South Korea’s Personal Information Protection Commission has fined Meta 21.61 billion won for leaking the personal information about its users without their consent. That’s $15.5 million at today’s conversion rate. Joong Ang Daily reports:
The Personal Information Protection Commission (PIPC) said Meta had collected such information about 980,000 users located in Korea via their Facebook profiles and handed it over to advertisers between July 2018 and March 2022…. The regulator also issued corrective orders mandating that Meta establish a legal basis for processing sensitive information, implement measures to ensure data security and respond diligently to users’ requests for access to their personal information.
Read more at Joong Ang Daily.
A machine translation of the PIPC’s press release follows:
The Personal Information Protection Commission (Chairman Koh Hak-soo, hereinafter referred to as the “Personal Information Commission”) held its 18th plenary session on Monday, November 4, and decided to impose a fine and penalty of KRW 21.6232 billion and a corrective order on Meta Platforms, Inc. (hereinafter referred to as “Meta”) for violating the Personal Information Protection Act (hereinafter referred to as the “Protection Act”).
The Personal Information Protection Commission found that Meta was collecting and using sensitive information without consent and opened an investigation. In the course of that investigation it also received complaints that Meta had refused users’ requests to access their personal information without a justifiable reason, and reports that personal information had been leaked through hacking, and it investigated those matters as well.
Collection and use of sensitive information without legal processing basis
The investigation found that Meta had collected sensitive information, such as religious and political views and same-sex marital status, of approximately 980,000 domestic users through their Facebook profiles, and had provided this information to advertisers; approximately 4,000 advertisers used it. Specifically, behavioral information such as the pages users ‘liked’ on Facebook and the ads they clicked on was analyzed to create and operate advertising topics tied to sensitive information (specific religions, homosexuality, transgender people, North Korean defectors, etc.).
The Personal Information Protection Act designates information on thoughts, beliefs, political views, sexual life, etc. as sensitive information that must be strictly protected, and restricts its processing in principle. Processing is permitted only in exceptional cases where there is a lawful basis, such as separate consent obtained from the data subject.
Meta nevertheless collected such sensitive information and used it for customized services and other purposes, while describing this only vaguely in its Data Policy, without obtaining separate consent and without taking any additional protective measures.
※ During the investigation, Meta took voluntary corrective measures, such as stopping the collection of sensitive information from profiles (August 2021) and destroying the advertising topics corresponding to sensitive information (March 2022).
Refusal to view personal information without justifiable reason
Meta rejected users’ requests to access their personal information (the period for which personal information is processed, the status of personal information provided through Facebook Login, the basis for collecting information on off-Facebook activity and the consent history, etc.) on the grounds that these items are not subject to an access request under the Personal Information Protection Act.
However, the Enforcement Decree of the Protection Act (Article 41, Paragraph 1) lists as subject to access the retention and use period of personal information (item 3), the status of provision to third parties (item 4), and the fact and content of consent to the processing of personal information (item 5). The Personal Information Protection Commission therefore determined that Meta had no justifiable reason to reject the access requests.
Personal information leak
Meta should have taken safety measures such as deleting or blocking web pages that were out of service or unmanaged, but it did not remove an unused account recovery page. As a result, hackers submitted forged identification through that unused account recovery page and requested password resets for other people’s accounts, and Meta approved the resets without sufficiently verifying the forged identification, resulting in the leak of personal information of 10 Korean users.
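The two deficiencies described above, a retired recovery page that still honoured requests and resets approved without verifying the submitted identification, map onto two controls a service can enforce in one place. The following is an added illustration, not code from the PIPC release or from Meta: a minimal recovery gate with a constructed inventory of recovery flows, where retired flows are refused and logged rather than served, and a reset is approved only when a recorded identity check has passed. All paths, field names and sample data are assumptions made for the example.

```python
"""Added illustration (not part of the PIPC release or any Meta code): a minimal
account-recovery gate. It keeps decommissioned recovery flows in the inventory so
requests against them are refused and logged, and approves a password reset only
when an identity-document check has passed. Every name and value is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed inventory of recovery flows. A retired flow stays listed with
# active=False; removing it from the table would make it "unknown" rather than
# "retired", and the distinction is useful when reviewing the audit trail.
RECOVERY_FLOWS: Dict[str, dict] = {
    "/recover/verified-reset": {"active": True, "retired_on": None},
    "/recover/legacy-id-upload": {"active": False, "retired_on": date(2020, 1, 1)},
}


@dataclass
class IdCheck:
    """Outcome of an identity-document review (assumed to come from a vetted process)."""
    document_id: str
    passed: bool
    reviewer: str


@dataclass
class RecoveryRequest:
    path: str
    target_account: str
    id_check: Optional[IdCheck] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_recovery(req: RecoveryRequest, audit: List[str]) -> Decision:
    """Decide whether a password reset may proceed; append one audit line per request."""
    flow = RECOVERY_FLOWS.get(req.path)
    if flow is None:
        audit.append(f"UNKNOWN_FLOW path={req.path} account={req.target_account}")
        return Decision(False, "unknown recovery flow")
    if not flow["active"]:
        # The first failure in the release: a decommissioned page that still serves requests.
        audit.append(
            f"RETIRED_FLOW path={req.path} account={req.target_account} "
            f"retired_on={flow['retired_on']}"
        )
        return Decision(False, "recovery flow retired")
    if req.id_check is None or not req.id_check.passed:
        # The second failure: approving a reset without a verified identity document.
        audit.append(f"ID_NOT_VERIFIED account={req.target_account}")
        return Decision(False, "identity not verified")
    audit.append(
        f"RESET_APPROVED account={req.target_account} "
        f"doc={req.id_check.document_id} reviewer={req.id_check.reviewer}"
    )
    return Decision(True, "verified")


def retired_flow_hits(audit: List[str]) -> int:
    """Detection hook: requests that reached a retired flow are worth alerting on."""
    return sum(1 for line in audit if line.startswith("RETIRED_FLOW"))


if __name__ == "__main__":
    trail: List[str] = []
    sample = [
        RecoveryRequest("/recover/legacy-id-upload", "user-1", IdCheck("doc-1", False, "none")),
        RecoveryRequest("/recover/verified-reset", "user-2"),
        RecoveryRequest("/recover/verified-reset", "user-3", IdCheck("doc-2", True, "ops-desk")),
    ]
    for r in sample:
        print(r.path, r.target_account, evaluate_recovery(r, trail))
    print("retired-flow hits:", retired_flow_hits(trail))
```

Keeping retired flows in the inventory, rather than deleting their routes and forgetting them, is the point: the gate can then distinguish "this page was decommissioned and someone is still calling it" from "this path never existed", and the count of retired-flow hits gives operations a simple signal that an endpoint thought to be dead is still being probed.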
Disposition details
Accordingly, the Personal Information Protection Commission imposed fines and penalties on Meta for violating the provisions of the Protection Act restricting the processing of sensitive information, and issued a corrective order requiring Meta to establish a legal basis for processing sensitive information, take measures to ensure safety, and respond faithfully to users’ requests to access their personal information.
The significance of this investigation and disposition is that it confirms that overseas companies operating global services must comply with the obligations in our protection laws when processing sensitive information, and must fully guarantee the rights of data subjects, including access to their personal information.
Going forward, the Personal Information Protection Commission will continue to monitor whether Meta is complying with its corrective order, and will do its best to protect the personal information of our citizens by applying the protection law without discrimination to global companies that provide services to domestic users.
* Please check the attached file for further details.
– Person in charge: Investigation 1 Team, Myung-Seok Ko (02-2100-3114), Ji-Su Kim (02-2100-3117)