Fines totaling KRW 100 billion, together with corrective orders, handed down by Personal Information Protection Commission (PIPC) on September 14, 2022
PIPC finds that Google and Meta, in gathering their users’ behavioral data from websites via tracking tools distributed by the companies, failed to obtain user consents based on sufficiently clear disclosures
In finding the violations of the Personal Information Protection Act, PIPC rejects argument that responsibility for getting due consents was with the user-visited websites
Fines of KRW 69 billion for Google, and KRW 31 billion for Meta, based on Korean user-derived revenues, represent first instance of sanctions directed to behavioral data collection for personalized advertising (and largest fines ever for data privacy violations) in Korea
Decision exemplifies PIPC’s current focus on data protection in personalized advertising practices; regulator already in preparation of regulations governing such data use
Korea’s chief data protection regulator, the Personal Information Protection Commission (PIPC) has found that Google and Meta (the latter in relation to Facebook and Instagram users) violated the Personal Information Protection Act (PIPA) by collecting and using, without duly obtaining consent, user behavioral data from websites via the tracking tools distributed by the companies. In this first case of sanctions on behavioral data gathering for use in personalized advertising, the PIPC has imposed administrative fines of KRW 69.2 billion (USD 50 million)[1] on Google, and KRW 30.8 billion (USD 22 million) on Meta. The regulator will also order each company to modify its signup and/or consents setup, though specifics are left to be worked out with each company.
According to the regulator’s September 14, 2022 press release (Korean original online), the PIPC has found that the tech companies were required, but failed, to obtain consents from their signed-up users based on clear, specific disclosures regarding the tracking and use of behavioral data on other websites. Evidently there was not much question about the technical activity, consisting mainly in the companies’ placement of their tools – pixels, SDKs, etc. – on websites, to gather data of the (for the companies) identifiable users. For this purpose, however, the companies had to get their users’ consents and, in doing so, disclose the proposed activity in clear terms, easily seen and understood.
The PIPC ruled that the companies’ consent displays and settings, and accompanying disclosures, were noncompliant in that, basically, (i) Google obscured details concerning collection of behavioral data from other parties, and also used an opt-out setting (consent affirmed by default) rather than an opt-in setting; and (ii) Meta requested user consents while making available only a short description of the intended practice (under the heading “Information from partners”), embedded and inconspicuous in Meta’s very extensive privacy policy.
In each instance, the disclosures were deemed insufficient largely, or mainly, in view of the nature of the data collection and processing, which is seen as sophisticated and, potentially, pervasive, in ways hard for an average person to grasp or foresee. In its decision, the regulator stresses that the scope and types of data, collected automatically and throughout a user’s online activity (once signed in), will be far from obvious to most people, and can extend across all the user’s devices, potentially even comprising or amounting to sensitive data of the user.
The PIPC press release includes an extended review and discussion of the perceived deficiencies in the Google and Meta sign-up interface and process, including details such as the way in which the Google interface at first obscures the behavioral data-related settings, and, with Meta, a comparison of the terse “information from partners” disclosure with the volume of the rest of the privacy policy. It is not clear how helpful the PIPC decision will be to other online services in assessing whether their own setups need modification; situations will obviously differ. Furthermore, the PIPC corrective order, as released, is “bare bones”, leaving specific modifications to be resolved with each company.
Some noteworthy aspects of argument and analysis. On a threshold issue, the PIPC specifically rejected the companies’ argument that, while the collection of behavioral data by tracking tools placed on websites required consent of the users, it was the responsibility of those site operators (or app operators) to obtain that consent, not that of the companies as analytics or ad service providers.
At the same time, the PIPC acknowledged separately, during the press conference for the September 14 announcement, a feature of its work (so far) that may merit careful watching: Asked why Naver and Kakao, leading Korean tech companies that engage in similar data gathering, were not subject to sanctions alongside Google and Meta, the PIPC explained this was because those local companies did not combine behavioral data with user account data. The remark might point, possibly, toward some conceptual safe harbor for behavioral data collection, although the regulator made it clear that investigation and review were ongoing.
Statutory particulars of decision and sanctions. The decision relies, specifically, on PIPA Article 39-3: This core provision of the data privacy statute requires any “IT services provider” (which includes virtually any online service) generally to obtain consent for collection and use of personal information and, in doing so, to disclose each purpose of such collection and use, and each item (or, roughly speaking, each specific type) of the personal information in question, along with the respective retention and use periods. The same Article 39-3, together with other rules, requires an online service to classify each consent, so requested, as necessary (or “required”), or instead optional: An online service may not refuse its service to a user on grounds of non-consent to collection of data beyond “the minimum required.” (Main features of the regulatory framework are covered in our general Korea data privacy guide.)
The administrative penalties imposed, totaling over USD 70 million, are based on each company’s use of the offending practices during a 3-year period covered by the investigation, 2019-2021. The specific figures correspond to the PIPA-permitted maximum amount of 3% of revenues relating to the violation in question, said here to be calculated based on the Korea portion of the total revenues of each service.
Additional factors in decision. The PIPC adduced, in Google’s case, a comparison with its practices in the EU, where the sign-up process requests consents in a sequence of steps, guiding users to possible adjustments in privacy settings, including for personalized advertising. In Meta’s case, the regulator also (though perhaps without obvious direct relevance) pointed to the fact that Meta had undertaken to modify its user sign-up and consents, so as to render consent to behavioral data collection a “required” item, without which the user would be unable to use Facebook or Instagram, period – a move that was called off under pressure from users and the PIPC.
Also a factor for the PIPC was its assessment that, among affected Korean users, there is a very high level of permission given for behavioral data collection, 82% and 98% respectively. That is said to present a high risk of data infringements. (An impression is that these statistics are also treated by the PIPC as signifying user unawareness of risks – in other words, these very levels of consent seen as implying the inadequacy of disclosures accompanying the consents.) Related to this, the PIPC cautioned against casual acceptance of the practices “on the basis that [anyway] the platforms are providing the services for free”.
EU precedents. PIPC also cited a couple of EU precedents, namely two 2019 decisions, in France (by the Commission nationale de l'informatique et des libertés) and Germany (Federal Cartel Office), which are said to have found, respectively, that Google failed to obtain required consents to engage in personalized advertising, and that Meta collected behavioral data without required consents. The PIPC seems also, at least in one stage, to have looked at a draft decision, concerning Facebook, of Ireland’s Data Protection Commissioner in late 2021, which went to the question of whether consents for collection of behavioral data can be validly classed as necessary, instead of optional.
Outlook. The PIPC decision, stated by the regulator itself to be the first of its kind in Korea in sanctioning collection of behavioral data for personalized advertising, follows a lengthy review process, which started in mid to late 2021 and was widely known by February 2022. The decision is appealable to the courts by each company. At any rate the decision underscores the fact that a significant part of the regulator’s attention has been and is being directed to issues surrounding collection and use of data for personalized advertising. At present there is no hard and fast set of rules specifically directed to personalized advertising, only a limited set of general principles, promulgated by the Korea Communications Commission. The PIPC has been working, since 2021, to draw up regulations governing personalized advertising, which may well come out in the 1st half of 2023, if not sooner. The PIPC indicates that its findings against Google and Meta will be “reflected” in those regulations.
[1] All USD figures are approximations, based roughly on the KRW-USD exchange rate around the date of this newsletter.