South Korea’s national data protection watchdog has fined Meta the equivalent of more than $15 million after finding that the social media giant had been collecting and sharing sensitive data about users of its Facebook platform.
The data includes religious views, political preferences, and sexual orientation, with users who identify as homosexual or transgender included in a breach that saw data being sold to advertisers.
Meta – which also owns Instagram and WhatsApp – is not unfamiliar with complaints about the way it handles user data, having been subject to fines in different parts of the world for data breaches. Indeed, it fell foul of South Korean authorities to the tune of $72 million for privacy violations in 2022.
980,000 Facebook Users Affected
South Korea’s Personal Information Protection Commission (PIPC) announced that it had imposed a fine and penalty of KRW 21.62 billion (roughly $15.68 million) on Meta for violations of the country’s Personal Information Protection Act.
The English translation of the announcement says that Meta had collected sensitive user information “such as religious and political views and same-sex marital status,” with around 980,000 Korean Facebook users affected.
The data in question – which specifically focused on behavioral information such as the Facebook pages users had “liked” and the ads they had clicked on – was then provided to an estimated 4,000 advertisers.
This, the PIPC says, was “analyzed to create and operate advertising topics related to sensitive information (specific religions, homosexuality, transgenders, North Korean defectors, etc.).”
Facebook Falls Short on Safety Measures
The PIPC said that these actions amounted to a direct breach of the Personal Information Protection Act, which stipulates that:
“Information on thoughts, beliefs, political views, sexual life, etc. is sensitive information that must be strictly protected.”
In addition to the primary breach, the PIPC also criticized Facebook for failing to take safety measures such as deleting or blocking websites that are out of service or unmanaged, and for not removing the unused account recovery page.
This, it says, enabled hackers to submit fake IDs for those pages and subsequently request password resets to obtain access. With Meta having approved these requests “without sufficient verification of the fake IDs,” the personal information of 10 Facebook users was leaked.
Facebook Fails, Instagram Insecurities
In addition to the fine, the PIPC also passed a corrective order requiring Meta to “establish a legal basis for the processing of sensitive information, take measures to ensure safety, and faithfully respond to users’ requests to view their personal information.”
This week’s sanctions are far from the first time that Facebook’s owner has been subject to financial and injunctive relief. Just last month, it was hit with a lawsuit accusing Instagram of stoking social media addiction.
Last year, Norway’s Data Protection Authority fined Meta $100,000 a day over privacy breaches, and Facebook was implicated in one of the most famous data breaches of all: the Cambridge Analytica scandal that impacted political campaigns on both sides of the Atlantic in 2016.