data processing principles, including through the provision of comprehensive data processing policies. Although it is possible that a tipping point may be reached whereby the processor’s departure from the agreed policies becomes an arrogation of the controller’s role, I am satisfied that this does not apply to the facts of this case.” 

This case shows the importance of data controllers keeping a close eye on data processors especially where they have access to or are required to destroy or store sensitive data. Merely relying on the data processor contract is not enough to avoid ICO enforcement. 

Our  GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.

%d bloggers like this: