The Dutch Data Protection Authority (DPA) has imposed a €4.75 million ($4.93 million) fine on Netflix for failing to provide consumers with adequate information about its data practices between 2018 and 2020, marking a significant GDPR enforcement action.
Investigation Findings
The DPA launched an inquiry into Netflix’s privacy practices in 2019, concluding that the streaming giant failed to clearly disclose, through its privacy statement, the specifics of its data collection activities. The data concerned included sensitive information such as email addresses, telephone numbers, payment details, and viewing histories.
“Additionally, customers were not sufficiently informed when requesting a breakdown of the data Netflix had collected about them,” stated the DPA. These shortcomings constitute direct violations of the General Data Protection Regulation (GDPR).
Key Violations Identified
Netflix’s infractions included:
- Lack of transparency: Insufficient explanation of the purpose and legal basis for data collection.
- Third-party disclosures: Failure to specify what data was shared with external entities and for what purposes.
- Data retention details: No clear timeline for how long data would be stored.
- Cross-border security: Ambiguity around safeguards for transferring user data outside of Europe.
Reaction from Privacy Advocates
Austrian privacy organization None of Your Business (noyb), which initially filed the complaint in January 2019, welcomed the decision while criticizing the lengthy process.
“Netflix not only failed to provide sufficient information about its data practices,” said noyb, “but it also couldn’t deliver a complete copy of the complainant’s personal data.”
Netflix’s Response and Ongoing Challenges
Although Netflix has since updated its privacy statement and improved user-facing data disclosures, the company is contesting the penalty. The DPA emphasized the heightened responsibility of large-scale businesses to ensure transparency.
“A company of this magnitude, with billions in revenue and a global user base, must clearly explain how it processes personal data,” stressed Aleid Wolfsen, chairman of the Dutch DPA. “This is especially critical when users request clarity. Netflix fell short on this obligation.”
Broader Implications
This case follows similar GDPR enforcement actions, including:
- Spotify: The Swedish Data Protection Authority fined the music streaming service approximately €5 million in June 2023 following a related noyb complaint.
- Meta: The Irish Data Protection Commission levied a staggering €251 million ($263 million) fine against Meta in 2023 for a data breach affecting 3 million EU users.
Noyb has also filed complaints against Amazon, Apple Music, and YouTube, underscoring ongoing scrutiny of how major tech companies handle user data under the GDPR.
This latest development serves as a reminder of the regulatory emphasis on transparency and accountability in data practices, reinforcing the importance of compliance for enterprises operating within the EU.