South Korea Fines Meta $15 Million for Illegal Data Collection on Facebook Users
In a landmark ruling on Tuesday, South Korea’s privacy watchdog imposed a hefty fine of 21.6 billion won (approximately $15 million) on Meta, the parent company of Facebook, Instagram, and WhatsApp, for unlawfully collecting sensitive personal data from Facebook users. This fine stems from the company’s illegal gathering of data, including details about users’ political views, sexual orientation, and religion, and subsequently sharing this data with thousands of advertisers.
This marks the latest in a series of increasing penalties against Meta by South Korean authorities, highlighting the nation’s growing scrutiny of how global tech giants handle user data. The investigation, which spanned over four years, involved an in-depth review of Meta’s data collection practices from 2018 to 2022, with findings that have sparked a fierce debate over privacy rights in the digital age.
The Illegal Data Collection and Sharing Scandal
According to the South Korean Personal Information Protection Commission (PIPC), Meta illegally gathered sensitive information from approximately 980,000 Facebook users. The data included sensitive personal beliefs such as political views, religious affiliations, sexual orientation, and other details about users’ personal lives. The company then shared this data with about 4,000 advertisers who used it for targeted advertising campaigns.
The violation came at a time when global concerns over user privacy and the security of personal information have intensified. South Korea’s privacy laws, which are some of the strictest in the world, explicitly prohibit the processing or use of sensitive data such as religious beliefs, political views, and sexual orientation without the specific, informed consent of the individuals involved.
The commission noted that Meta did not obtain explicit consent for the use of such data but instead relied on analyzing users’ activity on Facebook, such as the pages they liked or the advertisements they interacted with. Through this analysis, Meta was able to categorize users based on various sensitive topics, such as support for certain political parties, issues related to sexual orientation, and even causes like North Korean defector rights.
“While Meta collected this sensitive information and used it for individualized services, they made only vague mentions of this use in their data policy and did not obtain specific consent,” said Lee Eun Jung, a director at the PIPC who led the investigation.
The watchdog’s report stressed that the company’s handling of such sensitive data violated both the letter and spirit of South Korea’s privacy protection laws, which emphasize transparency and explicit user consent for data collection, particularly when it concerns sensitive topics.
The Privacy Breach and Inadequate Security Measures
In addition to collecting and misusing sensitive information, the PIPC’s investigation uncovered significant security lapses at Meta, which led to data breaches that affected several Facebook users in South Korea. Meta failed to remove inactive pages or block them properly, which left Facebook accounts vulnerable to hacking.
Hackers exploited these inactive pages, using them to forge identities and request password resets for other users’ accounts. Meta approved these requests without adequately verifying the legitimacy of the requests, which ultimately led to data breaches involving at least 10 South Korean Facebook users.
This security breach has raised alarm bells about Meta’s ability to safeguard user data. The PIPC highlighted that Meta’s failure to implement basic security protocols, like removing or blocking dormant accounts, put the privacy of Facebook users at serious risk. The tech giant's inability to protect its users from such breaches is likely to result in even greater scrutiny from regulators globally, especially as concerns over cyberattacks and data vulnerabilities increase.
Global Privacy Violations: A Pattern of Penalties
This fine comes at a time when Meta is already facing a series of global privacy-related penalties. In September, European regulators imposed over $100 million in fines on Meta for a 2019 security lapse, in which user passwords were exposed in an unencrypted form. This was part of a larger trend of growing accountability for Meta, as regulators across the world scrutinize its data practices.
Back in 2022, South Korea imposed a combined 100 billion won ($72 million) fine on Meta and Google for tracking consumers’ online behavior across different websites and services without user consent. Both companies were accused of violating South Korea’s privacy laws by not clearly informing users or obtaining their consent for the collection of data across third-party sites. As a result of this ruling, Meta and Google were ordered to adopt more transparent data collection practices, including providing an “easy and clear” consent process for users to control the data they share.
In 2020, Meta was slapped with another fine in South Korea, this time amounting to 6.7 billion won ($4.8 million), for sharing user information with third parties without obtaining explicit consent. This further established a pattern of Meta being penalized for its data practices, indicating that the company’s efforts to comply with privacy laws globally have been far from sufficient.
Meta Responds
In response to the latest fine, Meta’s South Korean office acknowledged the ruling but refrained from providing a detailed comment, stating that it would “carefully review” the commission’s decision. The company’s reluctance to respond directly to the specifics of the ruling could indicate its ongoing struggles to navigate the complex web of global data privacy regulations.
Meta has yet to clarify whether it intends to appeal the fine, but it is likely that the company will face continued scrutiny and additional penalties in other jurisdictions as concerns over its data practices persist. The global conversation about data privacy has reached a fever pitch, and companies like Meta are under increasing pressure to demonstrate a clear commitment to user privacy and security.
Related: Meta's Stellar Earnings Report: Strong Revenue Boost Overshadowed by User Growth Concerns
Why This Matters for Users and Advertisers
The PIPC’s ruling is an important reminder of the growing importance of privacy protections in an era of digital advertising and data-driven business models. As social media platforms like Facebook, Instagram, and WhatsApp continue to be integral to daily life, the risks associated with unauthorized data collection and improper handling of personal information become more pronounced.
For users, this fine serves as a wake-up call to be more cautious about the information they share online and to ensure that they fully understand the privacy policies of the platforms they use. With regulatory authorities tightening the reins on tech giants, it is crucial for individuals to stay informed about how their data is being collected and used, particularly on platforms that rely on targeted advertising.
For advertisers, the ruling underscores the risks associated with relying on third-party platforms for user data. As Meta and other companies face increasing scrutiny, advertisers may find it more challenging to navigate the evolving landscape of digital advertising while ensuring compliance with local privacy laws.
The Future of Digital Privacy: A Wake-Up Call for Big Tech
The fine against Meta in South Korea is part of a larger trend of increasing regulatory scrutiny on tech giants’ handling of user data. As governments around the world strengthen their data protection laws and hold companies accountable for their actions, the digital advertising landscape may undergo significant changes. Meta’s legal battles are likely to continue as privacy regulations become more stringent, and other tech companies may soon find themselves facing similar challenges.
In light of this, Meta and other global tech giants must adapt quickly to the evolving privacy landscape by taking stronger measures to protect user data and ensuring that their practices align with local regulations. For consumers, the outcome of this case serves as an important reminder that their personal information is valuable and must be handled responsibly by the companies that collect it.
As South Korea and other countries continue to tighten their data protection laws, the future of digital privacy will likely depend on the willingness of tech companies to prioritize transparency, user consent, and security.