On August 25, 2021, the Personal Information Protection Commission (PIPC) announced that it had imposed various administrative sanctions (i.e., administrative penalty surcharges totaling KRW 6.66 billion, administrative fines totaling KRW 29 million, corrective orders, improvement recommendations, and publications) on Facebook[1]and Netflix for violations of the Personal Information Protection Act (PIPA). Google was also investigated but was only recommended to improve its data processing practices after the PIPC determined that it had not committed any violations of the PIPA. The respective administrative sanctions and measures imposed on each company are summarized in greater detail below.
Details of administrative sanctions/measures
An administrative penalty surcharge of KRW 6.44 billion was imposed on Facebook for generating and collecting the facial template data (i.e., facial recognition templates for identification/display of the names of individuals in photographs uploaded to its platform) of its users without consent for a period of 17 months (from April 2018 until September 2019). An administrative fine of KRW 26 million was also imposed on Facebook for its unlawful collection of resident registration numbers, failure to notify changes in data processing entities, failure to disclose information on the outsourcing of the processing of personal data and the cross-border transfer of personal data, and failure to comply with requests for information from the PIPC. Lastly, (i) a corrective order was imposed on Facebook to rectify its practice of collecting user facial data without consent as well as each of the aforementioned compliance failures which were the cause of its administrative fine and (ii) an improvement recommendation was made to enhance the clarity/transparency of the information notified to users when obtaining consent for the collection/use of personal data.
Netflix
An administrative penalty surcharge of KRW 220 million and corrective order was imposed on Netflix for collecting the personal data of users without consent and an administrative fine of KRW 3.2 million was also imposed for its failure to disclose information on the cross-border transfer of personal data.
Although the PIPC indicated that it did not find any violations of the PIPA committed by Google, an improvement recommendation was made, nevertheless, to (i) enhance the clarity/transparency of the information notified to users when obtaining their additional consent for the collection/use of personal data (e.g., payment data, email address, telephone number, postal address and the like) and (ii) disclose details on the items of personal data transferred overseas with greater specificity.
Implications
The PIPC decided to sanction these companies after comprehensively investigating numerous allegations raised by lawmakers, civil societies, and individual activists of possible data privacy violations by these companies. When announcing its decision, the PIPC emphasized that foreign companies conducting business in Korea should strive to be compliant with notice/consent and other data privacy requirements when processing data in the future.
Since ascending to the role of Korea’s main data protection authority last year, the PIPC has displayed an increasing willingness to aggressively enforce Korean data privacy laws against foreign companies suspected of wrongdoing as witnessed by its decision in November 2020 to impose an unprecedented amount of fine (i.e., an administrative penalty surcharge of KRW 6.7 billion and administrative fines totaling KRW 66 million) on Facebook for violating the PIPA. As such, foreign companies which are processing the data of Korean data subjects should be mindful of the potential risks associated with violations of applicable data privacy requirements in Korea (including those relating to notice/consent and the implementation of mandatory security measures which are quite extensive and unique in comparison to those under the GDPR and other data privacy laws) and take precautions accordingly.
If you have any questions regarding this article, please contact below:
Kwang Bae PARK (kwangbae.park@leeko.com)
Sunghee CHAE (sunghee.chae@leeko.com)
For more information, please visit our website: www.leeko.com
[1] Collectively referring to Facebook Ireland Limited and Facebook Inc.