The US tech giant shared personal information of at least 3.3 million users without their consent, the South Korean government said.
According to the Personal Information Protection Commission (PIPC), Facebook shared the data of at least 3.3 million of South Korea’s 18 million users between May 2012 and June 2018 without permission of the users.
It marked the commission’s first punishment against Facebook since it was launched in August this year.
The Commission also said it would file criminal charges against Facebook for violating local personal information laws. Information shared by Facebook includes the user’s name, academic background, employment history, place of birth, and marital status.
The commission will refer Facebook Ireland Ltd. — which was in charge of Facebook operations in South Korea from May 2012 to June 2018 — to the prosecution for a criminal investigation.
The investigation against the US tech giant started in 2018 by the Korea Communication Commission, the country’s telecommunication regulator, in the wake of the Cambridge Analytica scandal; wherein the information on up to 87 million users, mostly in the US, has been “improperly shared” with Cambridge Analytica.
In 2018, the Korea Communications Commission, South Korea’s telecommunications regulator, started investigations into Facebook before handing it off to the commission.
According to PIPC, when users logged into other company’s services using their Facebook accounts, the personal information of their Facebook friends was also shared with such service providers without consent.
“A user agreed to share their information with a particular service when they logged in with their Facebook accounts. However, the user’s friends didn’t, and they were unaware that their data were also being shared,” the commission said.
These third-party apps then used data provided by Facebook to create customized ads to appear on social media services without users’ permission. PIPC said that in the end, Facebook made unfair profits by sharing user data without their consent.
Facebook also stored user password data without encryption, and users were not notified as usual when the company gained access to their data.
Considering the information could be provided to at most 10,000 other companies, the watchdog said a considerable amount of personal information could have been shared.
It added that Facebook was uncooperative in its investigation as it submitted incomplete or false documents. This made it difficult to determine the true scope of the company’s violations and led to an intervention investigation. Facebook was fined an additional 66 million won for these obstructions.
“We have cooperated as much as possible throughout the investigation process, we regret that the Personal Information Protection Commission has sought a criminal investigation,” a Seoul-based Facebook spokeswoman said in a statement, declining further comment as Facebook hasn’t yet fully reviewed the details of the decision.