July 27, 2023
(This is an unofficial and modified translation from a Korean-language press release.)
On July 26, the Personal Information Protection Commission (“PIPC”) held a plenary meeting and reached a decision to impose administrative fines of approximately KRW 6.5 billion (approx. USD 5.1 million) against Meta Platforms, Ireland Limited (“Meta Ireland”) and KRW 886 million (approx. USD 700,000) against Instagram LLC (“Instagram”) for collecting and using behavioral data from third-party sources without obtaining proper consent from users for purposes including running targeted advertisements.
Separately, the PIPC decided to grant a grace period to Meta Platforms, Inc. (“Meta Inc”), which was found to have been collecting third-party behavioral data without notifying users and service providers of the practice by integrating a data collection tool in the “Sign in with Facebook” feature. Meta Inc has officially submitted a plan before the PIPC and expressed its intention to take a self-regulatory action. The company is expected to report the results of its corrective action within three months.
Meta Ireland and Instagram
In September 2022, the PIPC imposed a fine, along with corrective orders, against Meta Inc for collecting and using third-party behavioral data without obtaining proper user consent, and for combining such data with users’ identifiable data for purposes of providing targeted advertisements. It was decided at that time that further investigations would take place on Meta Ireland and Instagram regarding similar data processing practices during the period not covered by the 2022 case, i.e., the period up to July 14, 2018.
The follow-up investigation showed that Meta Ireland and Instagram, the companies responsible for providing Facebook and Instagram services to Korean users, respectively, prior to July 14, 2018, did not meet the legal requirements to obtain proper consent from users while they utilized the behavioral data collected from third-party sources for purposes of serving targeted advertisements.
Since Meta Ireland displayed the full text of its Data Policy in a small box that had to be scrolled down numerous times in order to be viewed when users created an account, it was exceedingly difficult for users to consider the Data Policy and to provide an informed agreement about the collection of their behavioral data from third-party sites at the time of account creation.
Meanwhile, Instagram considered users to have agreed to its Terms of Service and Privacy Policy when they created an account to use the Instagram service, without offering a proper procedure for obtaining explicit consent. In particular, the Privacy Policy did not include provisions about the collection of third-party behavioral data.
Such practices were in violation of Article 22 (1) of the Act on Promotion of Information and Communication Network Utilization and Information Protection (“IC Network Act”). (Provisions on data privacy contained in the IC Network Act were subsequently merged into the Personal Information Protection Act.) Article 22 (1) of the IC Network Act required any provider of information and communications services intending to collect personal information to notify users of certain details and obtain consent prior to the collection of personal data. The requisite details include: the purpose of collecting and using data, the types of data collected, and the retention period.
Meta Inc
On the other hand, it was found that Meta Inc collected and transmitted behavioral data of users from third-party websites and apps during the process of providing the “Sign in with Facebook” feature, which is typically used to simplify the log-in process for a third-party service. The “Sign in with Facebook” feature had a built-in data collection mechanism that is unnecessary for purposes of providing a log-in service, but was nevertheless automatically installed when users signed in to third-party websites and apps using this feature. Virtually no end users and third-party service providers appear to have been aware of the existence of this built-in data collection mechanism.
The PIPC evaluated the possibility of filing a formal complaint against Meta Inc on the grounds that it had been collecting personal data in an illegal manner – by hiding from both users and third-party service providers that the “Sign in with Facebook” feature included a mechanism for automatically collecting and transmitting user behavioral data from third-party websites and apps to Meta Inc. However, Meta Inc informed the PIPC of its intention and described its plan to voluntarily correct this practice within three months.
The PIPC determined to grant Meta Inc an opportunity to redress the issue on its own. The PIPC intends to follow up on Meta Inc’s pledge by monitoring and verifying the implementation of the corrective action.
The PIPC stated, “Since our organization was launched with full investigative and administrative authority for data privacy matters in August 2020, we have exerted consistent efforts to enforce the PIPA against domestic as well as global businesses. Some of the cases include: the 2020 case against Facebook regarding illegitimate third-party data transfer; the 2021 case against Facebook, Netflix and Google regarding these companies’ failure to comply with the consent requirements; and the 2022 case against Google and Meta regarding their unlawful data practices for targeted advertisements.”
“We hope today’s decision will provide an extra push for service providers to take the issue of data privacy more seriously, so they would limit the collection and use of data to what is indeed needed, and increase transparency in their data processing activities.”
*A PDF version of this article can be found at https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do#none
Source: PIPC