Facebook paper logo lies with wooden judge gavel showing privacy violation of user consent

South Korean Regulator Fines Facebook for Privacy Violations; Social Media Giant Shared Personal Data Without User Consent

South Korea’s information protection regulator has fined Facebook the equivalent of $6.1 million for privacy violations, concluding an investigation that began in 2018. The regulator says that Facebook shared the personal information of 3.3 million residents of the country with third parties without collecting proper user consent and in violation of laws protecting personal information, with the breach window running from May 2012 to June 2018.

Six-year Facebook privacy violation shared user contact information, work and relationship status

The fine of ₩6.7 billion was issued by South Korea’s Personal Information Protection Commission (PIPC). The Korea Communications Commission had initiated the investigation in 2018, handing it off to the PIPC to conclude this year.

The agencies determined that Facebook shared names, addresses, dates of birth, work experience, hometowns and relationship statuses of South Koreans without collecting user consent; the information was shared automatically while users were logged into their accounts. The PIPC believes that this information may have been shared with as many as 10,000 companies without user consent or knowledge.

The personal information was provided to certain third-party apps in the background when run concurrently with logged-in Facebook accounts. While these apps were required to notify users that this information would be collected, they did not properly notify that the app would also collect the contact information of the user’s friends as well. The user’s friends were never notified of this data collection, which was in violation of the country’s user consent requirements. The information was used to create profiles for the purposes of delivering targeted ads, and Facebook was paid by the third parties for providing it.

A Seoul-based Facebook spokeswoman issued the following statement: “We have been cooperating as much as possible throughout the investigation process, we regret that the Personal Information Protection Commission has sought a criminal investigation.”

The PIPC said that Facebook had indeed cooperated with the privacy violation investigation, and the social media giant is now reviewing its conclusions before issuing any further statements. However, this may cause more trouble for the company in Ireland. The PIPC referred the case to Ireland’s data protection authority for a potential criminal investigation.

Facebook’s user consent issues

The involuntary tracking of the contact information of Facebook friends echoes the infamous Cambridge Analytica scandal, in which the platform allowed friend information to be scooped up by users of the “This Is Your Digital Life” app. It’s estimated that only about 27,000 people ever installed the app, but its ability to jump through friend networks gathering contact information led to a privacy violation that involved over 87 million people. That issue ultimately saw Mark Zuckerberg hauled before the US Congress and a fine of $5 billion in the US as well as smaller fines in other countries.

The amount of information accessed in this current privacy violation does not seem to be quite as expansive, mostly consisting of user profile information that is generally unavailable to the outside world but is made visible to users approved as friends. Aside from general contact information, the most intrusive elements are the relationship status and information about where the data subject works.

The 2019 Cambridge Analytica fines were Facebook’s biggest single consequence in terms of privacy violations and user consent issues, but the company now has a long string of issues of this nature behind it. These date back over 10 years at this point, with a 2009 investigation into the platform’s handling of information marked “private” leading to a 2011 settlement with the FTC that required it to implement a consent decree. 2013 saw a similar incident of friend information sharing without user consent, as a bug that affected six million accounts saw address books shared via friend networks. The company has also had repeated incidents with scraping of its pages and abuse of its search tool in recent years, and it has been questioned about its relationships with other tech giants (such as Apple and Microsoft) in terms of information sharing of users of their devices.

Facebook has also had multiple struggles with the provisions of the GDPR and privacy violations since it went into effect in 2018. In addition to the fine for the Cambridge Analytica incident, Facebook has received two fines from the Italian data authorities for its misleading user consent policies. Ireland’s data regulator is still weighing its first major cross-border decision against the company, with its probes into several potential types of privacy violation bogged down by a massive caseload and the unexpected onset of the coronavirus pandemic. Facebook is also facing a new challenge from the Schrems II decision, which has effectively prohibited it from transferring the personal data of EU residents overseas to the United States. It is unclear if the information provided by the South Korean regulators or the country’s decision will contribute to the ongoing probes of Facebook in Europe.