The Personal Information Protection Commission (PIPC) of South Korea has fined Meta Platforms, Inc. ₩21.63 billion (roughly $16 million USD) for unauthorized collection and use of sensitive data from Korean users without their explicit consent.
In a meeting yesterday, the commission concluded that Meta had violated South Korea's Personal Information Protection Act by mishandling sensitive user information and issued corrective orders alongside the financial penalty.
The investigation revealed that Meta collected sensitive data from approximately 980,000 Korean Facebook users — such as religious beliefs, political views, and LGBTQ+ status — without proper consent and shared this data with about 4,000 advertisers to target ads based on users' online interactions. This included analysis of user behaviors like “likes” and ad clicks to create advertising categories focused on sensitive topics, including specific religious affiliations, LGBTQ+ identities, and political stances.
Under South Korean law, such data is classified as sensitive and requires explicit consent from users before it can be collected or shared, but Meta had only vaguely referenced these practices in its data policy without obtaining clear user consent.
In addition to data misuse, Meta allegedly ignored user requests to access personal data related to their Facebook activity. Despite several users requesting transparency over how their data was used — such as the length of data retention, records of third-party sharing, and login details — Meta denied these requests, stating that these data points were not within the scope of information that must be provided under Korean law. However, the PIPC confirmed that under Article 41 of the Enforcement Decree of the Personal Information Protection Act, Meta was indeed obligated to provide this information.
The investigation also uncovered a security breach tied to Meta's failure to adequately manage unused account recovery features. In one incident, hackers were able to exploit outdated account recovery pages by submitting fake identification to reset user passwords, resulting in the exposure of personal information of ten Korean users.
In response, the PIPC imposed the following measures on Meta:
- A fine of ₩21.63 billion (about $16 million USD) for violations.
- Orders to develop appropriate consent mechanisms for sensitive data collection.
- Requirements to improve data security measures.
- A directive to fully comply with legitimate requests from users seeking access to their personal data.
This action underscores South Korea's commitment to enforcing data protection regulations on global tech companies operating within its borders. PIPC Chairperson Ko Hak-soo highlighted that the commission would continue monitoring Meta's compliance with the imposed measures and take additional steps to ensure that foreign companies respect South Korean data protection standards.