PIPC Imposes Record Fines on Google and Meta for Privacy Violations

On September 14, 2022, the Personal Information Protection Commission (PIPC) announced that it had imposed record fines totaling KRW 100 billion on Google LLC (Google) and Meta Platforms, Inc. (Meta), the service provider of Facebook and Instagram, for collecting and using the behavioral data of users without consent for targeted advertisements in violation of the Personal Information Protection Act (PIPA).  The respective violations committed by each company, as well as the fines and other administrative sanctions imposed thereon, are summarized in greater detail below.

  1. Details of violations and administrative sanctions

The PIPC imposed an administrative penalty surcharge of KRW 69.2 billion on Google for its failure, spanning a period of 6 years, to clearly inform users during the sign-up process for its services that it would be collecting and using behavioral data (regarding their use of other companies’ websites/services) for targeted advertisements.  Similarly, the PIPC imposed an administrative penalty surcharge of KRW 30.8 billion on Meta for its failure, spanning a period of 4 years, to display mandatory notification information when obtaining consent in a manner that was easily viewable to users and for omitting to obtain their actual consent for the collection/use of behavioral data during the sign-up process for Facebook and Instagram.  According to the PIPC, such behavioral data was used by Google and Meta to analyze the interests/preferences of their users and to create individually customized advertisements for each user.

The PIPC also ordered both companies to implement an “easy and clear” process for obtaining consent that would give users more control over whether to share behavioral data regarding their online activities and decided to publicly disclose its decision to issue the corrective orders.

  1. Implications

This latest decision by the PIPC is notable for (i) representing the first instance in Korea where administrative sanctions were imposed on online platform operators for the unlawful collection/use of users’ behavioral data for targeted advertisements and (ii) addressing long-standing issues of controversy such as what the legal requirements should be for the collection/use of behavioral data for targeted advertisements and, where consent is required, who (online platform operators or their enterprise users) should be responsible for obtaining such consent.  Further, the fines imposed on Google and Meta are the largest ever amounts imposed for violations of the PIPA and has thereby elevated the potential risk associated with non-compliance to even higher levels.

In addition, because this decision also took issue with failures to adhere to methods prescribed by the PIPA for obtaining consent, it is expected to serve as important precedent when the PIPC is determining whether the methods for obtaining consent by other online platform operators, or by online businesses in general, can be viewed as compliant with the PIPA.

Lastly, the PIPC made it clear that it would continue to investigate Meta for other possible PIPA violations relating to its previous attempt (and subsequent withdrawal) to restrict the provision of its services to users who refused their consent for the collection/use of behavioral data.  As such, there is a possibility that Meta may be facing more administrative sanctions relating to, among other things, failures to differentiate between consent for the processing of personal information essentially necessary for the provision of services (i.e., required consent) and consent which is not (i.e., optional consent) as required by the PIPA.

Accordingly, foreign companies that are processing the data of Korean users should be mindful of the apparent increase in potential risk associated with violations of the PIPA (including those relating to notice/consent requirements) in light of these latest developments and take precautions accordingly.

If you have any questions regarding this article, please contact below:

Kwang Bae PARK (kwangbae.park@leeko.com)

Hwan Kyoung KO (hwankyoung.ko@leeko.com)

Sunghee CHAE (sunghee.chae@leeko.com)

Kyung Min SON (kyungmin.son@leeko.com)

For more information, please visit our website: www.leeko.com

More from Lee & Ko