Netflix Fine - €4.7m - GDPR - AP (Dutch DPA) - Nov-24


QUICK FACTS

  • Fine Amount: €4,750,000

  • Date: 26 November 2024

  • Primary Violations: GDPR Breaches

    • Failure to provide clear and sufficient information to customers regarding the processing of their personal data, in breach of GDPR transparency requirements

Overview

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) has imposed a significant administrative fine of €4.75 million on Netflix International B.V. The penalty addresses violations of the General Data Protection Regulation (GDPR), specifically a lack of transparency.

The investigation concluded that Netflix failed to adequately inform its customers, both in its privacy statement and in its responses to individual access requests.

The core issues identified were insufficient clarity on the purposes and legal bases for processing, the recipients of personal data, data retention periods, and the safeguards for international data transfers.


Details of the Case

Netflix's Defense

  • Netflix contended that the GDPR's transparency obligations are "open norms", which allow for a degree of freedom in how information is presented.
  • Netflix argued its subscription service is a "straightforward" business model and not the kind of "complex, technical or unexpected data processing" that would require more detailed explanations under EDPB guidelines.
  • The company stated its privacy statement was designed primarily for its TV User Interface (TV UI), which has limited functionality, and that it used this format across all platforms for the sake of uniformity.
  • It claimed that it was not required to name specific third-party recipients of data, believing that naming categories of recipients was sufficient to meet its obligations.

 

The Regulator's Detailed Findings

The AP's findings centered on Netflix's failure to comply with the information and access-to-data obligations under Articles 13 and 15 of the GDPR. The regulator addressed Netflix's defenses and detailed its own conclusions:

  • The AP found that while Netflix listed the data it collects and the purposes for its use, it failed to transparently link specific data categories to their corresponding processing purposes. For instance, it did not make it clear what specific data it uses for its recommendation engine, for audience analysis, or for fraud prevention.
  • The AP rejected Netflix's argument that naming categories of recipients was sufficient. It asserted that because Netflix possessed the information and the number of recipients was limited, it should have explicitly named them in its privacy statement to provide meaningful information, particularly for online advertising services. The regulator noted that Netflix updated its policy with a link to a list of recipients on July 7, 2022.
  • Netflix's privacy policy vaguely stated that data is retained "as required or permitted by applicable laws and regulations". However, the AP noted that when requested, Netflix was able to provide a detailed table with specific retention periods. This demonstrated that Netflix had access to the specific information and should have made it available to users in its privacy statement and in response to access requests.
  • The investigation found that Netflix could process personal data in twelve countries outside the EU. However, its privacy statement failed to name these countries or to specify the appropriate safeguards (such as adequacy decisions) in place for those transfers, as the GDPR requires.

Fines and Penalties

Total Penalty: €4,750,000

The AP determined that the violations were the result of negligence rather than intent, taking into account in part the design constraints of the TV UI and Netflix's goal of uniformity across platforms.


Key quotes

  • "The Dutch Data Protection Authority (hereinafter: the AP) has decided to impose an administrative fine on Netflix International B.V. (hereinafter: Netflix) of € 4,750,000,- (...) because Netflix has insufficiently informed its customers; firstly in its privacy statement and secondly in response to access requests about 1) purposes and legal bases for the processing of personal data 2) recipients of personal data; 3) retention periods; and 4) international transfers."
  • "...the decoupling of personal data from the purposes for which this personal data is processed, has the consequence that the information provided is not in line with providing information in a concise, transparent, intelligible and easily accessible form and in clear and plain language (Article 12, first paragraph, GDPR)."
  • "Given this, the AP fails to see why Netflix did not list the names of recipients, which are also limited in number, in its privacy statement. The AP is of the opinion that Netflix should have done so and in case of an access request should have provided this information."

Sources: 

