South Korea’s data protection agency has fined Meta Platforms, Facebook’s parent company, approximately $15 million for collecting sensitive user data and sharing it with advertisers without proper legal grounds. The Personal Information Protection Commission reported that Meta gathered information on around 980,000 South Korean Facebook users, including details on their religion, political beliefs, and sexual orientation, without obtaining their consent. Additionally, the commission noted that Meta failed to protect the personal information of users who did not consent to this data collection.
Meta said in a statement that it was disappointed by the decision. “At a time when privacy concerns are high, it is important that we work to continue to earn people’s trust,” the statement said. “Our business model relies on processing personal data to deliver personalized content and services.” It said that the EDPB decision clarified that it cannot rely solely on the legal grounds of the contract and must obtain explicit consent to use personal information. It said changes have already been made in the EU to reflect these findings.
The EC’s decision could have significant implications for other online advertising platforms that rely on behavioral ads. These include Google’s advertising service, which uses a combination of data from the search engine and its other properties to target advertising at individuals. Unlike Meta, Google requires its customers to agree to use this data to get personalized advertisements.
Neither Meta nor the EC commented further on Monday’s decision. However, the Irish data protection authority that oversees the company has expressed skepticism about relying on the legal grounds of contract and legitimate interest to justify tracking people as they move around the internet. It has been pushing for more stringent rules to protect people’s data control rights.
Last year, it began an investigation of Meta’s use of European user data when it was found that the social media giant had not safeguarded its systems against hackers, leading to the publication on hacker forums of names and other details stolen from the company’s website. It ordered Meta to change its processes within the EU and limit the amount of personal data it transfers to the U.S. The EDPB’s binding decisions clarify that it cannot rely on a contractual relationship as a reason to process personal data for behavioral advertising, which it did not have in this case.