The Dutch Data Protection Authority (the “Dutch DPA”) issued a €4.75 million (approximately $5 million USD) fine on Netflix in connection with a data access investigation that started in 2019.  The investigation arose out of a complaint was filed by nonprofit privacy and digital rights organization, noyb, which is run by European privacy campaigner Max Schrems.

In a press release dated December 18, 2024, the Dutch DPA stated that Netflix “did not give customers sufficient information about what the company does with their personal data between 2018 and 2020.”  In particular, the Dutch DPA alleged Netflix’s privacy notice was not clear about the following:

  • the purposes of and the legal basis for collecting and using personal data;
  • which personal data are shared by Netflix with other parties, and why precisely this is done;
  • how long Netflix retains the data; and
  • how Netflix ensures that personal data remain safe when the company transmits them to countries outside Europe.

Furthermore, the Dutch DPA stated that customers did not receive sufficient information when they asked Netflix what data the company collects about them.  According to the Dutch DPA, Netflix has since updated its privacy statement to improve to the relevant disclosures.

Netflix has objected to the fine.