Notice / Press Release

Title: PIPC Sanctions against Meta for Collection and Use of Sensitive Data without Lawful Basis of Processing
Date: 2024.11.07
Attachment: press release PIPC Sanctions against Meta for Collection and Use of Sensitive Data without Lawful Basis of Processing.pdf
Page URL: https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2698

Press Release 

PIPC Sanctions against Meta for Collection and Use of Sensitive Data without Lawful Basis of Processing 

- Additional administrative sanctions were also imposed for rejecting access requests without legitimate reasons and for failing to put safeguards in place

November 5, 2024 

(This is an unofficial translation of a press release, originally prepared in Korean.)

On November 4, 2024, the Personal Information Protection Commission (“PIPC”) held its 18th plenary meeting and resolved to impose a penalty surcharge and administrative fine of KRW 21.6232 billion, together with correction orders, on Meta Platforms, Inc. (hereinafter “Meta”) for its failure to comply with the Personal Information Protection Act (“PIPA”).

The PIPC launched an investigation after finding that Meta had been collecting and using sensitive data without obtaining users’ consent. During the investigation, the PIPC also received civil complaints that the company had rejected requests to access personal information without legitimate reasons, as well as a report of data breaches caused by hackers, and opened investigations into these cases as well.

1. Collection and Use of Sensitive Data without Lawful Basis of Processing

The investigation showed that Meta collected sensitive data, including religious and political views and beliefs and same-sex marital status, from about 980,000 domestic users. The company then provided this data to advertisers, and around 4,000 advertisers made use of it. Put simply, Meta analyzed users’ behavioral data on Facebook, such as the pages on which they clicked ‘Like’ and the ads they clicked, to create and operate advertising topics associated with sensitive data collected from the users (specific religious affiliations, homosexuality, and whether a user is transgender or a North Korean defector).

The PIPA stipulates that the processing of sensitive data, including data revealing ideology, political opinions or religious beliefs and data concerning a person’s sex life, is prohibited in principle. Processing of such data is permitted only on a lawful basis, such as obtaining separate consent from the data subject under the PIPA.

However, Meta neither obtained such consent nor put additional safeguards in place for the collection and use of sensitive data to run its tailored services, and its data policy described this practice only in a non-explicit manner. During the investigation, the company took self-regulatory action, stopping the collection of sensitive data from users’ profiles in August 2021 and destroying the advertising topics associated with such sensitive data in March 2022.

2. Rejecting Access to Personal Data without Legitimate Rationale 

Meta rejected users’ requests to access their personal data, including the period for processing personal data, the status of personal data provided through Facebook’s log-in feature, the lawful basis for processing, and the consent status for collecting users’ activities outside Facebook, citing that the requests did not fall within the scope of the PIPA.

However, the Enforcement Decree of the PIPA sets out that personal data processors shall provide access to the period for retaining and using personal information, the status of personal information provided to third parties, and the fact that the data subject has given consent to the processing of his or her personal information and the content of that consent. In this regard, the PIPC found that Meta’s refusal to grant access to personal information had no legitimate rationale under Korea’s privacy law.

3. Personal Data Breaches

Meta should have taken safeguards to delete or block websites no longer in service, but it failed to remove their account recovery pages. Hackers took advantage of this loophole by submitting fake IDs on the account recovery page to request password resets for other users’ accounts, and Meta approved the requests without sufficient authentication procedures to check whether the IDs were counterfeit. As a result, the personal data of 10 domestic users was breached.

4. Administrative Sanctions

As a result of the investigation, the PIPC decided to levy a penalty surcharge and administrative fine on Meta for non-compliance with the PIPA, including its provisions restricting the processing of sensitive data, and for the other failures described above. The data protection authority also issued correction orders requiring Meta to establish a lawful basis for processing sensitive data and to take remedial action to put safeguards in place. In addition, the company is required to enable access to personal information upon request from its users.

The sanctions are significant in that they affirm that foreign business operators providing services across the globe must adhere to the duties for processing sensitive data stipulated in the PIPA and must uphold the rights of data subjects, such as the right to access their personal information.

Going forward, the PIPC will monitor whether Meta complies with the correction orders and will spare no effort to protect the data privacy of the public through fair and impartial enforcement of the law against global businesses offering services to domestic users.

* A PDF file, formatted for better readability, is attached.
