SEOUL, South Korea — On Tuesday, the South Korean privacy enforcement agency imposed a fine of 21.6 billion won (approximately $15 million) on social media giant Meta for the unlawful collection of sensitive personal data from Facebook users. This data included information concerning users’ political affiliations and sexual orientations, which was then distributed to thousands of advertisers.
This penalty marks the latest development in a series of enforcement actions taken against Meta as South Korean authorities intensify their investigations into how the company, which operates Instagram and WhatsApp, manages user privacy.
After a lengthy, four-year examination, the Personal Information Protection Commission of South Korea determined that Meta had inappropriately gathered sensitive data from around 980,000 Facebook users between July 2018 and March 2022. This included details about their religions, political perspectives, and information on same-sex partnerships. The gathered data was reportedly shared with approximately 4,000 advertisers.
Under South Korean privacy legislation, stringent safeguards are in place to protect information associated with personal belief systems, political views, and sexual conduct. The law explicitly prohibits companies from processing or utilizing such data without obtaining the explicit consent of the individuals concerned.
The commission uncovered that Meta compiled this sensitive information by scrutinizing the pages that Facebook users liked and the advertisements they interacted with. The company categorized advertisements to find users interested in particular subjects, including different religious affiliations, issues surrounding the LGBTQ+ community, and matters related to North Korean defectors, as explained by Lee Eun Jung, a director at the commission who led the inquiry into Meta.
According to Lee, “While Meta collected this sensitive information and leveraged it for tailored services, they only vaguely referenced this practice in their data policy and did not secure explicit consent from users.”
Lee also noted that Meta compromised the privacy of Facebook users by neglecting to carry out essential security protocols, such as eliminating or restricting access to inactive accounts. This oversight allowed hackers to exploit these dormant accounts to impersonate users and request password resets for other Facebook accounts. Meta approved these reset requests without adequate verification measures, leading to data breaches affecting at least ten South Korean Facebook users, as reported by Lee.
In September, European regulators penalized Meta with fines exceeding $100 million following a 2019 incident where user passwords were temporarily exposed in an unencrypted format.
A representative from Meta’s South Korean division stated that they would “carefully review” the commission’s ruling, although further comments were not provided at that time.
In 2022, the commission levied a record 100 billion won (around $72 million) fine against both Google and Meta for tracking user behavior across the internet without obtaining their consent. This ruling represented the most significant penalties ever issued in South Korea for breaches of privacy laws.
At that time, the commission criticized the two companies for failing to adequately inform users or get their permission to gather data while they navigated other websites or services apart from their own platforms. The agency mandated that these companies establish a simpler and clearer consent process to allow users greater control over sharing details about their online activities.
Additionally, Meta faced a fine of 6.7 billion won (approximately $4.8 million) in 2020 for disclosing users’ personal information to third parties without their consent.
