Facebook created and stored facial recognition details on 200,000 users in South Korea by harvesting info from videos and photos without consent, a data privacy audit revealed. It also illegally collected social security numbers.
The country’s personal information protection watchdog ordered Facebook
to pay 6.4 billion won ($5.5 million) for the unauthorized use of user-image information for its automated facial recognition software between April 2018 and September 2019.
Announcing the preliminary findings of its privacy probe on Wednesday, the Personal Information Protection Commission (PIPC) said Facebook
had “preset consent” for the feature for new profiles created on the platform.
The regulatory body also stated that users were prevented from revoking consent using the settings tool later.
The social media giant was penalized another 26 million won ($22,000) for a number of violations, including obtaining resident registration numbers in an “illicit manner” and not issuing notices to users about changes to its privacy and personal-information management policies.
The PIPC ordered Facebook
to either obtain consent for the stored facial information or erase it. As well, the company was ordered to disclose and delete data related to the international transfer of users’ personal information. It was also barred from processing identity numbers without a legal basis.
Earlier this year, Facebook
’s facial recognition tech had come under legal scrutiny after the company settled a class-action lawsuit in the US and was forced to change its photo face-tagging feature over privacy concerns.
The ‘Tag Suggestions’ tool generated automatic tagging suggestions by scanning previously uploaded images to identify people in new photos and link to their profiles.
It had to pay out $650 million to 1.6 million Illinois-based users, who had alleged the company broke the state’s biometric information privacy law by not getting their consent before scanning their photos to digitally store their faces.
Netflix and Google were also pulled up by the Korean regulatory body for violations of personal information protection laws. It fined the streaming service 220 million won ($188,000) for collecting data from five million people without consent, and another 3.2 million won ($2,700) for failing to notify users about the cross-border transfer of their data.
Meanwhile, Google was handed an official “recommendation” to improve its personal data handling systems and to make its legal notices less vague.
The PIPC stated that its investigation will continue with a legal review of the companies’ compliance with Korean privacy laws – with its director of investigations issuing a warning to overseas companies about the need to “obtain user consent” and “faithfully fulfill their statutory obligations”.
In response, Facebook
denied not seeking user approval for facial recognition and claimed that the PIPC had determined the “control setting for face recognition may have been misunderstood by some people”.
“In fact, we’ve always given people the option to turn off facial recognition on Facebook
, and two years ago, changed this feature to opt-in only,” an unidentified Facebook
spokesperson told the Korea JoongAng Daily newspaper.
This is the second time the PIPC has fined Facebook
after imposing a 6.7 billion won ($5.7 million) penalty last November for sharing the personal data of at least 3.3 million users with at most an estimated 10,000 other firms and service providers without their knowledge between May 2012 and June 2018.
The watchdog had said that when people used their Facebook
accounts to log onto other sites, their personal information – including names, addresses, birthdays, work experience and relationship statuses – was shared with the other companies.