Facebook fined 6.7 billion in South Korea for sharing user data
The Personal Information Protection Commission (PIPC) said the US company shared data of at least 3.3 million out of its 18 million users in Korea to other companies without their consent between May 2012 to June 2018.
The commission said it would also file a criminal complaint against Facebook for breaking local personal information laws. Information shared by Facebook included users’ names, academic history, job history, hometown, and relationship statuses.
When users were logged into other third-party apps using their Facebook accounts, their information and those of their friends was shared with the services they were using, the PIPC said. These friends were unaware that their information was being shared with those services without their permission, it said.
“A user agreed to share their information with a particular service when they logged in with their Facebook accounts. However, the user’s friends didn’t, and they were unaware that their data were also being shared,” the commission said.
These third-party apps then used the data provided by Facebook without users’ permission to make customised advertisements to display on the social media service. Facebook ultimately made unfair profits by sharing user data without their consent, the PIPC said.
Facebook also stored user password data without encryption, and didn’t regularly notify users when the company accessed their data, it added.
The commission also said Facebook turned in false or incomplete documents during the investigation. This made determining the precise scope of the company’s violations difficult and hampered investigations, it said. Facebook was fined an additional 66 million won for these obstructions.
Facebook said it had fully cooperated with PIPC’s investigation. While the criminal complaint filed by the commission was “regrettable”, it said it will respond after fully reviewing the commission’s decision.
The investigation against the US tech giant started in 2018 by the Korea Communication Commission, the country’s telecommunication regulator, in the wake of the Cambridge Analytica scandal. The regulator handed the case to PIPC.