The Dutch Data Protection Authority (DPA) has fined Netflix for breaches of privacy regulations. From 2018 to 2020, the streaming platform failed to adequately inform its users regarding the handling of their personal data, and the information provided was ambiguous in various aspects. Consequently, on 26 November 2024, the Dutch DPA levied a fine of 4.75 million euros against Netflix.
Netflix gathers a range of personal information from its users, including email addresses, phone numbers, payment information, and details regarding viewing habits, including the timing of such activities. However, for several years, it failed to adequately inform its customers regarding the use of their personal data, and the information provided lacked clarity in certain areas. These omissions constitute violations of the General Data Protection Regulation (GDPR).
On multiple occasions, Netflix offered insufficient information to its customers, or the information given was ambiguous. The company failed to adequately clarify (i) the objectives and legal grounds for the collection and utilisation of personal data; (ii) the specific personal data that Netflix shares with third parties, along with the rationale for such sharing; (iii) the duration for which Netflix retains this data; and (iv) the measures taken by Netflix to ensure the security of personal data when it is transmitted to countries beyond Europe.
The Dutch Data Protection Authority initiated this investigation in response to complaints lodged by None of Your Business (NOYB), an Austrian non-governmental organisation dedicated to privacy advocacy. These complaints were initially directed to the Austrian Data Protection Authority and subsequently referred to the Dutch DPA, as Netflix’s primary European operations are based in The Netherlands.
According to the GDPR, organisations that handle data across multiple EU Member States are required to engage with a single data protection authority, specifically the one located in the country of the company’s main EU establishment. The Dutch DPA has collaborated with other European data protection authorities to coordinate the investigation and determine the amount of the fine.
