Joshua Fagbemi
South Korea has imposed a fine of $15.67 million (21.62 billion won) on Facebook’s parent company, Meta, following unauthorized collection of users’ sensitive information. The Asian country’s watchdog, Seoul Data Protection Agency, claimed that Meta gave the data to advertisers without a legal basis.
According to the Personal Information Protection Commission, Meta gathered information from more than 980,000 South Korean Facebook users while failing to seek their consent. Data relating to religion, political views, and sexuality were gathered from users’ profiles.
The agency also affirmed that the tech giant provided the information to about 4,000 advertisers.
“Specifically, it has been found that (Meta) analysed user behaviour data such as pages they liked and advertisements they clicked on Facebook and created and managed advertising themes related to sensitive information,” the agency said.
“This included users being categorized for example as being North Korean defectors, following a certain religion, or identifying as a transgender or gay person,” the agency added.
The watchdog also pointed out that the decision to fine Meta for its actions will set a model for other foreign operators within the country. This is to ensure adequate compliance with regulations concerning the processing of sensitive information.
“The decision is significant in that they ensure that foreign operators providing global services must comply with the obligations outlined in (South Korea’s) Protection Act regarding the processing of sensitive information,” it said.
Meta was also accused of unfairly declining a request by users to access personal information while failing to prevent data on about 10 South Koreans from being leaked by hackers.
It added that it “also ordered the company to establish legal grounds for processing sensitive information, implement safety measures, and respond diligently to users’ requests for access to their data”.
The South Korean Personal Information Protection Act (PIPA)
The Personal Information Protection Act (PIPA) governs the collection, use, and processing of personal data across the board, covering every type of use, in every sector, and extends to offshore processing of Korean individuals’ data. Personal data is broadly defined to include any data about a living person from which the person is identifiable (directly, or, without difficulty, by combination with other data).
Important adjuncts to the PIPA include the Enforcement Decree, or prime implementing regulation, of the statute, and further rules and standards promulgated by the regulator pursuant to the PIPA, along with further published guidance. The PIPA resembles the GDPR, roughly, in overall structure and reach, but differs in important respects.
Beyond integrating parts of the Network Act and the National Credit Information Act, a notable feature of the PIPA is the vesting of all data protection matters in the Personal Information Protection Commission (PIPC).
The PIPC reports directly to the Prime Minister and is the independent supervisory authority responsible for making data privacy investigations and recommendations while administering and enforcing the PIPA within South Korea.
The PIPA’s extraterritorial reach comes into focus in a variety of situations. Some salient examples would be: (a) leakage of Korean individuals’ data by an overseas business can trigger reporting in Korea; (b) offshore-based services meeting any of certain criteria (such as KRW 1 trillion, around USD 750 million, worldwide sales) must appoint a local representative for compliance oversight purposes; and (c) the regulator continually monitors and investigates data privacy practices of offshore-based services, and is empowered to, and does, impose significant fines for violations.
Facebook and Meta trail of data breaches
In 2010 the Wall Street Journal found that many of Facebook’s top-rated apps were transmitting identifying information to “dozens of advertising and Internet tracking companies” like RapLeaf. The apps used an HTTP referrer that exposed users’ and sometimes their friends’ identities.
The Guardian reported in April 2019 that Facebook admitted to unintentionally uploading the address books of 1.5 million users without their consent. Facebook had access to a vast amount of personal data and admitted there were flaws in its password usage. In April 2021, the media organization also found that details from more than 500 million Facebook users had been found available on a website for hackers.
In November 2022, the Irish Data Protection Commission (DPC) fined Meta $277 million for a massive data breach that impacted around 500 million users. The incident involved data scraped from Facebook being posted on a hacker forum in 2019.
In May 2023, the DPC fined Meta (Facebook’s parent company) $1.3 billion — the largest GDPR fine ever — for transferring user personal data to the US and violating GDPR regulations. The European Data Protection Board required Meta to halt future data transfers to the US.
In October 2023, a threat actor named “algoatson” allegedly stole the database from a contractor responsible for managing Facebook’s cloud services. However, the database was only made public in February 2024, leaking 200,000 user records from Facebook Marketplace. This Facebook data leak exposed users’ personal information, including phone numbers and email addresses, on a hacker forum.
According to a March 2024 report by Tech.co, a Facebook data breach took place in late February, exposing millions of two-factor authentication (2FA) codes used by Facebook, Google, and other platforms. A vulnerability in the systems of YX International, a company that routes text messages, allegedly caused the breach. This incident allowed unauthorized access to 2FA codes and password recovery details.
The post Facebook parent body, Meta fined $15.6m in South Korea for breaching user privacy first appeared on Technext.