[Asia Economy Reporter Eunmo Koo] Overseas online platform operators who violated personal information protection regulations by generating and using facial recognition information capable of identifying individuals without user consent have been subjected to corrective measures, including fines totaling approximately 6.6 billion KRW.
The Personal Information Protection Commission (PIPC) held its 14th plenary session on the 25th and announced that it imposed total fines of 6.66 billion KRW and penalties of 29 million KRW on three operators?Facebook, Netflix, and Google?and resolved corrective actions such as orders for correction, improvement recommendations, and public announcements.
This investigation was initiated as a follow-up to a National Assembly audit last year, prompted by the criticism from Assemblyman Min Byung-duk of the Political Affairs Committee regarding issues in the consent methods for personal information collection by overseas operators.
The PIPC, together with the Korea Internet & Security Agency, conducted focused analysis, inspection, and investigation on whether the consent methods of these operators were lawful, based on previous media reports, civil society complaints, and civil petitions. As a result, violations by Facebook, Netflix, and Google were identified, and deficiencies in personal information protection practices were confirmed.
Facebook had the highest number of violations, with six items. From April 2018 to September 2019, for about one year and five months, it generated and collected ‘facial recognition templates’ without user consent, resulting in a fine of 6.44 billion KRW. Additionally, it was fined 26 million KRW for unlawful collection of resident registration numbers, failure to notify changes in personal information controllers, non-disclosure of personal information consignment and overseas transfer details, and failure to submit data. The PIPC issued correction orders regarding the unauthorized collection of facial information and recommended improvements for unclear statutory notifications during additional personal information collection and inadequate personal information processing practices.
Netflix was found to have two legal violations. It was fined 220 million KRW and issued a correction order for collecting personal information without consent before the completion of the service subscription process, and fined 3.2 million KRW for failing to disclose information related to overseas transfer of personal information.
Lastly, Google was not found to have legal violations but was recommended to improve personal information processing practices due to unclear statutory notifications when collecting additional personal information such as payment information, occupation, career, and education, as well as insufficient specific disclosure of personal information items transferred overseas.
The PIPC stated that this investigation into overseas operators’ personal information collection consent methods is not yet complete and that further fact-finding and legal reviews will continue as necessary.
Song Sang-hoon, Director of the Investigation and Coordination Bureau at the PIPC, said, “It is a fundamental principle of personal information protection that operators collect and use personal information only after obtaining explicit consent from users. We hope this action will serve as an opportunity for overseas operators to collect and use personal information in accordance with domestic laws by obtaining user consent and faithfully fulfilling statutory obligations.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
![Clutching a Stolen Dior Bag, Saying "I Hate Being Poor but Real"... The Grotesque Con of a "Human Knockoff" [Slate]](https://cwcontent.asiae.co.kr/asiaresize/183/2026021902243444107_1771435474.jpg)
