South Korea Slaps Meta with $15.6 Million Penalty for Privacy Violations Over Sensitive Data Use

Meta Platforms, Inc. is facing a serious financial and regulatory reckoning in South Korea. In a decisive move, the country’s Personal Information Protection Commission (PIPC) has fined Meta $15.6 million for a series of data privacy violations, including unauthorized handling of sensitive personal data, refusal to grant legitimate data access to users, and a failure to implement necessary security safeguards.

The trouble started with complaints from South Korean users, who reported that Meta had been quietly collecting highly sensitive details about them—ranging from religious beliefs and political leanings to sexual orientation. This wasn’t a minor oversight; the PIPC’s investigation revealed that Meta gathered this information from nearly a million South Korean users, only to then share it with around 4,000 advertisers eager to capitalize on these insights.

Meta’s methods for gathering data were subtle and embedded within ordinary interactions on Facebook. Users who clicked certain ads, liked specific pages, or engaged in other routine actions found themselves profiled based on deeply personal traits. But South Korea’s Personal Information Protection Act (PIPA) requires explicit user consent before any company can process such sensitive data—consent that Meta had not sought or obtained.

Blocking Users from Accessing Their Own Data

Beyond the unauthorized data collection, Meta was also found to have stonewalled user attempts to gain insight into how their data was managed. Korean law provides users with the right to know specifics about their personal data, such as how long it’s stored, whether it’s shared with third parties, and the justification for its collection. Meta, however, rejected requests from South Korean users seeking access, claiming these inquiries fell outside the scope of PIPA. The PIPC disagreed, asserting that the law explicitly entitles users to this transparency.

The investigation also uncovered significant security shortcomings, with Meta’s inadequate safeguards leading to data breaches. The PIPC found that Meta failed to deactivate outdated account recovery pages, which hackers exploited by using forged IDs to initiate password resets. Minimal verification protocols enabled unauthorized access to the accounts of ten South Korean users, exposing Meta’s failure to properly secure user data.

To its credit, Meta eventually made some changes. By August 2021, it had stopped collecting sensitive information directly from user profiles, and by March 2022, it dismantled ad categories built around such data. However, these adjustments came only after investigations were underway. The PIPC, taking a firm stance, emphasized that global tech giants like Meta must respect South Korea’s privacy regulations from the outset, not after complaints or legal action.

The PIPC isn’t stopping with the penalty. It has ordered Meta to establish lawful grounds for processing sensitive data, strengthen its security measures, and ensure that users have access to their data upon request. The commission will continue to monitor Meta’s actions closely, determined to uphold South Korea’s rigorous privacy standards and protect citizens from privacy abuses—regardless of a company’s global reach or influence.
