Why Netflix Was Fined €4.75M for Failing GDPR Transparency

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the Dutch DPA) has fined Netflix €4.75 million for not being transparent enough under the GDPR. The investigation found that between 2018 and 2020 Netflix didn’t give its users clear and understandable information on how their personal data was used, shared or stored.

This highlights the importance of transparency in data handling, a fundamental part of GDPR compliance. Any organisation, big or small, including global companies like Netflix, must ensure their privacy policies and data practices are clear, accurate and user-centric. The fine is a timely reminder that non-compliance not only means financial penalties but also damages consumer trust – an asset we can’t live without in the data age.

Key GDPR Issues Identified

But how did Netflix manage to rack up this fine? Netflix’s failure to comply with the GDPR came down to several specific transparency issues. The Dutch DPA notes that Netflix collected various personal data from customers, including email addresses, phone numbers, payment details and even information on what customers watched and when. However, the company failed to explain clearly how this data was used, shared or stored. Here’s a closer look:

Unclear Privacy Statement: Netflix’s privacy statement didn’t explain how user data was used, and the information given to consumers about what data was collected wasn’t transparent enough.

Not Transparent about Data Usage: Netflix didn’t properly inform customers of the purposes for which their data was collected, or of the legal basis on which it was processed.

Not Clear about Data Sharing: The streaming service didn’t clearly state which third parties received customer data, what information was shared with them, or for what reason.

Unclear Data Retention: Netflix didn’t clearly state how long they kept customer data or the criteria used to determine the retention period.

Not Enough Info on International Data Transfers: Netflix’s privacy notice didn’t provide enough information about data transfers outside the EU, including the measures in place to protect personal data.

Incomplete Answers to Data Subject Requests: When customers tried to exercise their right of access to their personal data under the GDPR, Netflix gave incomplete and unclear answers. In some cases it couldn’t even provide a full copy of the complainant’s data.

Overview of GDPR Breaches

More specifically, these breaches relate to key GDPR requirements that set the standard for handling personal data. The DPA pointed to the following articles:

  • Article 5: Netflix didn’t follow the principles of lawfulness, fairness and transparency (Article 5(1)(a)) and accountability (Article 5(2)) in how it processed data.
  • Article 83: This is the provision under which administrative fines are set, rather than a breach in itself. The DPA found the breaches serious enough to warrant a fine designed to ensure compliance and protect data subjects’ rights.

Background and Timeline of the Investigation

The investigation started in 2019 after a complaint from the Austrian privacy non-profit None of Your Business (noyb). The complaint was about Netflix not answering user access requests as required by Article 15 GDPR. noyb has also filed complaints against other tech companies such as Amazon, Apple Music, Spotify and YouTube; the complaint against Spotify resulted in a fine of around €5 million from the Swedish Data Protection Authority (IMY). The long time it took to reach a decision (almost five years) raises questions about the efficiency of the regulatory body and its enforcement mechanisms.

The fine against Netflix is a reminder that even big global companies have to be transparent about their data practices and respect user rights. The DPA said companies with large resources and global reach should set an example in data transparency. The DPA considered several factors when setting the fine: the gravity and impact of the breach, the efforts made to fix the issue, and Netflix’s global revenue. The fine was calculated against Netflix’s 2023 global revenue of €30.7 billion but sits far below the GDPR maximum of 4% of global annual turnover.

Netflix’s Response to the Fine

Netflix disagrees with the fine and says it complied with the GDPR. The company claims the Dutch DPA is applying a stricter interpretation of the GDPR than the law requires. Netflix also points out that its privacy statement invited customers to contact the company with any questions about their personal data, and that it has updated the privacy statement and provided more information to users since the period covered by the complaint.

The Dutch DPA’s Statement

Aleid Wolfsen, chairman of the Dutch DPA, explained the importance of transparency for a global company like Netflix. “A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data. That must be crystal clear, especially if the customer asks about this. And that was not in order.”

A statement like this shows how important it is to be clear and upfront to meet GDPR rules and keep customers’ trust.

Broader Lessons for GDPR Compliance

This case shows that we need stronger enforcement and faster resolution of GDPR cases. It shows that companies need to be more transparent and user-centric in their data handling. And clarity is non-negotiable when it comes to data privacy.

Other companies have also received large fines for GDPR breaches. In another case the Dutch DPA fined Uber €290 million for transferring drivers’ personal data to the US without adequate safeguards. The Irish Data Protection Commission fined Meta Platforms €1.2 billion (about $1.3 billion) for transferring European Facebook users’ data to the US without adequate protection against US surveillance.

Don’t be lazy, Netflix. Transparency is not just a rule. It’s a foundation of digital trust.