The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has fined Netflix €4.75 million for failing to adequately inform customers about the processing of their personal data between 2018 and 2020. The investigation, initiated in 2019 after complaints from the Austrian privacy group noyb (None of Your Business), revealed shortcomings in Netflix's privacy policies and responses to customer inquiries about their data.
Netflix's violations of the General Data Protection Regulation (GDPR) included insufficient and unclear communication regarding:
- The purposes and legal bases for processing personal data.
- Details of data sharing with third parties.
- The duration of data storage.
- Measures to secure data transferred outside the EU.
Additionally, Netflix did not fully comply with GDPR's Article 15, which guarantees users the right to access their data and obtain information about its processing. Customers who sought clarification received incomplete or unclear answers, leading to allegations of non-compliance.
AP Chair Aleid Wolfsen emphasized the significance of transparent data practices, stating, “A company with millions of customers and a global presence must be crystal clear about how it handles personal data, especially when users ask for clarity. This was not up to standard.”
The investigation was triggered by complaints filed by noyb, an Austrian privacy organization led by activist Max Schrems. In 2019, noyb lodged eight complaints against major streaming platforms, including Netflix, Spotify, and Amazon, for failing to comply with GDPR access rights.
Stefano Rossetti, a data protection lawyer with noyb, praised the Dutch DPA's decision but expressed frustration over the five-year delay. “This was a straightforward case, yet it took almost half a decade for a fine to be issued,” he said.
Under GDPR's “one-stop-shop” mechanism, companies that process data across multiple EU countries are regulated by the authority in the nation where their European headquarters are based. Since Netflix's EU operations are headquartered in the Netherlands, the Dutch DPA led the investigation, coordinating with other European regulators to ensure consistency.
Netflix's response
Netflix has since updated its privacy policies to align with GDPR requirements, enhancing the clarity and accessibility of information provided to users. However, the company has formally objected to the fine and may appeal.
The case remains unresolved, as noyb continues to await a related decision from the Austrian Data Protection Authority (DSB). Despite progress, Rossetti highlighted unresolved issues, such as Netflix's failure to provide complete data copies to complainants, which could have broader implications for the enforcement of GDPR access rights.
Meanwhile, users are urged to exercise their right under GDPR to access the data companies hold about them, read and understand privacy policies, and file complaints with national privacy regulators when firms fail to comply with transparency standards.