Personal Information Protection Commission concludes that Facebook furnished personal data of over 3.3 million users, without their consent, to 3rd parties during 6-year span starting in 2012.
The November 25, 2020 findings also cover failure to comply with user notification and data encryption requirements, and non-cooperation with investigative requests.
The fines are believed to be the largest sanctions ever imposed in Korea for data privacy violations.
The decision – which seems likely to be appealed by Facebook – includes referral of case for possible criminal prosecution.
The Personal Information Protection Commission (PIPC), Korea’s main data privacy regulator, has imposed administrative fines totaling some KRW 6.8 billion on Facebook, primarily for non-consensual sharing of user data with 3rd parties during a 6-year period (straddling the 2016 US Presidential election), as well as non-compliance with user notification requirements and data encryption rules, and non-cooperation with investigative efforts. The PIPC’s announcement of its November 25, 2020 decision notes that the agency has also referred the case to the prosecutors’ office, for investigation towards possible criminal charges.
The decision stems from an investigation started in March 2018 by the Korea Communications Commission (the PIPC's predecessor as data privacy regulator), following news reports that Facebook user information had been illegally shared and used (including by the firm Cambridge Analytica) in connection with the 2016 U.S. Presidential election. As the main conclusion of the nearly three-year investigation, the PIPC determined that Facebook had furnished personal information of at least 3.3 million Korean users (out of some 18 million Koreans on Facebook), without their consent, to other companies between May 2012 and June 2018.
According to the PIPC announcement, during that 6-year period Facebook used its Graph API (v1 and v2), the programming interface through which outside applications read Facebook data, to let 3rd-party service providers receive Facebook users' personal information for the purposes of the 3rd parties' own services. The problem was the scope of what the API released: when a Facebook user logged onto one of these 3rd-party services with their Facebook account (there may have been up to 10,000 such service providers), the personal information of that user's Facebook "friends" was also passed to the 3rd party via the Graph API (especially v1), on the strength of the logging-in user's authorization alone and without the friends' own consent. The information included names, education, work experience, relationship status and interests.
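The data flow the PIPC describes can be modelled in a few lines. The following is an added illustration, not code from Facebook or from the PIPC decision: a toy API with constructed sample accounts, a "legacy" handler that treats the logging-in user's authorization as covering friends' profile fields (the v1-style behaviour described above), a consent-gated handler that checks each friend's own consent for each field, and an audit helper that lists the (user, field) pairs released without consent. The app name, field names and account data are all constructed for the example.

```python
"""Toy model of app-login data flow: constructed illustration only, not the
real Graph API. Shows why releasing friends' fields on the token holder's
authorization alone is third-party provision without the friends' consent."""
from dataclasses import dataclass, field

PROFILE_FIELDS = ("name", "education", "work", "relationship", "interests")


@dataclass
class Profile:
    user_id: str
    name: str
    education: str
    work: str
    relationship: str
    interests: tuple
    friends: tuple
    # app_id -> set of fields this data subject has consented to share with that app
    consents: dict = field(default_factory=dict)


# Constructed sample accounts (hypothetical people and app "quizapp").
# Only alice has authorized quizapp; carol consented to share her name only; bob consented to nothing.
USERS = {
    "alice": Profile("alice", "Alice", "Univ A", "Acme", "single", ("hiking",), ("bob", "carol"),
                     consents={"quizapp": set(PROFILE_FIELDS)}),
    "bob": Profile("bob", "Bob", "Univ B", "Beta Co", "married", ("chess",), ("alice",)),
    "carol": Profile("carol", "Carol", "Univ C", "Gamma", "single", ("jazz",), ("alice",),
                     consents={"quizapp": {"name"}}),
}


def _fields(profile, fields):
    """Project the requested attributes of a profile into a dict."""
    return {"user_id": profile.user_id, **{f: getattr(profile, f) for f in fields}}


def serve_v1_style(users, token_user, app_id, friend_fields):
    """Legacy-style handler: the token holder's consent is treated as covering
    the requested fields of every friend, so friends' data is released to the
    app without those friends having consented to anything."""
    me = users[token_user]
    if app_id not in me.consents:
        raise PermissionError(f"{token_user} has not authorized {app_id}")
    return {
        "me": _fields(me, sorted(me.consents[app_id])),
        "friends": [_fields(users[fid], friend_fields) for fid in me.friends],
    }


def serve_consent_gated(users, token_user, app_id, friend_fields):
    """Hardened handler: each friend is a separate data subject. A friend's
    field is released only if that friend consented to share it with app_id;
    friends who consented to nothing are omitted entirely."""
    me = users[token_user]
    if app_id not in me.consents:
        raise PermissionError(f"{token_user} has not authorized {app_id}")
    friends = []
    for fid in me.friends:
        friend = users[fid]
        allowed = set(friend_fields) & friend.consents.get(app_id, set())
        if allowed:
            friends.append(_fields(friend, sorted(allowed)))
    return {"me": _fields(me, sorted(me.consents[app_id])), "friends": friends}


def unconsented_disclosures(users, app_id, response):
    """Audit helper: list every (user_id, field) in the friends payload that the
    data subject never consented to share with app_id."""
    leaks = []
    for entry in response["friends"]:
        uid = entry["user_id"]
        consented = users[uid].consents.get(app_id, set())
        for f in entry:
            if f != "user_id" and f not in consented:
                leaks.append((uid, f))
    return leaks


if __name__ == "__main__":
    requested = ("name", "education", "relationship")
    leaky = serve_v1_style(USERS, "alice", "quizapp", requested)
    gated = serve_consent_gated(USERS, "alice", "quizapp", requested)
    print("v1-style unconsented disclosures:", unconsented_disclosures(USERS, "quizapp", leaky))
    print("consent-gated unconsented disclosures:", unconsented_disclosures(USERS, "quizapp", gated))
```

The audit helper is the piece a practitioner would actually want: run over the responses an integration returns, it answers the question the regulator asked (how many people beyond the authorizing user were affected, and which of their fields) without relying on the service's own count of "directly affected" users.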
In addition to the years-long violation of restrictions on transfer of personal data, the PIPC concluded that Facebook also breached user notice and data encryption requirements, and submitted misleading and deficient responses to investigative requests. These violations account for a small part of the total fines, but in principle could likewise be alleged as a basis for criminal charges.
The PIPC’s findings and sanctions – which are subject to possible (and likely) appeal by Facebook – comprised the following:
- Facebook furnished personal information to 3rd parties without data subjects' consent: On one of the key questions, the PIPC determined that, although the transfer of personal information occurred through the Graph API, it amounted to "third party provision" of the data (in essence, furnishing data to 3rd parties for those parties' own purposes), which requires the data subjects' consent. Along with an order to rectify the problem, the PIPC imposed KRW 6.7 billion in administrative fines, calculated under a provision allowing fines of up to 3% of "sales related to the violation" in the applicable rules (provisions of the IT Networks Act that were in effect at the relevant times, until superseded in August 2020).
- Facebook failed to provide periodic (at minimum annual) notice to users on how their personal information was being used: On this basis the PIPC imposed an administrative fine of KRW 50 million (around USD 45,000), calculated as KRW 10 million per year for a total of 5 years.
- Facebook stored users' passwords without encryption: The PIPC determined that Facebook also violated the encrypted storage requirements for passwords (i.e., passwords were held in cleartext), and imposed a KRW 10 million (around USD 9,000) administrative fine.
- Facebook impeded the investigation by submitting false and/or incomplete data: The PIPC found that Facebook made a false submission regarding when it had ceased providing personal information to 3rd parties without due consent, and supplied the necessary supplemental data only after the PIPC presented contrary evidence, more than 20 months into the investigation. In addition, Facebook at first submitted data only on the number of users directly affected (those who logged onto 3rd-party services), rather than the number of Facebook "friends" whose data was also passed on, complicating the PIPC's task of ascertaining the scope of the violation. These violations were cited for an administrative fine of KRW 6 million.
In addition, the PIPC announced that, taking into account the gravity of the violations, it has referred the case to the prosecutors' office for criminal investigation of Facebook. The possible consequences include up to 5 years' imprisonment or a criminal fine of up to KRW 50 million (around USD 45,000).
Considering the nature of the findings as well as scale of sanctions, it would seem quite probable that Facebook will challenge the result, which it can do by filing an administrative lawsuit against the PIPC.
In any event, the PIPC decision demonstrates that the agency intends to monitor and police offshore service providers, continuing the approach of its predecessor, the Korea Communications Commission. The PIPC took over as data privacy regulator from the KCC in August 2020, and an open question has been to what extent the agency would continue the KCC's relatively aggressive stance toward offshore businesses. The present decision is the first in which the PIPC has imposed administrative sanctions of this scale, and the first in which it has referred an offshore service provider for criminal investigation. The result suggests that the PIPC is committed to actively enforcing Korea's data protection rules against offshore as well as local services, and the situation may therefore be read as a call for diligent, renewed attention to compliance with Korea's data protection rules, including the fairly rigorous requirements for consent from data subjects, which apply to each person whose data is disclosed and not only to the user who authorizes the disclosure.