The UK’s privacy watchdog has cleared a major hurdle in its long-running bid to fine TikTok over alleged UK GDPR infringements, after a tribunal ruled in its favor.

The “First-tier Tribunal” decision confirmed that the Information Commissioner’s Office (ICO) did in fact have the power to issue a monetary penalty notice (MPN) to the Chinese social media giant.

The original £12.7m ($17.3m) fine was issued by the ICO for multiple infringements of the UK GDPR – notably Articles 8, 12, 13 and 5(1)(a).

It said that:

In 2020, an estimated 1.4 million children under 13 used TikTok, contrary even to the firm’s rules

Personal data belonging to those children was used to offer them services, without TikTok first gaining parental consent

TikTok didn’t do enough to check who was using its platform or identify and remove children under 13

TikTok had argued in the tribunal hearing that its data processing in this context was for artistic purposes, so the “special purposes” provisions of the GDPR applied. These place restrictions on ICO enforcement, meaning the regulator issued the MPN without legal authority, TikTok’s lawyers claimed.

However, the tribunal found that the MPN was primarily concerned with the processing of personal information of children under 13, and so the special purposes provision didn’t apply.

A Long Way to Go

UK information commissioner, John Edwards, welcomed the decision.

“It is a significant step forward in our being able to hold TikTok, and other similar platforms, to account for how they use people’s information, particularly children’s, when providing their online services,” he said.

“This isn’t just a successful outcome for the ICO – it’s a win for the public and allows us to continue to safeguard and protect children across the digital world.”

However, there still some way to go. TikTok has the right to appeal to the Upper Tribunal, and even if that fails, it will then proceed to “a full hearing on the substantive issues raised in TikTok’s appeal,” according to the ICO.

The fine was originally issued in 2023, highlighting the long time frames involved in such cases. It’s a common concern of privacy advocates – that big-pocketed tech firms tie up MPN rulings in lengthy legal battles that sometimes see fines quashed.

This has led some to question the efficacy of issuing fines to enforce compliance and whether a better approach could be to hold senior management personally liable for failings.

In the meantime, the ICO in March launched another investigation into TikTok and other tech firms over the use of children’s personal information.