South Korea’s data protection agency, the Personal Information Protection Commission (PIPC), has imposed a fine of 21.6 billion won (approximately $15 million) on Meta for the illegal collection of sensitive personal information from nearly one million Facebook users. This action is part of a broader trend, as Meta has faced repeated fines for privacy violations both in South Korea and across Europe.
The PIPC’s investigation, spanning four years, revealed that between July 2018 and March 2022, Meta unlawfully gathered and utilized sensitive data from about 980,000 Facebook users in South Korea. The information collected included users’ political opinions, religious beliefs, and sexual orientation, which Meta subsequently shared with around 4,000 advertisers without obtaining explicit consent from the users.
The commission noted that Meta collected sensitive personal data by analyzing the pages users “liked” or the advertisements they engaged with. This data was then used to categorize audiences according to specific topics, such as religion and LGBT issues, thereby allowing Meta to enhance its targeted advertising services. However, this practice was not transparently communicated in the company’s data policy, nor was consent explicitly sought from users.
Ms. Lee Eun Jung, the director of the PIPC overseeing the investigation, highlighted that Meta had inadequately implemented essential security measures to safeguard user data. She pointed out that the company did not effectively delete or disable inactive pages, which created vulnerabilities that hackers could exploit to impersonate users and initiate password resets for other accounts. This negligence has resulted in data breaches affecting at least ten Facebook users in South Korea.
Before this fine, Meta faced a penalty exceeding $100 million from European regulators for disclosing user passwords in an unencrypted format in 2019. In 2022, South Korea also fined Meta and Google a combined total of 100 billion won (around $72 million) for tracking user behavior to serve advertisements without explicit user consent. This was the largest fine ever imposed in South Korea for violations of information security laws. In response, the PIPC mandated that technology companies enhance clarity and comprehensibility in their consent processes, enabling users to have more control over the sharing of their personal information when accessing various websites and services.
In 2020, Meta was also fined 6.7 billion won (approximately $4.8 million) in South Korea for sharing users’ personal information with third parties without their consent. A representative from Meta stated that the company would “carefully consider” the PIPC’s decision but did not elaborate.