This article was originally published in The Times, November 2023.
Irish data regulators recently hit TikTok with a €345 million fine in the latest enforcement action by European watchdogs on technology giants for breaches of the EU General Data Protection Regulations.
The sanctions levied on TikTok were the result of a lengthy inquiry by the Irish Data Protection Commission over alleged violations of children’s data privacy. The regulator found that the design of TikTok’s age verification procedures, transparency information for children and privacy settings infringed the rules.
The fine is one of the largest for a data breach issued this year, putting businesses on notice that inadequate or ineffective data privacy processes will not be tolerated. Moreover, there will be severe ramifications for non-compliance with the rules where vulnerable users such as children are affected.
The Irish High Court has since granted TikTok permission to appeal against the IDPC’s decision to issue the fine.
It is not just financial penalties arising from data privacy infringements that businesses need to worry about; the associated litigation risk, including group or class actions, is a growing concern.
The English High Court continues to be tested on its approach to class actions in the data privacy sphere although recent decisions indicate that it remains guarded when it comes to considering whether these actions should proceed. This is mostly the result of claimants and their funders showing a preference to use the “representative actions procedure” to bring data privacy class actions.
Until recently, this procedure was rarely used owing to the strict requirement that each member of the claimant class must demonstrate that it has the “same interest” in the claim — a requirement that has proved contentious in the context of data privacy actions where each claimant seeks compensation for loss of control of personal data, which ultimately requires an individual assessment of loss.
It is not only the UK that is grappling with this. There remains a diverse approach to data privacy litigation across the EU, with some countries taking a more claimant-focused approach, which the European Court of Justice has sought to realign. There is real concern that these decisions could encourage an EU-wide wave of data privacy litigation.
This litigation risk will be exacerbated by the recent implementation of the EU Representative Actions Directive, which facilitates cross-border class actions across the EU, in conjunction with a growing, and at present unregulated, third-party litigation funding market.
These developments sit against a backdrop of a wider crackdown by the EU on the activities of the large technology companies. It has never been more crucial for tech giants - and smaller operations - to keep their data activities in check.