South Korea’s Personal Information Protection Commission fined Meta Platforms, Facebook’s parent corporation, 21.62 billion won ($15.67 million).
The penalty was imposed after an inquiry revealed that Meta gathered sensitive user data without legal authorization and shared it with advertisers.
The commission discovered that Meta obtained personal information, such as religious views, political viewpoints, and sexual orientation, from around 980,000 South Korean Facebook users without their knowledge.
These sensitive data points were then leveraged by around 4,000 advertisers to target users more effectively.
According to the commission’s statement on Tuesday, Meta analyzed users’ Facebook behaviour, such as pages they liked and ads they clicked, to develop advertising themes based on their sensitive information.
The profiling included labelling users as North Korean defectors, members of specific religious groups, or individuals identifying as transgender or gay.
Additionally, the commission highlighted Meta’s refusal to honour users’ requests for access to their personal data and its failure to prevent a data breach that exposed information of about 10 South Korean users to hackers. Meta Korea has declined to comment on the ruling.
Global data privacy concerns
The case in South Korea is not an isolated incident, as global scrutiny over tech giants’ data privacy violations continues to intensify.
In a separate but related matter, the Irish Data Protection Commission (DPC) recently fined LinkedIn €310 million.
The professional networking platform was found guilty of breaching the General Data Protection Regulation (GDPR) by handling user data for behavioural analysis and targeted advertising.
The French Data Protection Authority initiated an investigation into LinkedIn’s practices, which highlighted issues related to the lawfulness, fairness, and transparency of the company’s data processing activities.
The DPC’s ruling, finalized on October 22, 2024, resulted in a hefty fine and mandated LinkedIn align its data processing operations with GDPR standards.
