The Seoul Administrative Court decided on January 23, 2025 (Case No. 2023Gu-Hap54259) to affirm the September 2022 disciplinary action by Korea’s data protection authority against Meta for collecting and using its members’ behavior data on third party websites and apps (“third party behavioral data”) without obtaining legally effective consent. Although Open Net’s application to intervene, filed from the users’ perspective, was rejected by the court, this is the world’s first decision that pinned the responsibility on Meta (as opposed to the website or app operators partnering with Meta) for collecting third party behavioral data, squarely along the lines of data protection law. A similar line of judicial decisions may follow in other countries with data protection laws, most of which usually require consent for collection of personal data. Meta must amend the sign-up system in order to comply.
Background: In September 2022, Korea’s data protection authority, the Personal Information Protection Commission (PIPC), disciplined Meta and Google for engaging in targeted advertising based on third party behavioral data without obtaining effective consent. Meta and Google challenged the decision in an administrative court, and this judgment concerns Meta’s challenge.
Summary of the Judgment
Meta makes Pixel, Facebook SDK, Facebook Login, and Social Plugin (“Meta business tools”) available free of charge to all willing operators of websites and smartphone apps (“web/app enterprises”). Once installed on those websites and apps, the tools collect behavioral data of their users and transfer it to Meta. Facebook Login and Social Plugin only record the fact of their use, when the user logs into or leaves comments on those websites/apps through Facebook login credentials, and transfer that record to Meta’s server. Pixel and the SDK, by contrast, record up to 17 and 24 targeted actions of the user, respectively, such as “Submit Payment” or “Put In Cart”, taking place on the websites and apps, and transfer the resulting data to Meta’s server. Meta analyzes the aggregated data and sends the results to the web/app operators so that they can use them to optimize their web/app services and marketing.
As to those web/app users who have also enrolled in Facebook, their devices already carry cookies that are associated with their Facebook profile information. When the user’s behavioral data is transferred to Meta’s server through the aforesaid Meta business tools, the user’s Facebook profile information is transferred in combination with his or her behavioral data. If the web/app operator has requested Meta to use the data analysis to place advertisements for its goods and services, Meta places, in the Facebook timeline or in the banner ads that Meta was given control of, advertisements targeting the interests those users have shown through the third party behavioral data. Meta also uses the behavioral data to customize Facebook features and content for those users.
- Who is the data controller of the users’ personal data?
Meta argued that it is the website/app operators who are collecting the users’ behavioral data and entrusting the processing of the data to Meta, since they chose to install the Meta business tools. Meta also pointed out that the web/app operators can control the scope of behavioral data that is collected by the Meta business tools, as in the case of Pixel and Facebook SDK, arguing that such control makes the web/app operators ‘data controllers’. (This argument seems to be based on the European Court of Justice’s 2019 Fashion ID decision.) In distributing the Meta business tools free of charge to web/app operators, Meta even included a provision in the terms of use for the tools that the web/app operators “must obtain necessary consent from the end users”. Pursuant to this provision, Adidas Korea, Amore Pacific and other web/app operators state in their “personal data processing policy” that they are collecting behavioral data, and Coupang, Timon, and Nexters go as far as naming “Meta” as the company accepting the behavioral data from them.
However, the court found that the behavioral data initially collected by the Meta business tools are anonymous. Only when the third party behavioral data of Facebook members are transferred to Meta’s server are they combined with the Facebook member’s profile information, because the cookies planted by Meta on those members’ devices are transferred together with the behavioral data. The court reasoned that, therefore, the website/app operators are not data controllers within the meaning of the Korean data protection law. The court goes as far as saying that the data inputted by the users into the websites/apps is not personal data. According to the court, the data protection law applies from the time when the cookies planted by Meta on the user’s device are combined with the third party behavioral data, as only those cookies are linked to the user’s profile information.
Meta also argued that it is technically difficult for Meta to obtain the users’ consent for each of the web/app operators, while it is relatively easier for the web/app operators themselves to obtain consent. However, the court again reasoned that the behavioral data collected by the web/app operators becomes personal only as to the Facebook members because of Meta’s act of combining the associated cookies with the behavioral data collected on the devices by Meta’s business tools, and that Meta is the data controller. The court also reasoned that it is feasible for Meta to obtain the consent at the users’ login or signup stage and delete all the data if the consent is not given, as Meta does for users logging in from Europe.
- Did the data controller obtain necessary consent?
In joining Facebook, users must check a “yes” box to the “Data Policy”, consisting of 14,600 letters and 694 lines (as of January 2022), which the user must scroll through first (for Instagram, the user does not have to scroll through or check “yes” on the Data Policy). The Data Policy lists under “The types of information we collect” the following: “(3) Data provided by Partners. Advertisers, app developers and publishers can use Meta Business tools such as Social Plugin (for example, “Like” button), Facebook Login, SDK or Meta Pixel to provide data to us. These Partners provide the information about your behavior (your device, the websites visited by you, your purchasing records, the ads shown to you, the methods of how you used the Partners’ services).” The Data Policy then explains under “the Way We use the Data” that “we use the stored data (your interest, behavior and relationship) to select and customize advertising, coupons, and other marketing contents shown to you. You can find out more at Facebook settings or Instagram settings about your choices on how we select and customize the advertising or what data are used to select the advertising and other marketing contents.”
Facebook’s Terms of Use state: “We don’t charge you to use Facebook or the other products and services covered by these Terms, unless we state otherwise. Instead, businesses and organizations, and other persons pay us to show you ads for their products and services. By using our Products, you agree that we can show you ads that we think may be relevant to you and your interests. We use your personal data to help determine which personalized ads to show you.”
The court states that “ordinary users should be able to recognize that they are consenting to the collection and use of personal data” and that Meta has not fulfilled that requirement. According to the court, the title “Data Policy” is too vague; scrolling the long document through a window showing 5 lines at a time is not conducive to the users’ easy understanding; the section titled “Data Provided by Partners” merely explains that Meta “uses” the data already provided by the partners but does not directly disclose that Meta “collects” the data; and finally that the terms such as “advertisers”, “partners”, the names of Meta business tools are confusing to ordinary users.
The court also points out that although, since August 2019, the Facebook members could choose to opt out of such combination of their Facebook profile information, the default was set to allow such combination, and that the users can change the setting only afterwards. The court contrasts this to what Meta does to the European users upon signup, i.e., gives them the option not to consent to the use of cookies to combine the Facebook profile information with the third party behavioral data.
In conclusion, the court states:
Meta’s activities of collecting the third party behavior data have the danger of depriving the users of their online anonymity. Analysis of each user’s behavioral data over long periods can lead to recognition of his or her ideology, beliefs, political views, health, physical and physiological, and behavioral features, and other sensitive data. The method of such collection is technically complex and is administered without special notice to the users, hampering the users’ awareness. The user, exposed to targeted ads, is likely to feel anxiety that their online activities are being surveilled. Therefore, in a contemporary society where online activity is essential, it is highly necessary to protect the right to self-determination on the third party behavioral data which constitutes personal data of the users.
- Is the disgorgement of profit fairly calculated?
The court notes that the third party behavioral data is used not just for advertising but also for optimizing Meta’s own services. The court therefore rules that multiplying the entire revenue Meta draws from Korean users by a statutory factor is not excessive.
Moving forward
This is the world’s first decision that recognized the platform’s responsibility for collection of third party behavioral data along the simple ‘consent’ requirement of data protection law without relying on the market dominance of the relevant platform, as the European Court of Justice did in 2023. Therefore, unless Meta amends the sign-up system, a similar line of judicial decisions may follow in other countries with data protection laws, which usually require consent for collection of third party behavioral data.
Meta has revised the Data Policy shown upon sign-up to make the fact of data collection more prominent to the users. However, the combination of the Facebook profile information with the third party behavioral data, which according to the Korean court makes the collected data personal and brings the practice within the purview of data protection laws, is done on an opt-out basis, i.e., combined unless the member objects, and furthermore the user can opt out only after signing up with Facebook.
Most global-facing websites and apps have set up cookie consent banners in accordance with the European GDPR, under which the website/app operators were deemed data controllers and were therefore required to obtain the users’ consent, when they use the websites/apps, for collecting the data and sending it to Meta and other advertising network operators. However, the websites/apps appealing to a non-European audience were not subject to that requirement. Now, the Korean court departs from that reasoning, finding the operators not to be data controllers because the behavioral data collected at the websites/apps are initially anonymous unless otherwise identified, and puts the onus on the advertising network operators like Meta who attach identifiers subsequently. If other jurisdictions with local data protection laws follow suit, Meta will have to amend the global sign-up system to protect the users’ profile information by default.