On November 5, 2024, the Personal Information Protection Commission (PIPC) published its decision in which it imposed a fine of KRW 21.6 billion (approx. $15.6 million) on Meta Platforms Inc. for violations of the Personal Information Protection Act (PIPA).

Background to the decision

The PIPC outlined that it had received complaints of users being denied access to their personal information and that there have been reports of personal information being leaked through hacking.

Findings of the PIPC

The PIPC found that Meta violated Articles 23, 29, and 35 of the PIPA by collecting and using sensitive personal information, including religious and political views and the same-sex marital status of approximately 980,000 users. Particularly, the PIPC found that behavioral information, such as users' liked Facebook pages and the advertisements they clicked on, was analyzed and shared with advertisers for customized services, which was vaguely stated in its privacy policy. Additionally, the PIPC found that Meta did not obtain separate consent and did not take any additional protective measures.

Outcomes

In light of the above, the PIPC imposed a fine of KRW 21.6 billion (approx. $15.6 million) on Meta. Furthermore, the PIPC issued a corrective order for Meta to establish a legal basis for the processing of sensitive information, to take measures to ensure the safety of personal data and to respond to users' requests to view their personal information.

You can read the press release, only available in Korean, here.