A string of major fines from South Korea’s data protection regulator continues with a new ₩21.6 billion (about $15 million) penalty to Meta for Facebook data collection taking place since 2018.
The fine continues a trend of active pursuit and substantial penalties in recent years. South Korea’s present data protection law, the Personal Information Protection Act (PIPA), has been on the books since 2011. However, amendments in 2020 and 2023 aimed at achieving parity with Europe’s GDPR gave it much sharper teeth and have led to Meta, Google and others experiencing a new wave of fines.
Data collection fine tackles gathering of sensitive information without consent
The Meta fine comes as the result of a four-year investigation into Facebook’s data collection practices between 2018 and 2022. Meta was found to have collected user information about sexual orientation, political views and religion among other items, doing so without express user awareness or consent. This data was shared with about 4,000 of the company’s advertising partners during this time.
The sensitive data was collected indirectly by observing ads that users clicked on or content that they interacted with (such as clicks of the “Like” button). The terms of PIPA require that users provide express consent for information classified as sensitive to be collected in this way, which the company’s consent mechanism and privacy policy fell short of. The documentation of this data collection was described as “vague,” and between that and failure to collect consent it is reasonable to assume the average Facebook user was not aware that they were being profiled for third-party advertisers in this way.
About 980,000 South Korean Facebook users are impacted. In addition to turning sensitive personal data categories over to advertisers, Facebook was apparently flagging interactions with items that would be of interest to North Korean refugees and providing those to its partners.
Meta’s South Korean office has thus far only said that it plans to review the data collection fine.
Meta also taken to task for security failings
PIPA has quickly become known as having some of the world’s most stringent privacy terms with its most recent updates, backed by the enshrinement of data privacy as a human right in the country’s constitution. The courts have also ruled separately that control of one’s personal information is an inalienable right beyond the terms of the constitution.
The 2020 amendment established the Personal Information Protection Commission (PIPC) as the country’s data watchdog, and the 2023 addition both strengthened data subject rights and toughened up the consent requirements for all data controllers. Those latter amendments entered into force in mid-September of last year. PIPA consent requirements are now considered on par with those of the GDPR, though the act’s maximum fine totals are considerably smaller.
Meta has been weathering fines in the country since the first round of PIPA amendments was introduced. It has already been hit with a set of penalties totaling ₩100 billion ($72 million) in 2022, also pertaining to data collection for advertising purposes and failure to collect proper consent. In 2020 it was additionally fined ₩6.7 billion ($4.8 million) for transferring personal data to advertisers without consent.
The PIPC’s current action is not limited to data collection. It also cited a security failure in which hackers were able to gain access to inactive pages, taking them over from the legitimate owners. The agency said that Meta approved these requests without proper verification and that it was insufficient in its efforts to remove or block inactive pages. These breaches impacted at least 10 Facebook users in the country. Credentials to log into these pages are often obtained from data breaches or some other source, and once the attackers have access they use them to attempt to phish other Facebook users.
The PIPC has also previously taken on Google over similar concerns, issuing fines of ₩69.2 billion (about $50 million) in 2022. Google was also penalized for its consent practice and for “dark patterns” that prompted users to agree to terms while hiding other available options. That fine still stands as the largest single PIPC penalty. The PIPA terms cap out at the equivalent of 2.2 million per incident or 3% of global annual turnover.
The South Korean government is also in the midst of updating its antitrust law with a focus on tech companies, something that sent shockwaves through the big tech world when it was announced earlier this year. The act that was initially proposed in early 2024 was similar to the EU Digital Markets Act in labeling tech companies of a certain size as “gatekeepers” who would face harsher new antitrust terms. However, that effort receded into the background during a contentious midyear election period and appears to have been shelved as of September; the government is now focusing on amending its existing antitrust law with a collection of similar terms.