Meta, the U.S. tech giant behind Facebook, faces a hefty fine of $15 million from South Korea's privacy watchdog, the Personal Information Protection Commission (PIPC), after illegally collecting sensitive personal data from nearly a million South Korean Facebook users and sharing it with advertisers. The PIPC said Meta violated South Korean privacy laws by gathering information on users' political views, religious beliefs, and sexual orientation without explicit consent, a violation that prompted concerns about the company's practices.
The fine follows a four-year investigation by the PIPC, which found that Meta collected sensitive data on approximately 980,000 Facebook users in South Korea between July 2018 and March 2022. Meta's ad-targeting algorithms reportedly analyzed user behaviors, such as pages liked and ads clicked, to identify users with specific interests. These profiles, which included preferences around LGBTQ+ themes and North Korean defectors, were then used for customized advertising.
Eun Jung Lee, who led the PIPC investigation, stated, "Meta collected this sensitive information and used it for individualized services," while offering only vague references to these practices in its data policy. Lee added that Meta did not obtain specific consent from users to process this data. As a result, the company exposed users to potential misuse of their personal information.
The PIPC stated that Meta's approach disregarded South Korea's strict data privacy rules, which mandate specific user consent for processing data on personal beliefs, political affiliations, and sexual orientation. Additionally, Meta failed to implement adequate security measures, leading to potential breaches. Hackers reportedly exploited inactive accounts on Facebook to forge identities and request password resets, affecting at least 10 South Korean users. "Meta approved these requests without proper verification," said Lee, underscoring security vulnerabilities in Meta's systems.
The PIPC's actions reflect South Korea's increasingly aggressive stance on digital privacy rights, especially with major U.S. tech companies. Meta's response was measured, with the company saying it would "carefully review the decision document once we receive it." Yet, this latest fine adds to previous penalties Meta has incurred in South Korea. Last year, the PIPC fined Meta and Google a combined $72 million for tracking users' online activity without consent. In 2020, Meta also faced a $4.8 million fine for sharing user data with third parties without proper authorization.
Meta's actions highlight the company's interest in targeted advertising in niche markets. Analysts speculate that its use of LGBTQ+ interest data in South Korea, where same-sex marriage is not recognized and anti-LGBTQ+ sentiment remains strong, points to a rising demand for identification within the LGBTQ+ market. Vladimir Tikhonov, a professor of Korean studies at the University of Oslo, noted that "LGBT partnerships are increasingly common in South Korea" despite societal challenges, and the niche market "grows fast."
The targeting of the LGBTQ+ community has become a significant factor in Meta's business strategy globally, yet it also attracts scrutiny from regulators concerned about privacy and social discrimination. In South Korea, a July court ruling granted same-sex couples legal grounds to access shared health insurance benefits, a decision that advocates believe could lay the foundation for broader recognition of LGBTQ+ rights.
The PIPC has further directed Meta to establish legal grounds for handling sensitive data, implement stronger security measures, and promptly address users' requests for data access. The commission underscored the importance of upholding South Korea's privacy laws for international companies providing digital services within the country. "This decision is significant in that it ensures foreign operators...must comply with the obligations set forth in [South Korea's] Protection Act," said the PIPC.