Publication of the National Assembly Legislative Research Office Report
[Asia Economy Reporter Cha Min-young] Big tech companies that hold a massive share of the global online advertising market are being criticized for secretly collecting users' personal information. Although Google and Meta (formerly Facebook) were hit with fines totaling 100 billion KRW last month for violating South Korea's 'Personal Information Protection Act,' this incident has prompted calls for the government to strengthen user protection and review the process of collecting behavioral information. Overseas, big tech platform companies are also being restricted in their collection of personal data for targeted advertising.
On the 2nd, the National Assembly Research Service pointed out these issues in a report titled "Protection of Behavioral Information in Online Targeted Advertising," citing cases involving Google and Meta.
Earlier, Google and Meta were fined a total of 100 billion KRW by the Personal Information Protection Commission on September 14 for collecting third-party behavioral information without domestic user consent and using it for online targeted advertising, violating the Personal Information Protection Act. According to the commission, Google hid the option to view more by requiring users to click an 'Option More' button and set the default to 'Agree,' while Meta presented its data policy, which spanned 14,600 characters and 694 lines, in a narrow screen showing only five lines at a time, obtaining blanket consent without separately notifying users about the collection and use of third-party behavioral information.
The report states that third-party behavioral information poses a problem because data subjects find it difficult to predict what information about them is being collected. When linked to account information, behavioral data accumulated from all devices accessed by that account can continuously build up, raising concerns about the creation of sensitive information.
Meta recently attempted to update its service to restrict access for users who did not consent to providing personal information but withdrew the plan following strong user backlash. This highlights the risk that the form of consent can be exploited to force users into broad data collection. South Korea's Personal Information Protection Act, under Article 3, Paragraph 1, mandates that personal information be collected minimally within the necessary scope for the intended purpose. Additionally, Article 39, Paragraph 3 prohibits information and communication service providers from refusing service solely because users do not provide personal information beyond what is minimally necessary.
France Made a Similar Ruling to the Korean Commission in 2019
Abroad, governments and legislatures are actively curbing indiscriminate personal data collection and targeted advertising by big tech companies. In France, a similar ruling to the Korean commission's decision was made in 2019. At that time, Google required French users to click 'Option More' to see related content during the consent process for targeted advertising and set 'Agree' as the default. The French government fined Google 50 million euros (approximately 64.2 billion KRW at the time), stating that Google violated the transparency principle of the GDPR (General Data Protection Regulation) by not sufficiently explaining the purpose of data use during the consent procedure.
Germany also banned Facebook in 2019 from collecting and combining user behavioral information across affiliated services like Instagram and third-party websites. Belgium issued a corrective order in February this year, stating that the European Online Advertising Alliance's targeted advertising solutions provide consent notices that are general and ambiguous, making it difficult for users to understand the nature and scope of personal data processing.
As much behavioral information is collected through users' web browser cookies, regulations on cookie usage are also tightening. The EU's so-called 'Cookie Law' classifies cookies by duration, source, and purpose, requiring prior user consent for all cookies except essential ones. The U.S. California Consumer Privacy Act also specifies cookies as a type of unique identifier or unique personal identifier. In France, rejecting cookie use was made a complex procedure distinct from consent, resulting in fines of 150 million euros (approximately 203.2 billion KRW at the time) for Google and 60 million euros (approximately 81.3 billion KRW at the time) for Facebook.
National Assembly Research Service Calls for Strengthening Compliance with the Minimum Collection Principle
The National Assembly Research Service emphasizes the need to strengthen compliance with the 'minimum collection principle' to prevent personal information infringement by big tech companies. There are cases where platform companies completely prohibit service use if users do not consent to behavioral information collection, effectively forcing consent. The report stresses, "The government should verify whether businesses collect only the information essential for performing the core functions of their services and explore ways to minimize collected information by segmenting service and third-party types, thereby enhancing checks on companies' adherence to the minimum collection principle."
The report also calls for reviewing the regulatory framework for behavioral information. South Korea's Korea Communications Commission issued the 'Online Targeted Advertising Personal Information Protection Guidelines' in 2017, outlining compliance requirements for handling behavioral information, but it does not specify types of behavioral information or usage areas and methods. The report explains, "It is necessary to examine the need for protection according to behavioral information types, usage areas, and methods, and establish a regulatory framework for behavioral information through legislation."
Finally, the report suggests restricting the use of behavioral information by big tech platform companies. The EU's 'Digital Markets Act,' scheduled to take effect in 2023, is a representative example. This law, in its final legislative stage, prohibits "using collected personal information for targeted advertising, combining it with personal data collected by other means, or cross-using it with other services." The report notes, "Big tech platform companies collect vast amounts of behavioral information from many users, increasing the risk of personal information infringement," and concludes that "separate regulations on targeted advertising for big tech platform companies are necessary."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
