South Korea’s Personal Information Protection Commission (PIPC) has slapped Meta, the parent company of Facebook, Instagram, and WhatsApp, with a fine of 21.62 billion won ($15.67 million) for unlawfully collecting and sharing sensitive personal data. The investigation, spanning four years, uncovered Meta’s misuse of personal data without users’ consent, impacting privacy standards across the tech industry.
Data Misuse and Security Flaws Revealed
According to the PIPC, Meta had been tracking what users liked on Facebook and which ads they clicked on. This allowed the company to build profiles based on sensitive information and target specific ads. Nearly one million South Korean Facebook users were affected, with data shared with around 4,000 advertisers. Meta’s privacy policy did not make clear to users how this data would be used, a lack of clarity that South Korean law prohibits.
“While Meta collected this sensitive information and used it for individualized services, they made only vague mentions of this use in their data policy and did not obtain specific consent,” said Lee Eun Jung, a director at the PIPC.
The commission further disclosed that Meta categorized users into specific themes, targeting individuals interested in North Korean defector issues, specific religions, and LGBTQ+ topics.
Alongside the privacy violations, Meta’s inadequate security protocols also led to a data breach affecting at least ten users. Hackers exploited weaknesses in Meta’s account recovery system, using fake IDs to reset passwords on inactive accounts and gain access, putting user data at further risk.
A statement from Meta’s South Korean office said they would “carefully review” the decision but did not comment further.
Global Pressure Mounts on Meta
This fine reflects a growing emphasis on holding tech companies accountable for privacy issues. South Korea’s privacy laws have become stricter, protecting users as concerns grow about how big tech companies use personal data. In 2022, South Korea’s PIPC fined Google and Meta 100 billion won ($72 million) for tracking users’ online activity without consent and using their data for targeted ads.
Meta’s data privacy practices have come under fire globally. The company has faced similar fines in other countries, such as a €91 million fine in Ireland for storing passwords in plain text. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” Meta reported.
The PIPC has ordered Meta to establish a clear legal process for handling sensitive data and improve its security measures to comply with South Korean privacy laws. This decision sends a clear signal that regulatory bodies will continue to hold tech companies accountable, particularly for how they handle and protect users’ data.