Dutch regulator fines Netflix $5 million for data privacy violations
A Dutch privacy regulator on Wednesday fined Netflix €4.75 Million ($5 million) for not telling consumers enough about how the streaming service uses their data.
The fine stems from Netflix’s failure to give customers “sufficient” information about how it handled customer personal data from 2018 to 2020, the Dutch Data Protection Authority (DPA) said in a press release. The regulator also said the information Netflix did provide was unclear.
The decision comes in response to a complaint the Austrian privacy nonprofit None of Your Business (Noyb) filed with the DPA in 2019.
Netflix has since overhauled its privacy policy and enhanced the information it provides, the DPA said in a press release.
A spokesperson for Netflix did not respond to a request for comment.
Netflix gathers a wide range of personal data from customers, including telephone numbers, email addresses, payment data and what consumers watch on the streaming service and when they watch it, the DPA said.
In addition to not providing clear enough information in its privacy policy, Netflix also failed to provide consumers adequate information even when they asked for details about what data is collected. Both failures violate Europe’s tough data privacy law, the General Data Protection Regulation, DPA said.
“A company like [Netflix], with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data,” Dutch DPA chairman Aleid Wolfsen said in a statement. “That must be crystal clear. Especially if the customer asks about this.”
The DPA said the information Netflix was unclear about includes the purpose and legal basis for gathering and using personal data, which personal data it shared with other parties and why, how long it stores the information and how the company protects data when transferring it outside of Europe.
Netflix disagrees with the fine, the DPA said.
A Noyb official said that while the privacy organization is happy the DPA issued the fine, he questioned why it took five years for it to be issued in what he called a “very simple case.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.