Korea’s privacy regulator has ordered Meta to pay 21.6 billion won (€14.4 million) for processing sensitive user data without a valid legal basis.
Shutterstock.com/SergeiElagin
The Personal Information Protection Commission (PIPC) said today that Meta unlawfully collected sensitive information of about 980,000 Facebook users, including data about their political views, religious beliefs and sexual orientation. The big tech company then allegedly shared the information with approximately 4,000 advertisers.
The PIPC said Meta analysed behavioural information, such as the pages users liked and the ads they clicked on, to implement targeted advertising themes based on sensitive data.
The country’s data protection legislation provides strict protection to information on data subjects’ ideas, beliefs, political opinions and sexual life; its processing is restricted to exceptional cases such as when user consent is obtained, the regulator noted.
The watchdog added that the company only “vaguely stated” such use in its data policy, and did not obtain separate consent for the processing.
According to the PIPC, Meta further failed to implement appropriate security measures such as blocking inactive and unused pages. Hackers were able to exploit the unused accounts by submitting fake IDs and requesting password resets, the regulator said, adding that Meta approved the requests without sufficient verification, resulting in a breach of 10 Korean users’ personal information.
The regular further cited a violation related to a data subject’s request for access to personal information.
In addition to the fine, the privacy regulator ordered Meta to establish a legal basis for its processing of sensitive data and take measures to ensure the security of information on its platform. Meta adopted voluntary measures throughout the investigation such as destroying advertising themes that contained sensitive information, the watchdog said.
Korea’s privacy regulator had previously fined Meta for its use of personal user data for targeted advertising. It issued a record 100 billion won (€71.9 million) combined fine against Google and Meta for tracking users’ behaviour without their consent in September 2022.
Meta did not respond to a request for comment.