South Korea’s Personal Information Protection Commission Issues a Major Privacy Fine

On November 25, 2020, South Korea’s Personal Information Protection Commission, a new agency tasked with protecting personal information, issued a $6 million fine against Facebook Ireland Ltd. and sought a criminal investigation over the company sharing users’ personal information with third parties without consent.

According to the Commission, its investigation revealed that between 2012 and 2018, the personal information of at least 3.3 million of the 18 million Facebook users in Korea was provided to as many as 10,000 third party operators without the users’ knowledge.  Specifically, when users logged in into another operator’s service through Facebook’s log-in, the personal information of their Facebook friends was shared with the other operators without their consent.  This conduct allegedly violated the country’s data protection law.

The personal information that was shared included names, addresses, dates of birth, work experience, hometowns, and relationship statuses.  However, the exact amount of shared information remains unclear as Facebook allegedly declined to provide relevant documentation.

The Commission also plans to refer Facebook Ireland Ltd. to the country’s prosecutors for a criminal investigation.

Even though the focus of privacy professionals has been primarily on the GDPR fines issued by the data protection authorities in Europe, the penalty issued by the South Korean agency is a reminder that regulators in other countries will not hesitate to issue substantial fines under their newly enacted laws.  Companies that ignore these emerging regulatory requirements face potential administrative fines, consumer litigation, and damage to their reputation and standing on the market.

Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653