The Dutch Data Protection Authority (AP) has imposed a 4.75 million euro fine (US$4.95 million) for failing to properly inform customers between the years 2018 and 2020 about what their company does with their personal data. Netflix has appealed against the fine, which will not be collected by the AP until the decision is irrevocable.

The streaming company collects various types of information from its customers, including email addresses, phone numbers and payment details, as well as what customers watch and when.

The investigation, launched by the AP in 2019, “shows that Netflix did not inform customers clearly enough in the company’s privacy statement about what exactly Netflix does with that data,” according to the regulator. Furthermore, customers were given “too little information” when they asked the tech giant what data the company collects about them, which breaches the European Union General Data Protection Regulation (GDPR).

“A company like this, with a turnover of billions and millions of customers worldwide, must explain to customers how it handles their personal data,” highlights AP chairman Aleid Wolfsen.

“That must be crystal clear. Especially when the customer asks for it. And that was not in order,” he continues.

A strict interpretation of the personal data rules?

The AP concludes that Netflix “has not fulfilled its information obligation,” as the platform doesn’t provide sufficient information regarding the purposes and basis of the processing of personal data and of the parties that receive personal data from data subjects. Furthermore, not informing customers about the retention period of said data and the safeguards when transferring it to third countries.

Moreover, Netflix did not comply with the information requests of the AP, did not provide information on the purposes and processing of personal data, did not inform of the retention period of the data and gave “insufficient information” on its safeguard and transfer to third countries.

Netflix argues that the GDPR contains “open standards,” and the AP “seems to apply a stricter interpretation of those obligations”. According to the streaming company, “a controller has a certain degree of freedom to convey the processing of personal data and the information to be provided for that purpose at an appropriate level of transparency.”

Nevertheless, Netflix’s fine for breaching the GDPR pales compared to the one given to Uber in 2022, when the ride-hailing platform was fined 290 million euros (US$324 million) for sending the personal data of European taxi drivers to the United States.

Dutch Netflix, Austria’s business

The Dutch AP initiated the investigation after complaints from the Austrian foundation None of your business (noyb) filed to the Austrian privacy watchdog, who later forwarded the grievances to the AP. This was done because Netflix’s European headquarters are located in the Netherlands.

The EU GDPR rules stipulate that there should only be one privacy supervisor to deal with the company. However, the AP coordinated the investigation and the amount of the fine with other European privacy supervisors, according to the AP itself.

You can request to know what personal information Netflix holds about you and ask for a copy here.