Netflix Fined €4.75 Million for Insufficient Transparency
The Dutch Data Protection Authority (DPA) has imposed a fine of €4.75 million on Netflix for failing to adequately inform customers about the handling of their personal data between 2018 and 2020. An investigation initiated by the DPA revealed that Netflix’s privacy statement was unclear, and customers did not receive sufficient details when inquiring about the data collected about them. These shortcomings constitute violations of the General Data Protection Regulation (GDPR), which mandates transparency in data handling.
Netflix collects various types of personal data, including email addresses, phone numbers, payment details, and viewing habits. The DPA’s findings indicate that Netflix did not clearly communicate the purposes and legal basis for collecting and using this data. Additionally, the company failed to specify which personal data is shared with third parties, the reasons for such sharing, the duration of data retention, and the measures taken to keep the data secure when it is transferred outside Europe.
The investigation was prompted by complaints from None of Your Business (noyb), an Austrian privacy organization focused on protecting personal data. These complaints were initially submitted to the Austrian data protection authority and subsequently referred to the Dutch DPA, as Netflix’s main European establishment is located in the Netherlands. The DPA coordinated the investigation and the fine with other European data protection authorities.
In response to the findings, Netflix has updated its privacy statement and improved its information provision to customers. Despite these changes, the company has formally objected to the fine imposed by the Dutch DPA, indicating a potential dispute regarding the regulatory action taken against it.