Republic of Korea: Personal Information Protection Commission fined Facebook KRW 6.7 billion over unauthorised sharing of personal data

On 25 November 2020, the Personal Information Protection Commission (PIPC) of South Korea imposed a fine of 6.7 billion won and filed a criminal complaint against Facebook for the unauthorised sharing of personal data. The investigation, which began in March 2018, followed reports of improper data sharing during the 2016 US presidential election. The PIPC confirmed that personal data was provided to third parties without users' consent. When users logged into third-party apps via the platform, both their information and their friends' information were shared. This violation lasted for approximately six years, from May 2012 to June 2018. At least 3.3 million of the 18 million South Korean users were affected, with their data shared through over 10’000 apps. The shared data included sensitive information such as education, career, family status, and interests. Furthermore, the PIPC noted that the company obstructed the investigation by submitting false evidence regarding when the sharing stopped and by refusing to provide data on the number of affected users. In addition to the 6.7 billion won fine, the company was fined an additional 66 million won for failing to encrypt user passwords, neglecting to notify users about their data usage periodically, and submitting false materials.