In the latter part of September, it was reported that Tik Tok may be facing a fine of up to $29 million for breaching data protection law in the period of May and July 2018. The alleged breach relates to the processing of data of children under the age of 13 without appropriate consent from parents and failing to provide proper privacy notices in a way that is concise, transparent and easily understood.
The Information Commissioner’s Office (“ICO”) has thus far issued a notice of intent. A notice of intent is issued before a penalty and serves to notify an organisation that the ICO intends to hand down a penalty. The organisation or person will be allowed at least 21 calendar days to make representations.
This is not the first time that the social media platform has been fined. In 2019, Musical.ly, the operators of the platform now known as TikTok, agreed to pay a fine of $5.7 million to settle federal charges that it had violated the federal children’s online privacy law in the United States. Tik Tok may also be facing a class action lawsuit after a 12-year-old girl instituted a damages claim for breaking EU and UK data protection laws.
What is evident is that international authorities are taking a strict approach to the personal information of children and child safety, this is particularly so because children are vulnerable members of society.
Considering the local context, how does South Africa protect the personal information of children?
In terms of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), organisations are prohibited from processing the personal information of children unless certain circumstances apply. A child is defined as a natural person under the age of 18.
In terms of POPIA, personal information of a child may only be processed if:
- it is carried out with the prior consent of a parent or guardian;
- it is necessary for the establishment, exercise or defence of a right or obligation in law;
- it is necessary to comply with an obligation of international public law;
- for historical, statistical or research purposes to the extent that:
- the purpose serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent,
and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
- personal information has deliberately been made public by the child with the consent of the parent or guardian.
Notably, POPIA is stricter than the GDPR because of the higher age limit which is 18 whereas the GDPR allows processing of children’s personal information if a child is at least 16 years old. The GDPR also makes scope for lowering the age to 13 years old.
This means that social media platforms offering services in South Africa may only process the personal information of children if they have obtained parental consent. Although not an explicit requirement in terms of POPIA and unlike the GDPR, there is no requirement for the responsible party to make efforts to verify that consent is given by the parent/guardian. However, since children are vulnerable members of society, it is good business practice that organisations ensure that it takes reasonable measures to verify parental consent.
Since POPIA is new, we have yet to see to any action from the Information Regulator concerning the personal information of children. Ultimately, we hope that the Information Regulator adopts a strict approach, especially since the personal information of children requires extra protection.
Contact us for more good, clear, precise advice.