South Korea’s PIPC Fines Tech Giants

South Korea’s PIPC Fines Tech Giants
By Anonymous | September 19, 2021

It is no brainer that South Korea is one of the world’s most technologically advanced and digitally connected countries with the highest average internet connection speed worldwide. With internet infrastructure that places a high priority in numerous governmental regulations, there comes a need for strong data privacy and only recently has a central administrative agency been established to govern data-related policies. Under the newly amended Personal Information Protection Act (PIPA), the Personal Information Protection Commission (PIPC) has become South Korea’s data protection authority since August 5, 2020. Since then, the PIPC has asserted various fines and corrective actions against tech giants such as Facebook, Google, and Netflix due to a major privacy audit that was conducted in 2020.

Out of all, Facebook was fined the largest penalty for privacy violations related to the collection of facial recognition data without the users’ consent. Personal images and social security numbers of over 200,000 platform users were collected for facial recognition templates, while failing to obtain consent, notify users, and submit required information when requested by PIPC. In the context of Respect for Persons, a basic ethical principle outlined in The Belmont Report, it seems that Facebook has neglected the need to provide users an opportunity to opt out of the facial recognition data collection process through proper consent and further ignored providing sufficient information to their users when migrating personal data to third parties or overseas. Prior to the collection and unauthorized transfer of personal data, there must’ve been widespread agreement of the consent process through the following domains: information, comprehension, and voluntariness. Thus, Facebook has been ordered to destroy any personal data that was associated with the facial recognition initiatives.

As for Google and Netflix, less penalties were issued for privacy violations in which Netflix failed to gain proper consent for collecting and transferring personal user’s data while Google ended up not violating the PIPA but still received legal recommendations on clarity and improvements to their personal data collection processes. Even so, Microsoft was fined insignificantly compared to Facebook for privacy violations related to leaked e-mail addresses, with 144 belonging to South Korean citizens and taking 11 days to publish a notification in Korean which was supposed to be performed within 24 hours under the PIPA. Like Facebook’s case, one of the Belmont Report principles, for Justice, seems to have been violated as the benefits and risks of the organization’s users weren’t appropriately assessed. It is also worth mentioning that users who are already marginalized in their everyday lives outside of these platforms are further burdened by the unprecedented age of market concentration that stems out of the personal data collected from these individuals. Even so, the obligations of Beneficence affect both the organization’s investigators and society at large, because they extend both to research projects and to the entire enterprise of research. In the case of using personal user data, organizations must be required to recognize the longer-term benefits and risks that may result from data collection processes and results.

The question of whether tech giants can cope with the patterns of PIPA moving forward comes into play as PIPC issued a statement that its investigations on privacy violations will continue. Even though certain companies only faced small fines, there also comes the concern of the company’s credibility with millions to billions of users providing personal data on a countless basis. With stronger data regulations coming into play, I hope to see many organizations taking a stronger stance in ensuring the autonomy, well-being, and equal distribution of their platform users.