Meta Fined 21.6 Billion Won for Sharing Sensitive Information Like Religion and Sexual Identity with Advertisers

Refusal to Disclose Personal Information Without Reason
Concurrent Sanctions for Violation of Safety Measures Obligation

The Personal Information Protection Commission announced on the 5th that it has decided to impose a fine and penalty of 21.6232 billion KRW on Meta for collecting and using sensitive information such as religion and sexual identity without user consent.



According to the investigation by the Personal Information Protection Commission, Meta collected sensitive information such as the religious views, political views, and same-sex marriage status of approximately 980,000 domestic users through Facebook profiles. It was confirmed that this information was provided to about 4,000 advertisers, who used it.


Specifically, Meta analyzed behavioral information such as pages users 'liked' on Facebook and ads they clicked on to create and operate advertising topics related to sensitive information (specific religions, homosexuality, transgender individuals, North Korean defectors, etc.).


The Personal Information Protection Act strictly protects sensitive information concerning thoughts, beliefs, political opinions, sexual life, etc., and restricts its processing. It can only be processed with lawful grounds, such as obtaining separate consent from the data subject.


However, Meta only vaguely stated this in its data policy while collecting and using sensitive information and did not obtain separate consent. It also did not take additional protective measures.


Furthermore, Meta refused users' requests to access their personal information, such as the period of personal data processing and provision status, citing reasons such as these items not being subject to access requests under the Personal Information Protection Act. The Personal Information Protection Commission judged this refusal to be unjustified. The Enforcement Decree of the Personal Information Protection Act stipulates that the retention and use period of personal information, provision status, and the facts and contents of consent to personal information processing are subject to access.


It was also confirmed that the personal information of 10 Korean users was leaked. Meta did not remove the account recovery page for unused accounts. As a result, hackers submitted forged identification cards on that page to request password resets for other users' accounts. Meta approved this without sufficient verification procedures for the forged IDs, leading to the personal information leak.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

