From the Dutch Data Protection Authority:
Netflix did not give customers sufficient information about what the company does with their personal data between 2018 and 2020. And the information that Netflix did give was unclear on some points. For this reason, the Dutch Data Protection Authority (Dutch DPA) is imposing a fine of 4.75 million euros (pdf) on the streaming service. Netflix has since updated its privacy statement and improved its information provision.
Netflix collects various types of personal data of customers, ranging from email addresses, telephone numbers and payment details to data about what customers watch on the platform, and when exactly.
An investigation started by the Dutch DPA in 2019 shows that Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with those data. Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them. These are violations of the General Data Protection Regulation (GDPR).
‘Must be crystal clear’
‘A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data,’ Dutch DPA chairman Aleid Wolfsen says. ‘That must be crystal clear. Especially if the customer asks about this. And that was not in order.’
Too little and unclear
On several points, Netflix provided too little information to customers, or the information provided was unclear. The company was not clear enough about:
- the purposes of and the legal basis for collecting and using personal data;
- which personal data are shared by Netflix with other parties, and why precisely this is done;
- how long Netflix retains the data;
- how Netflix ensures that personal data remain safe when the company transmits them to countries outside Europe.
Complaints from an Austrian privacy foundation
The Dutch DPA started this investigation following complaints from None of your business (noyb), an Austrian NGO that is committed to privacy. Those complaints were submitted to the Austrian data protection authority and forwarded to the Dutch DPA, because Netflix has its main European establishment in the Netherlands.
Under the GDPR, companies that process data in several EU Member States have to deal with only one data protection authority: the authority in the country in which the company has its main establishment. The Dutch DPA has coordinated the investigation and the amount of the fine with other European data protection authorities.
Netflix objected to the fine.