In a significant move against Meta, the parent company of Facebook, Instagram, and WhatsApp, South Korea’s privacy watchdog has imposed a hefty fine of 21.6 billion won, roughly $15 million. The fine was imposed after an investigation found that Meta had been illegally collecting sensitive information from Facebook users, including their political views, religion, and even their sexual orientation. This information was then shared with thousands of advertisers without the users’ specific consent.
This penalty is part of a growing trend of strict actions by South Korean authorities against Meta for mishandling user data. It also highlights the increasing concerns around privacy and how big tech companies are collecting and using personal information.
Meta Collected Sensitive Data Without Consent
The South Korean Personal Information Protection Commission (PIPC) conducted a four-year investigation into Meta’s practices and found that the company had illegally collected personal and sensitive information from Facebook users. From July 2018 to March 2022, the company gathered data from nearly 980,000 users without asking for their explicit permission. This information included highly personal details such as users’ political beliefs, religious preferences, and whether they were in same-sex relationships.
How did Meta collect this information? The company analyzed the pages that users liked and the ads they interacted with on Facebook. For instance, if someone liked posts related to a certain political party or a religious group, Meta could gather data on their political and religious views. Similarly, interactions with ads focused on LGBTQ+ issues could signal a user’s sexual orientation.
The PIPC stressed that South Korea’s privacy laws provide strong protection for personal beliefs and behaviors. According to these laws, companies must get clear and specific consent from users before they can collect or use sensitive information. Meta’s actions went against these rules by failing to ask for the proper permissions from users.
Once the company collected this sensitive data, it shared it with around 4,000 advertisers. This is where the problem deepens. Advertisers use this information to target specific groups of people with tailored ads. For example, someone who is interested in certain political causes or specific religious groups may be shown ads related to those issues. However, Meta failed to notify users that their data was being shared with such a wide group of advertisers.
According to Lee Eun Jung, a director at the PIPC who led the investigation, Meta used the data to provide individualized services and better-targeted ads but made only vague mentions of how it used this sensitive data. This is a clear violation of the law, as users were not asked for specific consent to have their personal information shared in this manner.
In addition, the PIPC found that Meta’s vague policies made it difficult for users to understand what data was being collected or how it was being used. The lack of transparency about data usage is a major concern for privacy advocates and regulators around the world.
Security Failures Led to Data Breaches
Meta’s issues didn’t stop at illegally collecting and sharing data. The PIPC also found that the company’s failure to properly secure Facebook accounts led to data breaches. The investigation revealed that the company failed to take simple security measures, such as deleting or blocking inactive pages. As a result, hackers exploited these inactive accounts to forge identities and request password resets on other Facebook users’ accounts.
In some cases, Meta approved these password reset requests without properly verifying them, leading to data breaches. This breach affected at least 10 Facebook users in South Korea, potentially exposing their private information to hackers.
This failure in security was another reason behind the fine. The PIPC pointed out that Meta’s inability to secure its platform and protect users’ data put individuals’ privacy at serious risk.
Previous Penalties
This isn’t the first time Meta has faced penalties from South Korean authorities. In 2022, the country imposed a combined fine of 100 billion won (about $72 million) on Google and Meta for collecting consumers’ data without consent. The two companies were found to be tracking users’ online activities across websites and using the data for targeted advertising.
Furthermore, in 2020, Meta was fined 6.7 billion won ($4.8 million) for sharing users’ personal information with third parties without their consent. This pattern of fines suggests that Meta’s practices around user privacy have been a continuing concern for regulators in South Korea.
In light of these past violations, the PIPC’s latest penalty reinforces its stance on protecting users’ personal information and ensuring companies follow strict privacy laws. With increasing scrutiny from governments worldwide, it’s clear that companies like Meta will need to rethink how they handle user data.