Netflix in own privacy cliffhanger: EUR 4.75 million fine from Dutch GDPR Watchdog
Netflix, the global streaming giant, has been fined €4.75 million by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) for failing to provide customers with adequate information about how their personal data was being processed. Between 2018 and 2020, Netflix's privacy practices were found wanting in several critical areas, highlighting key lessons for companies navigating GDPR compliance. In this blog, we dissect the AP’s decision and offer insights on how companies can avoid similar pitfalls.
The Case Against Netflix
At the heart of the AP’s investigation was Netflix’s failure to comply with the GDPR’s transparency requirements. Specifically, the AP identified deficiencies in four key areas:
- Purposes and legal basis for data processing: Netflix did not adequately clarify why and on what legal grounds it processed customer data.
- Data sharing with third parties: The streaming platform failed to specify which parties received customer data and the reasons for such sharing.
- Retention periods: Netflix did not communicate how long it retained customer data or the criteria used to determine retention periods.
- International data transfers: The company’s privacy notice lacked sufficient detail about data transfers outside the EU, including safeguards to protect personal data.
Additionally, when customers exercised their right to access their data under GDPR, Netflix provided incomplete and ambiguous responses, further compounding the violations.
Key Legal Findings
The AP’s enforcement decision hinges on Netflix’s breach of several GDPR provisions, specifically:
- Articles 12, 13, and 15 GDPR: Netflix failed to provide information in a concise, transparent, and accessible format, and inadequately responded to data subject requests.
- Article 5 GDPR: The company did not comply with the principles of fairness, transparency, and accountability in its data processing practices.
- Article 83 GDPR: These violations directly impacted fundamental data rights, warranting a fine designed to be effective, proportionate, and dissuasive.
The AP emphasized that Netflix, as a global company with significant resources and millions of customers, should have been able to maintain higher standards of transparency and accountability.
Determining the Fine
The AP considered several factors when determining the fine, in line with the European Data Protection Board’s Guidelines¹:
- Severity of the breach: While Netflix provided some information about its data processing activities, the lack of specificity significantly hindered customers’ ability to exercise their rights.
- Scope of the breach: With millions of EU customers, the potential impact of these shortcomings was vast.
- Efforts to remediate: Netflix did take steps to improve its privacy practices after the investigation began, including updating its privacy notice and enhancing its responses to data requests.
- Global revenue: The fine was set with reference to Netflix’s 2023 global revenue of €30.7 billion and remains well below the GDPR’s maximum penalty of 4% of global annual turnover.
Ultimately, the €4.75 million fine reflects the AP’s assessment of the seriousness of the violations, while taking into account Netflix’s corrective actions.
Lessons for Businesses
The Netflix case offers several important takeaways for companies handling personal data under the GDPR:
- Clarity is non-negotiable: Privacy notices must explicitly state the purposes, legal bases, retention periods, and recipients of personal data. Ambiguity invites scrutiny.
- Respond to data subject requests: Ensure that responses to access requests are complete and user-friendly. Missing or vague information can result in regulatory action.
- International transfers: If transferring data outside the EU, detail the countries involved, the safeguards in place, and how data subjects can access further information.
Failing to meet these obligations not only exposes companies to fines but also risks eroding customer trust and damaging brand reputation. AP Chairman Aleid Wolfsen stated:
“Companies with a global reach and significant resources must lead by example in ensuring data transparency. Customers deserve to know precisely how their personal information is handled—especially when they ask for it.”
Conclusion
Netflix’s GDPR fine is a stark reminder that even market leaders cannot afford to be complacent about privacy compliance. Transparency is not just a legal obligation but a cornerstone of building trust in a digital economy. Prioritize clear communication about data practices and ensure robust systems for handling customer inquiries about their personal data.
The AP’s decision in ordering a fine can be found here (in Dutch). Netflix has appealed this decision.