Dutch DPA Fines Netflix €4.75 Million for GDPR Violations Over Data Transparency

December 19, 2024

The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020.

An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data it collects from its users. This includes email addresses, telephone numbers, payment details, as well as information about what customers watch on the platform.

"Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them," the DPA said, adding these constitute violations of the General Data Protection Regulation (GDPR).

Besides failing to clarify the purpose and legal basis for gathering the data, the company has also been accused of being unclear about what kinds of information are shared with third-parties and for what reasons, the data retention period, and the security guarantees when it comes to transmitting the information to countries outside of Europe.

Austrian privacy non-profit None of Your Business (noyb), which filed the complaint against Netflix in January 2019, said it's "happy" with the DPA's decision, while noting that it took almost five years to obtain it.

"Netflix didn't just fail to provide sufficient information about why it collects data and what it does with it," it said. "The company didn't even manage to provide a full copy of the complainant's data."

Although the company has since updated its privacy statement and improved the information it provides to users, it's objecting to the fine, the DPA added.

"A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data," Dutch DPA chairman Aleid Wolfsen said. "That must be crystal clear. Especially if the customer asks about this. And that was not in order."

Noyb has also filed similar complaints against Amazon, Apple Music, Spotify, and YouTube, with the case against Spotify resulting in the music streamer facing a fine of around €5 million from the Swedish Data Protection Authority (IMY) in June 2023.

The development comes as the Irish Data Protection Commission (DPC) imposed a monetary penalty of €251 million (around $263 million) on Meta for a 2018 data breach that impacted 3 million users in the European Union.