South Korea fines Meta $15 million for illegally collecting sensitive data from Facebook users

South Korea’s privacy watchdog, the Personal Information Protection Commission (PIPC), has fined Meta 21.6 billion won (approximately $15 million) for illegally collecting and sharing sensitive personal information from Facebook users, Associated Press reported. This marks the latest in a series of penalties against the social media giant as South Korean authorities intensify scrutiny of how it handles user data.

The fine stems from a four-year investigation that concluded Meta unlawfully gathered sensitive information about around 9,80,000 Facebook users between July 2018 and March 2022. As per the reports, the data included highly personal details such as users' political views, religious beliefs and sexual orientation, as well as whether they were in same-sex unions. The company then shared this information with around 4,000 advertisers.

South Korea’s strict privacy law protects personal information related to beliefs, political views and sexual behavior, prohibiting companies from processing or using such data without obtaining explicit consent from the individuals involved. The commission found that Meta collected this sensitive information through its tracking of user activity, including liked pages and clicked advertisements. The company categorized ads to target users based on themes such as religion, LGBTQ+ issues and North Korean escapees.

Reportedly, PIPC Director Lee Eun Jung, who led the investigation, criticized Meta for not obtaining specific consent from users to collect and use their sensitive data. “While Meta collected this sensitive information and used it for individualized services, they made only vague mentions of this use in their data policy,” Lee said.

The investigation also highlighted a security lapse on Meta’s part. The commission found that Meta failed to take basic security measures, such as removing inactive user pages, which made Facebook users vulnerable to identity theft and password reset fraud. Hackers were able to exploit inactive accounts to gain access to other users’ accounts, leading to data breaches affecting at least 10 South Korean users.

This fine adds to a series of legal challenges Meta has faced in South Korea over its handling of personal data. In 2022, the PIPC fined Meta and Google a combined 100 billion won ($72 million) for tracking consumer behavior across the web without proper consent, marking the largest privacy-related penalties ever imposed in South Korea.

Prior to this, Meta was fined 6.7 billion won ($4.8 million) in 2020 for sharing users' personal information with third parties without consent.

Meta has stated that it will “carefully review” the commission’s decision but did not offer additional comment at this time.

This latest penalty follows significant fines imposed on Meta by European regulators as well. In September, European authorities fined the company more than $100 million over a 2019 security incident where user passwords were briefly exposed in an unencrypted form.

As global regulators continue to focus on data privacy, this fine underscores the growing challenges Meta faces in complying with increasingly stringent data protection laws around the world.