The Dutch Data Protection Authority (DPA) has penalised streaming platform Netflix with a €4.75 million fine for failing to adequately inform its users about how their personal data was being used.
The violations occurred between 2018 and 2020, according to a statement released by the regulator.
An investigation launched in 2019 revealed that Netflix’s privacy processes fell short of the transparency requirements outlined in the General Data Protection Regulation (GDPR).
The DPA found that Netflix’s privacy statement during the period in question did not clearly explain how customer data was being handled, why it was being collected, and who it was being shared with.
Again, when customers sought clarification about their personal data, Netflix’s responses were deemed insufficient. The DPA also noted that the platform did not provide adequate information on how long it retains user data and how it safeguards information transmitted outside the European Union.
Aleid Wolfsen, chairman of the Dutch DPA, stressed the importance of transparency in data handling, particularly for major companies. “A global company like Netflix must ensure it communicates clearly with its customers about how their data is managed. This is a fundamental right under GDPR, and Netflix failed to meet this standard,” Wolfsen stated.
The investigation was prompted by complaints filed by the Austrian privacy group None of Your Business (noyb). Since Netflix’s primary European base is in the Netherlands, the Dutch regulator took the lead in the inquiry, working in coordination with other European authorities.
Netflix has objected to the fine, asserting that it has made effective improvements to its privacy practices since the investigation began. A company spokesperson said, “We have cooperated with the Dutch DPA throughout this process and have proactively enhanced our privacy information to better serve our members.”
Aside from the current Netflix fine, other tech giants are also facing similar issues. Meta was recently fined €251 million by Irish regulators for a separate data breach involving Facebook users.
