On December 18, 2024, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €4.75 million fine on Netflix for violation of the General Data Protection Regulation (GDPR), or more specifically, for failing to provide adequate information to its users regarding how their personal data was being used.

The Complaint and Investigation

The complaint, which concerns the period between 2018 and 2020, focuses on Netflix’s failure to clearly inform users about the collection, usage, and sharing of their personal data.

Following its investigation, the AP determined that Netflix’s privacy policy did not adequately disclose:

  • the purposes and legal basis for the processing of personal data;
  • safeguards when transferring personal data to third countries;
  • information about third parties that receive personal data from data subjects;
  • the retention period of personal data.

Although the streaming giant has since updated its privacy policy, the AP’s decision underscores the necessity for companies to provide crystal-clear communication regarding data practices.

The AP determined that Netflix failed to provide sufficiently specific information about each purpose and the legal basis for processing, and failed to clarify which personal data had been processed for which purposes and to which recipients it had been disclosed.

Furthermore, Netflix did not adequately explain the retention period for personal data or detail the safeguards in place for transferring personal data to third countries.

Data Collected by Netflix

Netflix collects a range of personal data from its users, including email addresses, phone numbers, payment details, and usage data such as viewing history.

AP’s Statement on Data Transparency

Aleid Wolfsen, the chairman of the AP, stated, “A company with a turnover of billions and millions of customers worldwide must explain properly to its customers how it handles their personal data. That must be crystal clear.”

This fine serves as a stark reminder to companies that neglecting data privacy obligations can result in significant penalties.

The Legal Process and Appeal

The complaint was brought by none of your business (NOYB) on behalf of individuals to the Austrian data protection authority, which chose to file the case in the Netherlands, where Netflix’s European headquarters are located.

According to EU privacy laws, companies that process data across multiple member states are subject to oversight by a single data protection authority in the country where they are based.

In response to the fine, Netflix has appealed the decision. However, this case highlights the critical need for organizations to ensure compliance with data protection laws, especially as regulatory scrutiny of data privacy practices continues to grow.

How Data Privacy Manager Can Help

As this case demonstrates, ensuring that your company is fully transparent with its data practices is not just a legal requirement but a critical component of maintaining customer trust.

Data Privacy Manager (DPM) offers robust tools to help businesses navigate the complexities of data privacy regulations, including GDPR compliance.

With DPM, you can ensure that your organization is always on top of data processing activities, with clear, detailed records and a system for managing customer consent.

By integrating DPM into your operations, you can protect your business from costly fines and safeguard your reputation by maintaining transparency and trust with your customers.
