On November 26, 2020, South Korean regulatory authorities announced sanctions against Facebook (now Meta) due to privacy violations of user data. This significant case highlights the country's strict enforcement of personal data protection laws.
Details of the Violation
The Personal Information Protection Commission (PIPC) of South Korea fined Facebook $6.1 million (equivalent to 6.7 billion won). The primary reason for this penalty was the platform's practice of transferring users' personal data to other companies without explicit consent from the data owners.
The exposed data included critical details such as names, addresses, occupations, places of birth, and relationship information. This violation impacted approximately 3.3 million South Korean citizens, representing about one-sixth of Facebook's 18 million users in the country at that time. The breach spanned an extensive six-year period, from May 2012 to June 2018.
Lack of Transparency and Widespread Impact
What was particularly concerning was Facebook's failure to provide clear explanations regarding the extent of additional data that may have leaked to third-party businesses, nor did it deny such a possibility. Some sources estimated that up to 10,000 companies might have been involved in receiving this data.
In addition to the primary fine, the PIPC also imposed an additional fine of $59,000 for the submission of false documentation, a decision Facebook initially intended to contest.
A Costly Legal Lesson
This incident serves as a crucial lesson for large social media platforms and indicates that regulatory bodies worldwide are increasingly escalating their enforcement of data privacy laws.
Meta (Facebook's current company name) appealed the 2020 fine. However, in March 2025, South Korea's Supreme Court upheld the PIPC's original ruling, meaning Meta is obligated to pay the imposed 6.7 billion won fine.
This case underscores the critical need for tech companies to maintain responsibility and transparency in managing users' personal data to build trust and adhere to stringent data protection standards.