The violations occurred between 2018 and 2020, according to a statement released by the regulator.

An investigation launched in 2019 revealed that Netflix’s privacy processes fell short of the transparency requirements outlined in the General Data Protection Regulation (GDPR). 

The DPA found that Netflix’s privacy statement during the period in question did not clearly explain how customer data was being handled, why it was being collected, and who it was being shared with.

Again, when customers sought clarification about their personal data, Netflix’s responses were deemed insufficient. The DPA also noted that the platform did not provide adequate information on how long it retains user data and how it safeguards information transmitted outside the European Union.

Aleid Wolfsen, chairman of the Dutch DPA, stressed the importance of transparency in data handling, particularly for major companies. “A global company like Netflix must ensure it communicates clearly with its customers about how their data is managed. This is a fundamental right under GDPR, and Netflix failed to meet this standard,” Wolfsen stated.

The investigation was prompted by complaints filed by the Austrian privacy group None of Your Business (noyb). Since Netflix’s primary European base is in the Netherlands, the Dutch regulator took the lead in the inquiry, working in coordination with other European authorities.

Netflix has objected to the fine, asserting that it has made effective improvements to its privacy practices since the investigation began. A company spokesperson said, “We have cooperated with the Dutch DPA throughout this process and have proactively enhanced our privacy information to better serve our members.”

Aside from the current Netflix fine, other tech giants are also facing similar issues. Meta was recently fined €251 million by Irish regulators for a separate data breach involving Facebook users. 

The Dutch Data Protection Authority (DPA), which issued the fine, revealed that Uber had been transferring this data without implementing necessary safeguards, thereby breaching the General Data Protection Regulation (GDPR). 

Uber’s data transfer methods were brought under investigation following a complaint from French taxi drivers. The French data protection regulator, CNIL, cooperated closely with the Dutch DPA during the investigation, which ultimately revealed significant lapses in Uber’s handling of sensitive information. 

The DPA noted that Uber had not only transferred the data but failed to protect it adequately, a serious infringement of GDPR standards.

Although Uber has since ceased the cross-border data transfers in question, the company has asserted strong disagreement with the decision. Uber spokesperson Caspar Nixon described the fine as “extraordinary and unjustified,” stating that Uber’s practices were aligned with GDPR during what he described as a “period of immense uncertainty” between the EU and the U.S. regarding data protection agreements. 

Uber intends to challenge the ruling, confident that its appeal will succeed in overturning the fine.

The EU and U.S. are currently having issues over data protection standards, particularly concerning the transfer of personal data across borders. The EU’s GDPR, one of the world’s toughest data protection frameworks, requires companies to ensure that data transferred outside the EU is adequately protected, a standard the DPA concluded Uber had not met.