Staff Reporters
Nov 7, 2024

South Korea fines Meta $15 million over data breach

Meta faces the multi-million dollar penalty for funnelling sensitive user data to advertisers, as South Korea tightens its privacy laws.

South Korea fines Meta $15 million over data breach

South Korea’s Personal Information Protection Commission (PIPC) has imposed a fine of 21.6232 billion won (approximately USD $15.67 million) on Meta Platforms, Facebook's parent company, citing major breaches of the country’s Personal Information Protection Act (PIPA).

The ruling underscores a global trend toward stricter enforcement of data privacy, emphasising the regulatory responsibilities tech giants face when handling sensitive user information across borders.

In a statement shared on their website, the PIPC investigation said it found that Meta collected highly sensitive information from about 980,000 South Korean users, including details on political and religious beliefs, as well as same-sex marital status. According to the PIPC’s official statement, Meta shared this data with around 4,000 advertisers, who used it for targeted advertising based on topics like religious affiliations, gender identities, and affiliations with groups such as North Korean defectors.

The commission highlighted that South Korean law restricts the use of such sensitive information without explicit consent, a standard Meta did not meet. Although Meta had broad mentions of data collection in its policies, the PIPC found this insufficient, noting that the data was collected and processed without specific user authorisation. In response to the investigation, Meta halted sensitive data collection from profiles in August 2021 and removed related advertising topics in March 2022.

Additionally, Meta denied users’ requests to view their personal data, including information on data retention and details of third-party access. The PIPC clarified that under South Korean law, users have the right to access personal information collected about them, including details of retention periods and third-party access. The commission deemed Meta’s refusal unjustified and non-compliant with South Korean data access rights.

Furthermore, Meta’s security practices were called into question when a data leak affecting 10 users was traced back to an unmonitored account recovery page. Hackers exploited this inactive page to submit fake identification and gain unauthorised access, leading to a data breach. The PIPC criticised Meta for failing to properly secure outdated platform sections, underscoring the platform's lapses in basic security measures.

In addition to the fine, the PIPC issued a corrective order requiring Meta to establish a legal basis for processing sensitive information, improve its security infrastructure, and respond promptly to user data requests. PIPC Chairman Koh Hak-soo emphasised that this ruling sets an important precedent for international tech companies to adhere to local data protection standards. The commission will continue monitoring Meta’s compliance to ensure alignment with South Korean law.

This ruling aligns with regulatory actions across the globe. In Europe, Meta received a record €1.2 billion ($1.2 billion) fine in 2023 for unlawfully transferring European user data to the US, breaching the General Data Protection Regulation (GDPR). Other tech giants face similar scrutiny. The European Union has warned that X (formerly Twitter) could face heavy fines for alleged violations of the Digital Services Act (DSA). Regulators are even considering basing fines for X on revenues from owner Elon Musk’s other ventures, such as SpaceX and Neuralink. X’s relationship with EU regulators has worsened after Musk withdrew from the EU’s Code of Practice on disinformation, spotlighting the platform’s approach to data management.

Meanwhile, Google is still facing an antitrust trial outcome in the US examining its control over digital advertising and potential anti-competitive practices. In Asia, markets like China are enforcing stringent data privacy requirements on companies such as Didi and Alibaba, who have faced government-imposed restrictions and penalties for improper handling of personal data.

Source:
Campaign Asia

Related Articles

Just Published

2 hours ago

Agency of the Year 2024 SEA winners: Indonesia, ...

Check out the complete winners list from Campaign's inaugural event in Jakarta, featuring several Southeast Asian regional awards, along with entrants across seven SEA markets.

6 hours ago

Big night for Leo Burnett across multiple Southeast ...

Publicis Groupe stole the spotlight at Campaign’s inaugural Southeast Asia Agency of the Year Awards gala in Jakarta, with Leo Burnett leading the charge across creative and digital in multiple markets.

6 hours ago

McCann, Famous Innovations lead the charge at South ...

Also imparting a memorable mark: FCB Kinnect, Havas Media India, OMD, and White Rivers Media with their impressive wins showcasing gold, glory, and game-changing creativity.

11 hours ago

Can retail media compensate for weaknesses in ...

Following reports on declines in performance media earnings, Campaign explores what strategies marketers can employ to navigate this changing landscape—including the promise of retail media.