Netflix fined $5 million by Dutch regulator for privacy violations

The Dutch Data Protection Authority (DPA) announced Wednesday that it has fined Netflix €4.75 million ($5 million) for failing to adequately inform customers about its handling of their personal data between 2018 and 2020. The fine stems from a 2019 complaint filed by the Austrian privacy nonprofit None of Your Business (Noyb).

The DPA concluded that Netflix violated the General Data Protection Regulation (GDPR) by providing insufficient details about collecting, using, and sharing customer data. The regulator criticized Netflix for not explaining the purposes and legal grounds for data collection, the types of data shared with third parties, the duration of data retention, and measures taken to secure data transfers outside Europe.

“A company like [Netflix], with a turnover of billions and millions of customers worldwide, has to explain how it handles their personal data properly,” said DPA chairman Aleid Wolfsen. “That must be crystal clear. Especially if the customer asks about this.”

The DPA highlighted Netflix’s failure to provide transparent information in its privacy policy and to adequately respond to customer inquiries regarding data usage, both of which contravene GDPR requirements.

Netflix collects data such as telephone numbers, email addresses, payment details, and viewing habits. According to the regulator, Netflix has since updated its privacy policy and enhanced transparency measures. Despite these changes, Netflix disputes the fine, the DPA said.

Noyb welcomed the fine but criticized the lengthy enforcement timeline. “While we’re pleased to see action being taken, it’s frustrating that it took five years for a decision in such a straightforward case,” said a Noyb representative.

Netflix has not issued a public response to the ruling, and a company spokesperson did not return requests for comment.