TikTok – Data privacy considerations from personal use bans to representative actions

TikTok – Data privacy considerations from personal use bans to representative actions

TikTok’s prevalence in the media regarding the implications the platform has on user privacy has increased in recent months.  This article will provide a brief overview of the current developments facing the entertainment platform in both the US and the UK and consider the privacy implications such developments bring.

US efforts to ban the use of TikTok

Dialogue surrounding the ban of TikTok for personal use in the US has become ever more commonplace in recent times.  Following an order, signed by President Biden, which prohibited TikTok from being used on government devices, a natural consideration stemming from this was for U.S. States (“States”) to reflect upon whether a personal user ban for the app would be necessary or, indeed feasible.  With heightened concerns surrounding national security, stemming from potential user surveillance, the stage was set for States to contemplate a ban on individual use of TikTok.  The State of Montana has become the first to commence the implementation of a personal ban for the app with Bill SB 419 (the “Bill”), passed in the State House by a vote of 54-43 in April and approved by Governor Greg Gianforte in May 2023.  The now approved Bill displays the extent State law may go to regarding user privacy regulation generally.  Concerns surrounding the challenges in enforcement are already being discussed by supporters and critiques alike, with the availability of VPNs being noted as one likely method users could engage in to circumvent a ban of this nature.  While a watch this space attitude towards the Bill’s impact and enforcement concerns are prevalent, one thing remains clear, the US continues to regard State and personal user privacy as drivers for policy development in this space.

UK Regulator Enforcement and Representative Actions Against TikTok

Moving to the UK, the Information Commissioner's Office (“ICO”) recently handed down a substantial GPB 12.7 million fine for TikTok’s misuse of children’s data.  The ICO commented that more than one million children under the age of 13 were estimated to have used the platform in 2020.  This fine is not only significant in terms of its magnitude but is also timely as it follows a proposed representative action, since withdrawn, against the platform that commenced in 2022.  While there is no class action regime per se for privacy actions in the UK, there are avenues under the UK’s Civil Procedure Rules for such a suit to be taken.  Under the Civil Procedure Rules, a proposed class action against TikTok was given the green light to proceed in early 2022 concerning the breach of children’s data privacy rights on the platform (“2022 TikTok Matter”).  This ruling appeared to provide hope to claimants in the wake of the 2021 Lloyd v Google case in which the UK Supreme Court held that a class action was not permissible as damage would require proof of financial loss or mental distress.  In the 2022 TikTok Matter, a loss of control of data was not held to satisfy this. Furthermore, proof of loss suffered by the class in question under the Data Protection Act 1998 required an individual assessment. Such an assessment diverged from the principles of representative claims in which each claimant in the class has the ‘same interest’. 

Interestingly the 2022 TikTok Matter was ultimately withdrawn.  Some commentary surrounding the withdrawal cited the ruling in Lloyd v Google as the reason for this, thus, reinforcing the uncertain nature of representative actions in the UK and the risk of failure in seeking to bring this type of action.  Nevertheless, arguments were accepted by the court in the 2022 TikTok Matter that the current UK GDPR regime, which was updated to include non-material damage, is differentiated from the former data protection regime in the Lloyd case.  It is possible that a court will consider this distinction in applicable laws in a future decision but given that Lloyd took place at the Supreme Court level in the UK, this appears an uphill battle.  In addition, the significance of the ICO fine in this respect cannot be understated as, until such a time that UK precedent supports data privacy representative actions for a loss of non-material damage, fines handed down from the ICO appear to be the only avenue to reprimand breaches of data privacy against social media platforms.

How Will Regulators Address TikTok Data Privacy Concerns?

Following the above developments, TikTok faces continued scrutiny in the US, a significant user base for the app, and risks further personal bans should other State’s follow Montana’s lead. However, enforcement concerns associated with Montana’s recent Bill are already evident and the impact of a personal ban in practice is awaited.  In the UK, future developments surrounding representative actions in this space are welcomed to provide clarity for businesses and claimants alike.  For now, despite several countries outside of the US also having implemented bans of the app on government devices, the platform remains one of the leading personal entertainment apps and this position has not been impacted by recent developments.