The Dutch Data Protection Authority (DPA) has imposed a €4.75 million ($4.93 million) fine on Netflix for failing to provide adequate transparency regarding the use of personal data between 2018 and 2020. The fine comes after a 2019 investigation revealed that Netflix's privacy statement lacked clarity about how the company handles user data, including email addresses, phone numbers, payment details, and information about users' viewing habits.
The DPA found that Netflix did not adequately explain the purpose and legal basis for data collection or provide sufficient details about what data was shared with third parties, the data retention period, or security measures for transmitting data outside of Europe. Customers also faced difficulties obtaining information about the data Netflix held about them.
The complaint, initially filed by Austrian privacy group None of Your Business (noyb) in 2019, highlighted that Netflix had failed to give clear answers to users’ inquiries about their data. While Netflix has since updated its privacy statement, the company is contesting the fine.
Aleid Wolfsen, Chairman of the Dutch DPA, stated that large companies like Netflix must be transparent with their customers about data handling, especially when customers request such information. "That must be crystal clear," he emphasized.
This ruling follows similar privacy actions against other tech giants, with noyb having also filed complaints against companies like Amazon, Apple Music, and Spotify. Notably, Spotify was fined approximately €5 million by Sweden's Data Protection Authority in 2023.
This decision is part of broader enforcement actions under the EU's General Data Protection Regulation (GDPR), which continues to hold companies accountable for poor data privacy practices.