Netflix Fined €4.75 Million by Dutch Authority for Data Privacy Breaches
The Hague, Monday, 6 January 2025.
The Dutch Data Protection Authority fined Netflix €4.75 million for inadequate transparency about data handling from 2018 to 2020, highlighting ongoing global scrutiny over privacy practices.
Investigation Details and Findings
The investigation, initiated in 2019 following complaints from the Austrian privacy foundation ‘noyb’, revealed significant transparency failures in Netflix’s data handling practices [1][2]. The streaming giant, which maintains its European headquarters in the Netherlands [1], failed to properly inform customers about several crucial aspects of data processing, including the purposes of data collection, retention periods, and safeguards for international data transfers [2][5].
Scope of Data Collection
Netflix’s data collection practices are extensive, encompassing email addresses, phone numbers, payment details, and viewing habits [5]. The Dutch DPA’s investigation found that when users requested information about their personal data, Netflix failed to provide adequate explanations about how this information was being used and shared with third parties [2][5]. This lack of transparency constitutes a violation of Article 15 of the General Data Protection Regulation (GDPR) [5].
Regulatory Response and Netflix’s Position
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the gravity of the situation, stating that ‘a company like this, with a turnover of billions and millions of customers worldwide, must explain to customers how it handles their personal data’ [1][5]. Netflix has contested the fine, arguing that GDPR has ‘open standards’ and that the Dutch DPA is applying an overly strict interpretation of obligations [1]. The fine will not be enforced until the appeal process is concluded [1].
Remedial Actions and Industry Impact
In response to the investigation, Netflix has updated its privacy statement to improve transparency around data usage [5]. This case follows a broader pattern of increased regulatory scrutiny in the Netherlands, as evidenced by the €290 million fine imposed on Uber in 2022 for similar data handling violations [1]. The Netflix investigation and subsequent fine were coordinated with other European privacy supervisors [1], demonstrating a unified approach to data protection enforcement across the EU.