Data Privacy Fine on Netflix - Lessons to be Learnt

December 19, 2024
Analysis of Dutch DPA’s Fine on Netflix for GDPR Violations: Issues, Lessons, and Conclusion

The Dutch Data Protection Authority (DPA) imposed a €4,750,000 fine on Netflix for violating the General Data Protection Regulation (GDPR).

The violations were linked to Articles 5(1)(a), 12(1), 13(1)(c), 13(1)(e), 13(1)(f), 13(2)(a), 15(1)(a), 15(1)(c), and 15(1)(d).

The primary issues were deficiencies in Netflix’s privacy statement and inadequate responses to data access requests.

1. Specific Violations Identified

The violations stem from the following failures:

A. Privacy Statement Deficiencies:

  • Lack of clarity on the purposes and legal bases for processing personal data.
  • Failure to specify the recipients or categories of recipients of personal data.
  • Omission of specific retention periods for personal data.
  • Inadequate information about international data transfers, including safeguards and rights.

B. Inadequate Responses to Access Requests:

  • Insufficient information on the purposes of processing and the legal basis for each purpose.
  • Lack of clarity about the recipients of personal data.
  • Failure to specify retention periods or the criteria used to determine them.

2. Issues Highlighted

  • Transparency Obligation: Netflix did not present information in a concise, transparent, intelligible, and easily accessible form.
  • Right to Access: The incomplete information provided to data subjects hindered their ability to exercise rights under GDPR.
  • International Transfers: Failure to clarify safeguards and rights related to third-country transfers.

3. Methodology for Fine Calculation

The Dutch DPA followed the European Data Protection Board’s (EDPB) Guidelines 04/2022 on administrative fines:

  • Nature and Gravity: The large user base amplified the scope of violations, though no special categories of data were involved.
  • Duration: Violations persisted over a significant period (May 2018–November 2020).
  • Turnover Consideration: The €4.75 million fine was proportionate to Netflix’s global annual turnover (€30.7 billion in 2023).

4. Lessons Learned

  • Transparency Standards: Organizations must clearly link each processing activity with its purpose, legal basis, and recipients in privacy statements. This requires periodic reviews to ensure GDPR compliance.
  • Retention Policies: Explicitly state retention periods or criteria to determine them.
  • International Data Transfers: Include detailed safeguards, adequacy decisions, and user rights related to data transferred outside the EU.
  • Access Requests: Responses to data subjects must be specific and detailed.
  • Iterative Improvements: Organizations must proactively address identified gaps instead of waiting for regulatory enforcement.

5. Conclusion

This case reinforces the need for stringent adherence to GDPR’s transparency and data subject rights provisions.

The fine underscores the importance of periodic compliance audits, clear communication with data subjects, and robust privacy governance frameworks.

While Netflix adjusted its policies after the violations, early compliance could have avoided regulatory action.

Organizations processing personal data in the EU must ensure:

  • Accurate privacy notices.
  • Clear and accessible information regarding data usage, retention, and transfers.
  • Prompt and comprehensive responses to data access requests.

This enforcement serves as a critical reminder for multinational corporations to align their data practices with GDPR’s principles of transparency, fairness, and accountability.

Transparency isn’t optional; it’s essential.

Team AMLEGALS 


For any queries or feedback, feel free to connect to mridusha.guha@amlegals.com
