Ofcom Opens Formal Investigation Into TikTok's Online Safety Act Compliance
The UK's communications regulator Ofcom has launched a formal investigation into TikTok, one of the world's most widely used social media and digital content platforms, to determine whether it has failed to meet obligations set out under the Online Safety Act. The TikTok Online Safety Act investigation specifically targets TikTok Information Technologies UK Limited — the British incorporation of the platform operated by Chinese technology firm ByteDance — and marks a significant escalation in the UK's enforcement of its landmark internet safety legislation.
For developers, privacy professionals, and IT decision-makers who track platform regulation and compliance risk, this investigation signals that the Online Safety Act is moving firmly into active enforcement territory. The Act, which received Royal Assent and came into force after years of parliamentary debate, places broad duties on platforms to proactively identify, assess, and mitigate risks of harm to users — with particular emphasis on protecting children from harmful content. Ofcom, empowered as the Act's lead regulator, can issue substantial fines and, in the most serious cases, seek court orders to block non-compliant services entirely.

What the Online Safety Act Actually Requires of Platforms Like TikTok
The Online Safety Act imposes a tiered set of obligations on platforms operating in the UK, depending on their size and the nature of the content they host. For large platforms with significant UK user bases — a category TikTok undeniably falls into — the requirements are extensive. These include conducting and publishing risk assessments covering illegal content and content harmful to children, implementing robust age verification or age assurance mechanisms, enforcing terms of service consistently, and providing clear and accessible reporting and complaints mechanisms for users.
The Act also requires platforms to act against a defined list of priority illegal content — including child sexual abuse material, terrorism-related content, and content facilitating fraud — without waiting for user reports. Critically, the regime is not reactive; platforms must build systems capable of proactively suppressing harm rather than simply responding to it after the fact. According to Ofcom's published guidance on platform duties, failure to implement adequate systems and processes — even in the absence of a specific harmful incident — can constitute a breach. This systems-based approach mirrors frameworks familiar to information security professionals: it is about demonstrable control architecture, not just outcomes.
The regulatory architecture is broadly analogous to what GDPR introduced for data protection — a shift from voluntary self-regulation to mandatory accountability, with regulators empowered to audit, investigate, and fine. Privacy professionals and compliance officers will recognise the structural similarities: documented risk assessments, accountability frameworks, and the burden of proof falling on the platform to demonstrate compliance rather than on the regulator to prove breach.
TikTok's Long History of Regulatory Scrutiny in Europe and Beyond
This Ofcom investigation does not emerge in a vacuum. TikTok and its parent company ByteDance have faced sustained regulatory pressure across multiple jurisdictions, making this investigation part of a broader pattern rather than an isolated incident. In the European Union, the Irish Data Protection Commission — acting as TikTok's lead GDPR supervisory authority given its European headquarters are in Dublin — has conducted multiple investigations into the platform. A landmark DPC decision resulted in a €345 million fine against TikTok for violations related to children's data privacy, including failures in default privacy settings for minor accounts and inadequate parental consent mechanisms, as reported by the Irish Examiner and confirmed by the DPC's own published records.
In the United States, TikTok has faced Congressional scrutiny and executive action over national security concerns related to its Chinese ownership structure, with debates centring on potential access to American user data by the Chinese government. The platform has invested heavily in infrastructure localisation — its "Project Texas" initiative aimed at routing US user data through Oracle servers — in an attempt to satisfy regulators. The UK Ofcom investigation will inevitably raise similar questions about data flows, governance structures, and the degree to which TikTok UK operates with genuine independence from its Beijing-linked parent, as privacy researchers at organisations like the Electronic Frontier Foundation have long scrutinised.
TikTok has also previously faced Ofcom scrutiny in the UK, and the Information Commissioner's Office issued the platform a £12.7 million fine for misusing children's data — including processing data of children under 13 without appropriate parental consent. This established enforcement precedent matters: Ofcom's latest investigation arrives in a regulatory environment where TikTok's compliance track record is already under the microscope.
"Platforms of TikTok's scale have a legal and ethical responsibility to build safety into their systems architecture, not bolt it on as an afterthought. Regulators across Europe are increasingly treating compliance failures not as oversights, but as structural choices."
— Senior digital policy analyst, UK tech regulatory advisory sectorWhat This Investigation Means for Platform Compliance and Privacy Teams
For compliance officers, developers, and IT decision-makers working within or alongside platforms subject to the Online Safety Act, the Ofcom-TikTok investigation carries several concrete implications worth tracking closely.
First, it demonstrates that Ofcom is prepared to investigate category-leading platforms with substantial legal and lobbying resources — this is not an enforcement strategy targeting only smaller or less sophisticated actors. The regulator's willingness to formally investigate TikTok should be read as a signal that no platform can rely on size, market position, or prior engagement with regulators as a substitute for documented compliance. As the Guardian has reported on the broader Online Safety Act rollout, Ofcom has been building its enforcement capacity and is expected to escalate investigations across multiple platform categories in the coming period.
Second, the investigation underscores the importance of audit-ready documentation. Under the Online Safety Act's accountability model, platforms need to be able to produce evidence of their risk assessments, their systems for identifying harmful content, their age assurance implementations, and their internal governance processes. This is an area where the discipline of information security — with its emphasis on documented controls, access logs, and demonstrable process — directly maps onto regulatory compliance requirements.

Third, for small business owners and entrepreneurs who build on top of TikTok infrastructure — whether through advertising integrations, creator commerce tools, or API-dependent applications — regulatory instability around the platform creates business continuity risk. Any enforcement action significant enough to impact TikTok's UK operations could affect the ecosystem of third-party developers and businesses that depend on it. Diversification of platform dependency is a risk management posture that this investigation makes more, not less, relevant.
| Jurisdiction | Regulator | Action Taken | Key Issue |
|---|---|---|---|
| European Union | Irish DPC | €345M GDPR fine | Children's data privacy, default settings |
| United Kingdom | ICO | £12.7M fine | Processing children's data without consent |
| United Kingdom | Ofcom | Formal investigation launched | Online Safety Act compliance duties |
| United States | Congress / Executive | Divestiture legislation passed | National security, data sovereignty |
| European Union | European Commission | DSA investigation opened | Algorithmic transparency, minor protection |
Digital Sovereignty, Platform Accountability, and the Bigger Regulatory Picture
The Ofcom TikTok investigation sits within a broader geopolitical and policy context that privacy professionals and policy specialists will find significant. The UK's Online Safety Act represents one national approach to platform regulation; the EU's Digital Services Act (DSA) represents another. Both frameworks share a common philosophy — that large platforms must actively govern the content and behaviours they enable, not merely host them — but they differ in scope, enforcement mechanism, and the degree to which they address data sovereignty concerns.
TikTok's position as a platform owned by a Chinese-domiciled parent company adds a dimension that purely domestic platforms do not face. Questions about where user data is stored, who can access it under Chinese law — particularly under provisions like the National Intelligence Law — and how governance decisions made in Beijing may influence UK operations are not hypothetical. They are the kinds of questions that Ofcom's investigation may surface, even if the formal focus remains on content safety obligations rather than national security. As Wired has documented in its coverage of TikTok's data governance challenges, the structural separation between TikTok and ByteDance is contested territory, with regulators and security researchers reaching different conclusions about how meaningful that separation actually is.
For advocates of data sovereignty and European-aligned digital infrastructure, this investigation reinforces a familiar argument: that dependence on platforms whose ownership, data practices, and algorithmic operations are not subject to transparent, enforceable democratic oversight carries systemic risk. The Online Safety Act, whatever its limitations and implementation challenges, is an assertion of jurisdictional authority over digital spaces — a claim that what happens on platforms serving UK users is subject to UK law, regardless of where the corporate entity ultimately sits.