South Korea’s Personal Information Protection Commission (PIPC) has sanctioned Meta Platforms, Inc. with a fine of KRW 21.6 billion (approximately $15 million USD) for collecting and using sensitive personal information without a legal basis. During its 18th plenary session on November 4, the PIPC ruled that Meta, which owns Facebook, violated the nation’s Personal Information Protection Act by collecting and using data on users’ religious beliefs, political views, and same-sex marital status without proper consent. The sanctions include a corrective order, requiring Meta to take immediate steps to ensure compliance.
The investigation revealed that Meta collected sensitive data from about 980,000 South Korean Facebook users and provided it to approximately 4,000 advertisers. The company analyzed users’ behavior, including the pages they liked and ads they clicked on, to create targeted advertising topics related to sensitive information, such as religion, sexual orientation, and even North Korean defector status.
Under the South Korean Personal Information Protection Act, certain categories of personal information—such as political views, religious beliefs, and sexual orientation—are classified as sensitive and subject to strict protection. Processing this information is only permitted when there is a clear legal basis, such as explicit user consent. Meta, however, failed to obtain specific consent from users for these activities, instead providing only general information about data collection in its Data Policy.
Meta had begun making voluntary adjustments during the investigation, ceasing the collection of sensitive data in August 2021 and deleting sensitive advertising topics in March 2022. However, these steps did not prevent the imposition of fines and corrective measures by the PIPC.
Additionally, the PIPC found that Meta had refused to fulfill users’ requests to view certain personal data, including the retention period of their information and details of consent history for activities beyond Facebook. The commission cited Article 41 of the Protection Act’s Enforcement Decree, which mandates that users have the right to inspect such information. Meta’s refusal to allow access was deemed unjustifiable, further violating South Korean data protection laws.
Another issue raised in the investigation was a security oversight that allowed hackers to access users’ accounts. The unused account recovery page on Facebook remained vulnerable to manipulation, allowing hackers to submit fake IDs and request password resets for other users’ accounts. Meta failed to prevent these breaches, resulting in the unauthorized access of ten South Korean Facebook accounts.
The PIPC’s ruling carries significant implications for global companies operating in South Korea. PIPC Chair Koh Hak-soo emphasized the importance of multinational corporations adhering to local data protection standards, stating that global services operating within South Korea must comply with national data laws, especially regarding the handling of sensitive information and ensuring user rights to access their personal data.
The commission has issued a corrective order to Meta, demanding it establish a legal basis for processing sensitive information, implement safety measures to protect personal data, and respond appropriately to user requests regarding personal information access. Moving forward, the PIPC pledged to continue monitoring Meta’s compliance with these corrective measures and to apply stringent data protection laws to global companies serving South Korean users.