South Korea’s information watchdog on Wednesday fined Facebook Inc. 6.7 billion won ($6 million) for passing information of at least 3.3 million South Koreans to other companies in its first crackdown on the U.S. tech giant.

The Personal Information Protection Commission (PIPC) said Facebook violated the country’s personal information law by providing personal information of at least 3.3 million of the country’s total 18 million local users from May 2012 to June 2018 to other companies without their consent.

It marked the commission’s first punishment against Facebook since it was launched in August this year.
The commission said that when users logged into other company’s services using their Facebook accounts, the personal information of their Facebook friends was also shared with such service providers without consent.
The personal information shared with other companies included users’ names, addresses, dates of birth, work experience, hometowns, and relationship statuses.

The watchdog said the exact amount of the shared information is unclear as Facebook did not provide relevant documentation.
Considering the information could be provided to at most 10,000 other companies, the watchdog said a considerable amount of personal information could have been shared.

The commission said it would refer Facebook Ireland Ltd. — which was in charge of Facebook operations in South Korea from May 2012 to June 2018 — to the prosecution for a criminal investigation.
Facebook Ireland’s director in charge of user privacy could face up to five years in prison, or a maximum of 50 million won in fines if convicted of violating South Korea’s relevant personal information law.