The Dutch regulator AP is fining Netflix 4.75 million euros, one of the highest GDPR fines the country has ever imposed.
The fine was imposed because Netflix did not adequately inform users about what happened to their personal data from 2018 to 2020. The privacy statement did not clearly describe how the company processed data such as email addresses, phone numbers, payment information, and viewing habits. In addition, customers who wanted to know what data Netflix had collected about them were not given sufficient insight into this information.
Violations
In 2019, the AP launched an investigation into Netflix’s practices. The regulator now concludes that there were multiple violations of the GDPR. It was unclear for what purposes Netflix collected and used personal data, and on what legal basis it did so. The company did not explain what data was shared with other parties and why, and it remained unclear how long this data was kept. Moreover, there was no information on how Netflix guarantees the security of personal data when it is transferred to countries outside Europe.
According to AP chairman Aleid Wolfsen, it is unacceptable that a large international company with billion-dollar revenue and millions of customers worldwide does not communicate clearly about the use of personal data. “That should be crystal clear, especially if the customer asks about it. And that was not in order.”
The AP says that Netflix has since updated its privacy statement and improved its disclosure. However, the company has objected to the fine, and the regulator is considering that objection. Should Netflix disagree with the outcome, the matter may be taken to court.
If the fine of 4.75 million euros stands, Netflix bumps the 2022 fine from the Ministry of Finance down one position in the list of highest Dutch GDPR fines. The infamous €3.7 million fine to the tax authorities was imposed for maintaining a blacklist of personal data of potential fraudsters. Incidentally, Uber also received a much higher fine in 2024 for GDPR violations. The cab company was fined 290 million euros for transferring the personal data of European cab drivers to the United States.