South Korea has quietly developed one of the more robust sets of data protection regulations in the world, and the country recently brought these terms to bear on three of the biggest online platforms and service providers. Facebook, Google and Netflix are facing fines and actions for privacy violations, with Facebook assessed the second-largest amount in the country’s history for its treatment of facial recognition templates created without user consent.
Privacy violations bring substantial fine for Facebook
The Personal Information Protection Commission (PIPC), South Korea’s national data protection watchdog, has issued the tech giants various fines and corrective actions for privacy violations in the wake of a major privacy audit conducted in 2020.
Facebook faces the harshest penalty for privacy violations, ordered to pay 6.46 billion won (about $5.5 million) for its use of facial recognition templates between April 2018 and September 2019. The company allegedly used the personal images of about 200,000 platform users to create these templates without notifying them or obtaining their consent. There was also a smaller, unrelated fine (26 million won, or about $22,000) for collecting social security numbers when not permitted by law and for a number of lesser violations of the rules on management of personal information.
The company will also be required to destroy the facial information and identity numbers it collected and to disclose to the affected users any transfer of this information to third parties. The primary fine amount is the second largest for privacy violations in South Korea’s history; Facebook already holds the #1 slot with a fine of about $5.7 million in November 2020 for unauthorized transfer of personal data to third parties.
Smaller penalties for Google and Netflix
Netflix and Google faced smaller penalties for their privacy violations. Netflix was assessed about $188,000 for collecting personal information from about five million people without proper consent, and an additional $2,700 for failing to disclose international transfer of that data. Google will not pay any fines, but has been advised to tune up the language used in its legal notices for clarity and to make some changes to the way in which it processes personal data.
The PIPC also issued a statement saying that its investigations into privacy violations will continue, indicating that more fines may be forthcoming. The agency has been on something of a campaign of scrutinizing big tech platforms since 2020, having issued a small fine to Microsoft (over the leak of about 119,000 email addresses) in addition to the prior large fine to Facebook.
South Korea’s PIPA is a fusion of three prior personal information processing statutes, with the terms going into effect in August of last year. Regulators have been quick to make use of this new power, almost immediately ordering a broad range of probes with a focus on big tech platforms. The law is among the world’s strongest: it applies to all organizations that process personal information regardless of size or industry (and to both data processors and controllers), it has provisions for foreign companies that target residents of South Korea with advertising, it defines comprehensive categories of sensitive personal data that receive strong protection, and it imposes strict data minimization principles and consent requirements. Violators are also subject to up to five years of “imprisonment with labor” or fines of up to 50 million won (about $43,248) per count, and as the Facebook and Netflix cases show, there can be multiple counts.
Numerous fines issued for privacy violations
The law provides for either incarceration or a fine for privacy violations, and thus far no executives have been carted off to jail. The PIPC has, however, been very busy issuing fines. But though fines have been frequent, they have also tended to be small. While the cumulative amount of about $12 million Facebook has been ordered to pay is substantial, it is also a drop in the bucket next to the company’s estimated $86 billion in annual revenue. Microsoft was only fined the equivalent of $14,700 for its privacy violations, though in that case only 144 of the leaked email addresses belonged to South Korean citizens (the company was also fined for taking 11 days to publish a notification in Korean, something that is supposed to be done within 24 hours under PIPA).
The early pattern of PIPA fines seems to indicate that company size and revenue are a strong consideration; for example, a small South Korean outfit called Ground X (a subsidiary of internet service provider Kakao) was assessed a fine of only $5,400, specifically for its mismanagement of passwords. Though there has yet to be a criminal conviction for privacy violations under the current iteration of PIPA, the privacy officer of a tour company faced charges under the previous iteration for a 2017 data breach; an eight-month sentence was considered, but ultimately the courts chose to impose a fine of about $8,600 instead. It is generally expected that active fraud would have to be involved for a criminal conviction to be seriously considered.