On November 5, 2024, South Korea's Personal Information Protection Commission (PIPC) fined Meta Platforms (referred to as "Meta") 21.6232 billion KRW for collecting and processing sensitive personal information without a legal basis, unjustifiably refusing users' requests to access their personal information, and causing a personal information leak. The PIPC also ordered Meta to implement corrective measures.
1. Enforcement Analysis
1.1 Collection and Processing of Sensitive Personal Information Without a Legal Basis
According to Article 23, Paragraph 1 of South Korea's Personal Information Protection Act (referred to as the "Act"), "sensitive personal information" includes data that could seriously infringe on the privacy of data subjects, such as information on beliefs, union membership, political opinions, health, or sexual behavior. Data processors are prohibited from processing sensitive personal information unless they (1) separately obtain the data subject's consent, or (2) have legal permission to process sensitive data. Article 23, Paragraph 2 of the Act further requires data processors to adopt the security measures necessary to protect sensitive personal data when handling it.
Meta collected sensitive information from approximately 980,000 Korean users through their Facebook profiles, including religious information, political views, and stances on same-sex marriage, and provided this information to around 4,000 advertisers. Specifically, Meta generated and managed ad themes related to sensitive information (e.g., particular religions, homosexuality, transgender identities) by analyzing user interactions on Facebook, such as page likes and ad clicks. However, Meta only vaguely referenced these practices in its privacy policy, did not separately obtain user consent, and took no protective measures.
1.2 Unjustified Refusal of User Requests to Access Personal Information
Article 35 of the Act grants data subjects the right to access their personal information. Article 41 of the Personal Information Protection Act Enforcement Decree (referred to as the "Enforcement Decree") further specifies the types of information data subjects may access, including (1) the types and contents of personal information, (2) purposes for collecting and using personal information, (3) periods of retention and usage, (4) circumstances of providing personal information to third parties, and (5) details of consent given for personal information processing. According to Article 35, Paragraph 4 of the Act, data processors may limit or refuse access only if they notify the user of the reason and the request falls under one of the following three scenarios: (1) access is restricted by law, (2) access could harm another person's life or body, or improperly infringe another person's property or interests, or (3) granting access would seriously hinder the work of a public agency.
Meta denied users' requests to access personal information on matters such as retention periods, personal information provided through Facebook logins, grounds for collecting activity data outside Facebook, and details of user consent. Meta argued that this information was outside the scope defined by the Act. However, the requested information falls under items (3), (4), and (5) of Article 41 of the Enforcement Decree. Therefore, Meta's refusal was unjustified.
1.3 Personal Information Leak
Article 29 of the Act mandates that data processors adopt the technical, administrative, and physical measures necessary to ensure data security. Meta was supposed to delete or block inactive or deactivated pages but failed to remove the account-restoration page for deactivated accounts. Hackers exploited this page to submit forged identification documents and request password resets for other people's accounts, and Meta approved these requests without sufficiently verifying the documents, leading to the leak of personal information belonging to 10 Korean users.
As a result, the PIPC decided to fine Meta 21.6232 billion KRW and ordered Meta to establish a legal basis for processing sensitive information, ensure data security, and respond adequately to user requests for personal information access. Going forward, the PIPC will continue monitoring Meta's compliance with the corrective orders.
2. Compliance Insights
Meta's experience serves as a warning for businesses operating internationally regarding data compliance.
Firstly, companies should be cautious when collecting and processing sensitive personal information. They must understand the definitions and legal bases for handling sensitive data in each country and process it according to local compliance requirements.
Secondly, companies should establish comprehensive data protection measures, including data encryption, access management, security monitoring, and regular vulnerability assessments. Data security management should cover all aspects, including deleting or blocking deactivated pages.
Lastly, companies must protect users' rights as data subjects by establishing easy-to-use access and response mechanisms. Companies should promptly respond to user inquiries about personal information processing and provide a complete reply within a reasonable time, to avoid accusations of infringing user rights through delays or refusals.