South Korea Hits Meta with Major Privacy Fine
In a major step to uphold privacy rights, South Korea’s data privacy agency, the Personal Information Protection Commission (PIPC), has fined Meta Platforms Inc., the parent company of Facebook, 21.62 billion won, equivalent to approximately $15.67 million. The hefty fine comes after investigations found that Meta collected sensitive personal information of South Korean Facebook users and shared it with advertisers without securing explicit user consent.
Meta’s Alleged Unauthorized Data Collection and Sharing
The PIPC has accused Meta of improperly gathering private data from an estimated 980,000 Facebook users across South Korea. According to the commission, this data included deeply personal information, such as individuals’ religious beliefs, political views, and details of marital status, particularly for same-gender couples. The PIPC’s findings revealed that Meta distributed this sensitive information to around 4,000 advertisers, potentially exposing users to targeted ads based on their intimate personal details without their knowledge or permission.
The commission explained that Meta’s data collection extended beyond simple demographics and behaviors. Meta reportedly analyzed user activity on the platform, tracking actions such as which pages users liked and which ads they engaged with. This behavioral data was then used to build highly personalized advertising categories based on sensitive characteristics. For instance, users were categorized based on religious affiliations, LGBT+ identity, political perspectives, and, in some cases, whether they were defectors from North Korea.
Security Loopholes: Inadequate Protection for Inactive Accounts
Beyond data sharing concerns, the PIPC also identified serious gaps in Meta’s security measures. One particular issue was a lack of sufficient safeguards for inactive accounts. Due to weak protections, these dormant accounts became easy targets for bad actors, who were able to request password resets by submitting false identification information. Because Meta reportedly did not thoroughly verify these requests, it inadvertently allowed unauthorized access to the personal data of 10 South Korean users.
This breach exposed the vulnerability of Meta’s account protection protocols, particularly for users who had not accessed their accounts in some time. It raises broader questions about the security standards of tech companies and their commitment to user safety, especially for accounts that are not actively monitored by users.
Ongoing Oversight by South Korean Authorities
The PIPC has indicated that it will continue to monitor Meta’s activities closely, ensuring that the company fully complies with South Korean privacy laws going forward. According to the agency, this fine represents only one step in a broader effort to hold global companies accountable when they fail to protect user information. The commission has expressed its commitment to applying the same data protection standards to any foreign company providing services in South Korea, emphasizing the importance of enforcing user privacy without exceptions.
In response, Meta issued a statement acknowledging the PIPC’s ruling and affirming that it will “carefully review” the decision. However, Meta has yet to publicly commit to any specific changes in its data-handling or security policies following the incident.
Broader Implications for Global Data Privacy Practices
The South Korean fine against Meta is part of a growing trend worldwide, where governments are holding large tech companies accountable for how they collect, share, and protect user data. This case highlights the importance of transparent data practices and robust security measures, especially as more users entrust social media platforms with sensitive information. Increasingly, users and governments alike are demanding greater accountability and compliance with privacy standards that prioritize user control over personal data.
For Meta, this case serves as a reminder of the consequences of neglecting user consent and security. With South Korea promising continued oversight and international scrutiny rising, this fine may only be the beginning of tighter regulations on how big tech companies handle sensitive data, regardless of where their users reside.