The Dutch Data Protection Authority (Dutch DPA) has fined streaming giant Netflix €4.75 million for failing to provide customers with adequate and clear information about its handling of personal data between 2018 and 2020.
The fine comes after an investigation revealed violations of the General Data Protection Regulation (GDPR).
While Netflix has since updated its privacy statement and improved its data transparency, the Dutch DPA determined that significant lapses occurred during the investigation period.
Key Findings of the Investigation
Netflix collects a wide range of personal data from its users, including email addresses, phone numbers, payment details, and viewing habits.
However, the Dutch DPA said the investigation, initiated in 2019, found that:
- Netflix’s privacy statement failed to adequately inform customers about the purposes and legal basis for collecting and processing their data.
- The company did not clearly explain which personal data were shared with third parties and the reasons for such sharing.
- Netflix provided inadequate information about how long it retains users’ personal data.
- The platform did not clearly articulate how it safeguards personal data when transmitting it to countries outside the European Union.
In addition, when customers requested details about the data collected on them, Netflix’s responses were found lacking in clarity and detail.
“For this reason, the Dutch Data Protection Authority (Dutch DPA) is imposing a fine of 4.75 million euros on the streaming service,” the data protection watchdog said in a statement issued on Wednesday.
Dutch DPA Chairman Aleid Wolfsen emphasized the importance of transparency, especially for a global company like Netflix with billions in revenue and millions of users.
“A company like Netflix must explain properly to its customers how it handles their personal data. That must be crystal clear—especially if a customer asks about it. And that was not in order,” Wolfsen stated.
Origin of Complaints
The investigation was triggered by complaints filed by None of Your Business (noyb), an Austrian privacy advocacy group.
- These complaints were initially lodged with the Austrian Data Protection Authority but were forwarded to the Dutch DPA, as Netflix’s main European establishment is based in the Netherlands.
- Under GDPR rules, companies operating across multiple EU member states are overseen by the data protection authority in the country of their primary European base.
- The Dutch DPA coordinated the investigation and fine with other European regulators.
What you should know
The sanction highlights the increasing scrutiny under GDPR regulations and the importance of transparency for companies handling personal data.
- On Tuesday, social media giant Meta was also hit with a €251 million fine in Europe over a 2018 personal data breach that impacted 29 million Facebook users globally.
- In Meta’s case, the fine came from the Irish Data Protection Commission (DPC), which pointed out that the breach arose from the exploitation by unauthorized third parties of user tokens on the Facebook platform.
The increasing data protection enforcement happening in Europe is also signaling to the Nigerian data protection agency the need to pay closer attention to the way these multinationals are handling Nigerians’ data and take appropriate measures under the Nigeria Data Protection Act.