The Dutch Data Protection Authority (DPA) fined Netflix โฌ4.75 million ($5 million) for failing to provide sufficient information to its customers about their personal data usage between 2018 and 2020.
The DPA started its investigation against Netflix in 2019 following complaints from None of your business (noyb), an Austrian NGO committed to privacy.
The Dutch watchdog found that the streaming service did not inform customers clearly enough in its privacy statement about what exactly it does with their data.
Moreover, customers were not adequately informed when they inquired about the data Netflix collects about them, constituting violations of the General Data Protection Regulation (GDPR).
Apparently, Netflix gathers extensive personal information from its users, including contact details like email addresses and phone numbers, payment information, and detailed records of viewing behavior, such as what content is watched and the precise timing of their activity on the platform.
According to the DPA, the popular video streaming service failed to provide clear and adequate information to customers on several key aspects, including:
- The purposes of and the legal grounds for collecting and using personal data;
- Information about which personal data are shared with third parties and the specific reasons for doing so;
- The duration for which Netflix retains the personal data;
- What measures does Netflix take to ensure the security of personal data when transferring it to countries outside Europe.
โA company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data. That must be crystal clear. Especially if the customer asks about this. And that was not in order,โ Aleid Wolfsen, Chairman of the Dutch DPA, said.
Reacting to DPAโs decision, Stefano Rossetti, data protection lawyer atย noyb said:ย โWe are happy with the DPAโs decision to issue a fine against Netflix. However, it took almost five years to obtain it, and in a very simple case.”ย
On the other hand, Netflix reacted to the fine by saying that over the past five years, it has actively collaborated with the Dutch DPA during the investigation and has already proactively updated its privacy statement to ensure transparency and improve its information provision.
“Since the investigation began over five years ago, we have worked closely with the Dutch Data Protection Authority and continuously evolved our privacy information to provide greater clarity for our members,” a spokesperson for Netflix stated.
Meanwhile, Netflix has objected to the fine but hasnโt yet appealed the decision as a whole.