South Korea's Personal Information Protection Commission (PIPC) has recently imposed fines on tech giants OpenAI and Meta, the parent company of Facebook. OpenAI's chatbot, ChatGPT, has been fined 3.6 million won for a data breach incident on 27 July.
The breach was caused by a bug in an open-source library on ChatGPT, leading to the unintended exposure of personal information belonging to 687 South Korean citizens. The leaked data included payment details such as names, email addresses, the last four digits of credit card numbers, and credit card expiration dates of ChatGPT Plus subscribers. OpenAI confirmed the incident and acknowledged the affected users in South Korea.
The PIPC found that OpenAI failed to report the data leakage to authorities within the required 24-hour period. Consequently, the company was held responsible for breaching its duty to protect personal information. However, the commission also highlighted the need for enhanced personal information protection measures across the board.
To avoid similar incidents in the future, the PIPC has advised OpenAI to take preventive measures and adhere to South Korea's personal information protection law. The commission further urged the company to actively cooperate with the PIPC's inspection activities.
Meanwhile, Meta, the parent company of Facebook, has been slapped with a hefty fine of 7.4 billion won by the PIPC. This fine is related to the unauthorized collection and use of personal information for personalized online advertising.
The PIPC revealed that Meta had gathered personal information without obtaining proper user consent, and this violation took place before July 2018. The commission discovered that Meta secretly collected Facebook users' personal data through "Facebook Login," a feature that allows developers to integrate Facebook accounts with their applications or websites.
In September of the previous year, Meta had faced another fine of 30.8 billion won for failing to clearly inform users and obtain their consent when using their data for personalized advertisements.
Despite the seriousness of the offence, the PIPC has decided not to pursue a criminal complaint against Meta at this time. Instead, it granted the company a grace period to address the issues on its own and ensure compliance with data protection laws.