-1734538667662-551960954.png&w=1920&q=75)
- The Dutch Data Protection Authority has fined Netflix €4.75 million for failing to comply with GDPR between 2018 and 2020
- Its privacy statement lacked clarity on data collection purposes, third-party sharing, and data retention practices
- The Nigerian Data Protection Bureau is urged to monitor multinationals' handling of Nigerian users’ data under local laws
Streaming giant Netflix has been fined €4.75 million by the Dutch Data Protection Authority (Dutch DPA) for not providing adequate and clear information about its data handling practices between 2018 and 2020.
The penalty follows an investigation that revealed significant violations of the General Data Protection Regulation (GDPR).
While Netflix has since revised its privacy statement to enhance transparency, the Dutch DPA noted that crucial lapses occurred during the investigation.
The investigation, initiated in 2019, uncovered shortcomings in Netflix’s data protection practices. The Dutch DPA found that:
- Insufficient information: Netflix’s privacy statement failed to clearly explain why and on what legal grounds it collected and processed users' data.
- Third-Party data sharing: The company did not adequately disclose which personal data were shared with third parties or the reasons behind such sharing.
- Data retention practices: Users were not informed about how long Netflix retained their data.
- International data transfers: Netflix provided vague details about how it safeguarded personal data transmitted outside the European Union.
- Poor data access responses: When users requested information about their collected data, Netflix’s responses lacked clarity and detail.
“For this reason, the Dutch Data Protection Authority is imposing a fine of 4.75 million euros on the streaming service,” the regulator said in its statement on Wednesday, December 18.
Aleid Wolfsen, Chairman of the Dutch DPA, emphasised the critical role of transparency in protecting user rights, especially for a global platform like Netflix.
“A company like Netflix must explain properly to its customers how it handles their personal data. That must be crystal clear, especially if a customer asks about it. And that was not in order,” Wolfsen stated.
Complaint origins, GDPR oversight
The investigation stemmed from complaints filed by None of Your Business (noyb), an Austrian privacy advocacy group.
The complaints were initially submitted to Austria's Data Protection Authority but were transferred to the Dutch DPA because Netflix’s main European base is in the Netherlands.
Under GDPR regulations, multinational companies operating in multiple EU states are overseen by the data protection authority in their primary European jurisdiction. The Dutch DPA led the investigation and coordinated the fine with other EU regulators.
This sanction underscores the growing enforcement of GDPR rules and the critical importance of transparency in handling personal data.
The Dutch DPA’s decision comes amid heightened scrutiny of tech giants over privacy violations.
Just this week, social media company Meta was fined €251 million by the Irish Data Protection Commission (DPC) for a 2018 data breach that exposed the personal details of 29 million Facebook users globally.
With increasing enforcement in Europe, the Nigerian Data Protection Bureau is also urged to closely examine how multinational companies handle Nigerian users' data under the Nigeria Data Protection Act.
“Companies must understand that compliance with data protection laws is not optional but a legal and ethical responsibility,” Wolfsen concluded.
WhatsApp could stop working in Nigeria following $220 million fine by government
Meanwhile, TheRadar earlier reported that the Federal Competition and Consumer Protection Commission (FCCPC) had fined WhatsApp $220 million for a data privacy breach.
As a result, the messaging app may halt its operations in the country due to additional regulatory requirements.