South Korea’s Personal Information Protection Commission (PIPC) has imposed a fine of 21.6232 billion won (approximately USD $15.67 million) on Meta Platforms, Facebook's parent company, citing major breaches of the country’s Personal Information Protection Act (PIPA).
The ruling underscores a global trend toward stricter enforcement of data privacy, emphasising the regulatory responsibilities tech giants face when handling sensitive user information across borders.
In a statement shared on its website, the PIPC said its investigation found that Meta collected highly sensitive information from about 980,000 South Korean users, including details on political and religious beliefs, as well as same-sex marital status. According to the PIPC’s official statement, Meta shared this data with around 4,000 advertisers, who used it for targeted advertising based on topics like religious affiliations, gender identities, and affiliations with groups such as North Korean defectors.
The commission highlighted that South Korean law restricts the use of such sensitive information without explicit consent, a standard Meta did not meet. Although Meta had broad mentions of data collection in its policies, the PIPC found this insufficient, noting that the data was collected and processed without specific user authorisation. In response to the investigation, Meta halted sensitive data collection from profiles in August 2021 and removed related advertising topics in March 2022.
Additionally, Meta denied users’ requests to view their personal data, including information on data retention and details of third-party access. The PIPC clarified that under South Korean law, users have the right to access personal information collected about them, including details of retention periods and third-party access. The commission deemed Meta’s refusal unjustified and non-compliant with South Korean data access rights.
Furthermore, Meta’s security practices were called into question when a data leak affecting 10 users was traced back to an unmonitored account recovery page. Hackers exploited this inactive page to submit fake identification and gain unauthorised access, leading to a data breach. The PIPC criticised Meta for failing to properly secure outdated platform sections, underscoring the platform's lapses in basic security measures.
In addition to the fine, the PIPC issued a corrective order requiring Meta to establish a legal basis for processing sensitive information, improve its security infrastructure, and respond promptly to user data requests. PIPC Chairman Koh Hak-soo emphasised that this ruling sets an important precedent for international tech companies to adhere to local data protection standards. The commission will continue monitoring Meta’s compliance to ensure alignment with South Korean law.
This ruling aligns with regulatory actions across the globe. In Europe, Meta received a record €1.2 billion ($1.2 billion) fine in 2023 for unlawfully transferring European user data to the US, breaching the General Data Protection Regulation (GDPR). Other tech giants face similar scrutiny. The European Union has warned that X (formerly Twitter) could face heavy fines for alleged violations of the Digital Services Act (DSA). Regulators are even considering basing fines for X on revenues from owner Elon Musk’s other ventures, such as SpaceX and Neuralink. X’s relationship with EU regulators has worsened after Musk withdrew from the EU’s Code of Practice on disinformation, spotlighting the platform’s approach to data management.
Meanwhile, Google is still awaiting the outcome of an antitrust trial in the US examining its control over digital advertising and potential anti-competitive practices. In Asia, markets like China are enforcing stringent data privacy requirements on companies such as Didi and Alibaba, which have faced government-imposed restrictions and penalties for improper handling of personal data.