Netflix has been hit with a €4.75 million fine by the Dutch Data Protection Authority (DPA) for breaking the European Union’s GDPR privacy rules.
The DPA said on December 18 that, between 2018 and 2020, the streaming giant failed to provide clear and sufficient information to customers about how their personal data was handled, a fundamental requirement under EU law.
The DPA found Netflix guilty of multiple transparency failures, including what it termed “vague” explanations about why personal data was collected and shared, unclear retention policies and inadequate safeguards for data transferred outside Europe.
The platform gathers a wide range of user information, including phone numbers, email addresses, payment details and viewing habits.
DPA chairman Aleid Wolfsen stated: “A company of this magnitude, with billions in revenue and a massive global user base, must make it abundantly clear to customers how their personal data is being used. And they failed to do so.”
The ruling stems from a complaint filed in 2019 by the European Centre for Digital Rights (Noyb).
The privacy watchdog argued that Netflix breached Article 15 of the GDPR, which compels companies to grant users full access to their personal data along with information about its processing, storage and transfer.
Stefano Rossetti, a lawyer for Noyb, welcomed the fine but criticised how long the decision took. “We’re pleased the DPA issued a fine against Netflix but it took nearly five years to resolve what was, frankly, a straightforward case,” he said.
He also hinted that the matter was not closed, stating: “We’re currently reviewing the ruling to ensure all points of our original complaint have been addressed.”
The DPA has noted that Netflix updated its privacy policy in 2020 — after the rule breaches had taken place.
Netflix has reportedly objected to the penalty.