Netflix fined €4.75 million for data transparency failures between 2018 and 2020
Dutch Data Protection Authority penalizes Netflix for inadequate personal data disclosures, following a five-year investigation.
The Dutch Data Protection Authority (DPA) has imposed a €4.75 million fine on Netflix International B.V. for failing to provide adequate transparency about its personal data processing practices between 2018 and 2020. The decision, announced on December 18, 2024, comes after an extensive investigation initiated by privacy complaints filed in 2019.
The investigation revealed systematic deficiencies in how Netflix met its transparency obligations under the General Data Protection Regulation (GDPR). The streaming giant, which processes extensive personal data ranging from viewing habits to payment details, failed to properly inform its customers about critical aspects of data handling.
According to the Dutch DPA Chairman Aleid Wolfsen, "A company like that, with a turnover of billions and millions of customers worldwide, has to explain properly to its customers how it handles their personal data. That must be crystal clear."
The investigation identified multiple violations of GDPR requirements. Netflix failed to provide clear information about the purposes and legal basis for collecting and using personal data. The company also inadequately disclosed which personal data it shared with third parties and the specific reasons for such sharing. Additionally, Netflix's data retention periods remained unclear, as did its safeguards for transferring personal data outside Europe.
The case originated from complaints filed by noyb (None of Your Business), an Austrian privacy advocacy organization, in January 2019. The complaints were initially submitted to the Austrian data protection authority but were forwarded to the Dutch DPA since Netflix's main European establishment is in the Netherlands.
Stefano Rosset, a data protection lawyer at noyb, expressed satisfaction with the decision while noting the lengthy process: "We are happy with the DPA's decision to issue a fine against Netflix. However, it took almost five years to obtain it, and in a very simple case."
The investigation's findings highlight broader issues in Netflix's data handling practices. The streaming service's privacy statements and responses to user data access requests lacked sufficient detail and clarity. This inadequacy prevented users from fully understanding how their personal information was being processed and shared.
Under the GDPR, companies must provide comprehensive information about their data processing activities, particularly when individuals explicitly request such details. The Dutch DPA's investigation found that Netflix's responses to these requests often directed users to general privacy policies rather than providing specific, detailed information about individual data processing.
The fine represents a significant enforcement action in the context of GDPR compliance. With Netflix's reported annual revenue of approximately €10.4 billion, the maximum potential fine could have reached €415 million under GDPR provisions allowing penalties of up to 4% of global annual revenue.
Netflix has already filed an objection to the fine, though it has not yet appealed the decision as a whole. The company has since updated its privacy statement and improved its information provision practices.
The case underscores the increasing focus on data protection compliance among major technology companies and the growing enforcement of the GDPR across Europe. It also demonstrates the effectiveness of cross-border cooperation between European data protection authorities, as prescribed by the GDPR's one-stop-shop mechanism for companies operating across multiple EU member states.
Furthermore, the case sets an important precedent for how streaming services and other digital platforms must handle transparency regarding their data processing activities. The decision emphasizes that companies must provide clear, specific information about data handling practices, particularly when users explicitly request such details.
The Dutch DPA coordinated its investigation and fine determination with other European data protection authorities, highlighting the collaborative nature of GDPR enforcement for companies operating across multiple EU jurisdictions.