• 3 min read

Data Protection Quarterly News Roundup (April to June 2023)


This is our second quarterly news update of 2023 and as always seems to be the case in the world of data protection it has been another busy quarter. Our highlights are set out below: 

ICO issues £12.7m fine against TikTok

The Information Commissioner’s Office (ICO) issued its first UK GDPR fine of the year against TikTok for £12.7m. The focus of this investigation was on the use of TikTok by children under 13, meaning that personal data about them was being collected by TikTok without parental consent. TikTok’s rules state that children under 13 are not permitted to use the platform but TikTok was found, in the relevant period under investigation, not to have done enough to enforce this rule.  The ICO also found that TikTok breached the UK GDPR between May 2018 and July 2020 by:

  • Failing to provide proper information to people using the platform about how their data was collected, used, and shared in a way that was easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
  • Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.

Inevitably TikTok are already in the process of appealing this decision but it reminds us of the importance of privacy notices being comprehensive but also easy for the general public to understand (including children where the service could be used by them).

Irish data protection authority issues fine against Meta

Another huge fine was announced, this time against Meta (aka Facebook), by the Irish data protection authority, see our news alert here. The more recent news on this decision is that Meta have been granted an interim stay by the Irish courts which pauses their obligation to do anything as a result of the decision and it seems that the new EU-US adequacy decision will be implemented within the month which may well ease a lot of Meta’s problems.

Fines handed down for unlawful marketing calls

The ICO also continued its regular handing down of fines under PECR (the Privacy and Electronic Communications Regulations), this time fining two organisations a total of £180,000 for making hundreds of thousands of unlawful marketing calls. This decision is a good reminder to organisations who make marketing calls to either individuals or organisations that telephone numbers must be checked against the Corporate Telephone Preference Service (CTPS) and the Telephone Preference Service (TPS) “do not call” registers unless the recipient has provided specific consent to your organisation to receive the call.

Data protection reforms on their way

Linked to the above, the UK data protection reforms are still making their way through parliament. These reforms propose to bring PECR fines in line with the huge potential fines which can be issued for breaches of the UK GDPR so now is the time for all organisations to ensure they are familiar with the requirements of PECR, particularly around direct electronic marketing. 

Growing AI concerns sparks move towards regulation

Artificial intelligence (AI) remains at the forefront of data protection specialists minds. See our news alert article from May here. More recently we are seeing a move by the government towards a more regulation focused approach to AI given growing concerns about its use.

UK/US data bridge for processing personal data

As we await news on final approval of the EU / US adequacy decision we received news in June that the UK and the US have committed in principle to establish a data bridge (the UK’s new name for adequacy decisions / regulations) which once implemented would allow for the free flow of personal data between the two countries. Although likely some way off this would be good news for organisations wishing to use US suppliers to process personal data as it would remove the need for appropriate safeguards and transfer risk assessments.

ICO resources for DSARs requests

Finally, the ICO has issued new resources for employers dealing with data subject access requests (DSARs) received from current and former employees. Employee DSARs are becoming a common element of grievance and disciplinary processes and employment tribunal proceedings and dealing with DSARs in an already contentious situation must be done carefully and lawfully. You can access the new resources here and here.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away

Make an enquiry