Facebook used facial recognition without consent 200,000 times, says South Korea's data watchdog
Hands Zuck its second-largest fine ever, also makes Netflix pay up and warns Google to be more obvious about privacy
Facebook, Netflix and Google have all received reprimands or fines, and an order to make corrective action, from South Korea's government data protection watchdog, the Personal Information Protection Commission (PIPC).
The PIPC announced a privacy audit last year and has revealed that three companies – Facebook, Netflix and Google – were in violations of laws and had insufficient privacy protection.
Facebook alone was ordered to pay 6.46 billion won (US$5.5m) for creating and storing facial recognition templates of 200,000 local users without proper consent between April 2018 and September 2019.
Another 26 million won (US$22,000) penalty was issued for illegally collecting social security numbers, not issuing notifications regarding personal information management changes, and other missteps.
Facebook has been ordered to destroy facial information collected without consent or obtain consent, and was prohibited from processing identity numbers without legal basis. It was also ordered to destroy collected data and disclose contents related to foreign migration of personal information. Zuck's brainchild was then told to make it easier for users to check legal notices regarding personal information.
- Korean app-maker Scatter Lab fined for using private data to create homophobic and lewd chatbot
- South Korea to test grenade-launching drones
- South Korea reports export boom in silicon, wireless comms, and instant noodles
The fine is the second-largest ever issued by the organization, the largest ever also going to Facebook. In November 2020 the Social Network™ was fined 6.7 billion won (US$5.7m) for passing on personal data to other operators without user permission.
Netflix's fine was a paltry 220 million won (US$188,000), with that sum imposed for collecting data from five million people without their consent, plus another 3.2 million won (US$2,700) for not disclosing international transfer of the data.
Google got off the easiest, with just a "recommendation" to improve its personal data handling processes and make legal notices more precise.
The PPIC said it is not done investigating methods of collecting personal information from overseas businesses and will continue with a legal review.
Song Sang-hoon, director of Investigations and Corrections at the PPIC, issued a warning in Korean specifically to overseas companies that translates as:
We hope that overseas companies will obtain the consent of users according to domestic law when collecting and using personal information, and faithfully fulfil their statutory obligations.
The PPIC is no stranger to fining overseas big tech for violations, but the fine on Facebook is an unusually large sum for the organization.
Last June, Microsoft received fines totalling 16.4 million won (US$14,700) from the PPIC. PPIC determined that Microsoft failed to have protective measures on administrative accounts that led to the leak of over 119,000 email accounts – 144 of which belonged to Korean residents – and did not announce the leak in a timely enough fashion. ®