Class action launched against TikTok – A timely reminder of data breaches and remedies

Readers will have no doubt come across media coverage of the representative claim being brought by Anne Longfield, former Children’s Commissioner for England, against video-sharing app TikTok. In what appears to be a deluge of data protection infringements being committed by technology companies, other technology giants including Facebook, Oracle and Salesforce are also facing large representative claims issued against them for data protection infringements.

What is the TikTok case about?

In December 2020, a legal claim against TikTok and ByteDance was filed in the High Court alleging misuse of private information and unlawful processing of data in breach of the EU General Data Protection Regulation (EU GDPR). Approval to bring a representative claim on behalf of an anonymous 12 year old girl was won by Anne Longfield on 30 December 2020, and the claim is currently being brought as a representative action on behalf of children under the age of 16 (under 13 in the UK) who are resident in the UK or the EEA since 25 May 2018 and who have used the TikTok and/or Musical/ly apps (the latter being TikTok’s predecessor). The case reference is SMO (a child) (by their litigation friend (acting as a representative claimant pursuant to CPR 19.6)) v TikTok Inc and others [2020] EWHC 3589 (QB).

The claim alleges that TikTok and ByteDance have breached UK and EU children’s data protection law (EU GDPR and UK GDPR), by misleading parents on the exposure of their children’s private information when they are using the video-sharing app and subsequently transferring that private information to third parties. The claim argues that TikTok has failed to be transparent on the extent of the children’s data it processes and the purposes for which children’s private information is collected. The information which is collected from children and processed by TikTok includes their date of birth, email address, telephone number, biometric data, profile pictures and/or videos, browsing history and the physical location of a child’s phone or device.

Anne Longfield has indicated that she is seeking a declaration, ‘damages, an injunction, and orders for erasure of data against TikTok Inc’.  Damages are being sought in the thousands of pounds per child, and figures published by Bloomberg and Ofcom would suggest millions of children regularly use TikTok.

What is the current status of the case?

The case is currently stayed pending the outcome of Google’s appeal in the landmark case of Lloyd v Google LLC which was heard by the Supreme Court on 28 and 29 April, and which will undoubtedly have a bearing on how the claim against TikTok is pursued. As mentioned in our recent article (available here), determinations such as the level of damages payable for the misuse of data in breach of the Data Protection Act and the EU Data Directive, and whether all consumers whose data has been misused suffer the same damage will be critical in paving the way forward not only for the TikTok claim but also for other similar cases.

What happens next?

Should the Supreme Court confirm the Court of Appeal’s decision in Lloyd v Google LLC, this could open pandora’s box and allow other data protection infringement claims to proceed within in a plethora of areas:

• Using cookies to collect data, and thereafter sharing that data without the user’s consent. For example, Oracle and Salesforce are currently facing a class action in both the UK and Dutch courts for collecting data via cookies, without user consent, for advertising purposes. Similarly to the TikTok case, the High Court proceedings in this case have also been stayed pending the decision of the Supreme Court in the Google case.
• Substantial cybersecurity incidents will typically result in the compromise of personal data relating to thousands or even millions of individuals. By way of example, British Airways was fined £20,000,000 by the Information Commissioner’s Office for a data breach that took place in 2018 and affected more than 400,000 customers which had their log-in, payment card and travel booking details stolen.
• Harvesting personal data without user knowledge or consent. Readers will no doubt have across news that Facebook is facing a representative action for allowing third-party app to harvest the data of the app user’s ‘friends’ without their connections’ knowledge or consent.

What remedies can be claimed for data protection infringement?

The EU GDPR ceased to apply under UK law as of 31 December 2020. The position from the standpoint of the UK GDPR is that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”, where material damage includes financial losses and non-material damage includes distress. However, damages may also be claimed in other circumstances, for example in Lloyd v Google LLC, where the Court of Appeal concluded that damages were, in principle, capable of being awarded for loss of control of data, even in a situation where there is no financial loss or distress suffered by an individual.

Before issuing a UK GDPR compensation claim, it is also worth remembering that referring a possible infringement to the Information Commissioner’s Office (ICO) can be a useful recourse. Whilst the ICO cannot award compensation, it does have the power to impose significant fines on organisations in breach of their data protection duties. Where the ICO finds evidence of a breach having occurred, this finding may be used to support a compensation claim in the courts. Under the GDPR, the ICO may issue substantial fines, up to €20m or 4% of an organisation’s global annual turnover (whichever is the higher).

Any individuals wishing to pursue a group action in respect of data breaches or generally should note that under the Civil Procedure Rules, the court can direct that where more than one individual has the same interest in a claim, then that claim may be begun or continued by one or more of those individuals as representatives of any other individual who has that interest. Claimants should note that there are a number of hurdles to be overcome before being able to pursue a group action, including finding a law firm that is able to secure litigation funding for the group action and that is willing to represent the action collectively on a conditional fee arrangement basis.

For further information on this topic, or if you are looking to bring a group action as a result of a data protection breach you have suffered, please feel free to contact David Greene or any member of our Class Action Litigation team.

Our Intellectual Property team has previously written about data breaches – these updates are available below:

British Airways fined 20 million for data breaches

Employer liability for employee data breach

The long arm of data privacy – maximum fines for Facebook Ireland and Facebook US

The BA data hack – a summer breach holiday

 

If you aren’t receiving our legal updates directly to your mailbox, please sign up now