Streaming giant Netflix has been hit with a hefty fine by the Dutch Data Protection Authority (Dutch DPA) for failing to provide clear and sufficient information to customers about how their personal data is used.
The Dutch DPA launched an investigation in 2019 following complaints from the Austrian privacy NGO None of your business (noyb). The investigation revealed that between 2018 and 2020, Netflix fell short of GDPR requirements by failing to adequately inform users about its data practices.
“A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data,” stated Dutch DPA chairman Aleid Wolfsen. “That must be crystal clear. Especially if the customer asks about this. And that was not in order.”
Netflix collects a wide range of personal data, from basic contact information to viewing habits and preferences. However, the company was found to be lacking in transparency regarding several key areas:
- The purposes and legal basis for data collection and use.
- Data sharing practices with third parties.
- Data retention periods.
- Security measures for data transfers outside Europe.
“On several points, Netflix provided too little information to customers, or the information provided was unclear,” the Dutch DPA concluded.
Although Netflix has since updated its privacy statement and improved its information provision, the Dutch DPA imposed a fine of €4.75 million.
Netflix has objected to the fine, but the Dutch DPA, in coordination with other European data protection authorities, maintains that the penalty is justified.