The Dutch Data Protection Authority (Autoriteit Persoonsgegevens - “AP”) has recently imposed a fine of EUR 4,750,000 on a data controller for failing to fulfil the obligation to provide clear and transparent information to users regarding the processing of their personal data.
This decision highlights the importance of adhering to the principle of transparency established by the General Data Protection Regulation (“GDPR”).
Privacy Policy and Its Importance
A privacy policy is the document through which a data controller informs data subjects about the methods, purposes and legal basis of the processing of their personal data, together with the other information the GDPR requires the controller to provide. Its primary purpose is to give users a clear picture of the controller’s data processing practices and of the rights they have in relation to that processing, and thereby to satisfy the principle of transparency.
In practice, however, privacy policies are often reduced to formal documents filled with generic, hard-to-understand phrases, which undermines transparency and users’ ability to exercise their rights. Many data controllers draft the document solely to tick a compliance box, without understanding its role in protecting personal data. The result is privacy policies that are incomplete, unclear and difficult for the average user to follow.
Case Before the Dutch Data Protection Authority: Identified Violations and Key Circumstances
In the case of a complaint filed against the streaming service giant Netflix, the Dutch Data Protection Authority determined that the data controller acted in violation of fundamental data protection principles established by the GDPR.
Netflix, as a data controller, requires users (the data subjects) to create an account in order to access its services. During registration, users must provide certain personal data, such as their name, date of birth, email address, phone number and bank account details. In addition, while users stream films and series on the platform, the controller collects information about their viewing preferences in order to personalise content and recommend programmes that may interest them.
The Austrian digital-rights organisation NOYB (“None of Your Business”) submitted a data access request on behalf of two users. After the controller responded, NOYB filed a complaint with the Austrian Data Protection Authority, alleging that the controller had failed to provide sufficient information about its data processing practices. The Austrian authority referred the case to the Dutch Data Protection Authority (AP), because the controller’s European headquarters is located in Amsterdam, which makes the AP the competent lead authority under the GDPR’s cooperation mechanism.
Upon reviewing the complaint, AP concluded that the controller violated fundamental GDPR principles, identifying the following breaches:
The controller’s privacy policy did not accurately state the purposes for which personal data are processed. The purposes of processing are one of the core elements that any data processing notice, and a privacy policy in particular, must contain, so this omission goes to the heart of the information obligation.
In its submissions during the proceedings, the controller listed eight different processing purposes, which differed significantly from those set out in the privacy policy and in the response to the data access request.
The AP found that the controller uses third-party services that also process users’ personal data. Information about these recipients was neither included in the privacy policy nor provided in the response to the data access request.
The privacy policy did not specify how long the data would be retained. Instead, it relied on generic statements such as “in accordance with legal requirements”, without giving clear retention periods or the criteria used to determine them.
Although the controller transfers users’ personal data to other countries, the privacy policy failed to explain users’ rights in relation to transfers of their personal data outside the EEA (European Economic Area).
AP's Decision and Imposition of the Fine
Based on the violations identified, the Dutch Data Protection Authority (AP) imposed a fine of EUR 4,750,000 on Netflix. The fine was issued for non-compliance with key GDPR principles, in particular transparency and the right of access. In setting the amount, the AP took into account the severity of the violations and the fact that the controller generates annual revenue exceeding EUR 30 billion, which raises the standard of care that can reasonably be expected of it.
The AP considered the amount proportionate to the infringements. The fine is also intended to encourage all data controllers to comply strictly with data protection rules and to improve their privacy policies.
Significance of AP's Decision and Its Impact on Practices in Other EU Member States
The AP's decision in the Netflix case is a reminder to all data controllers that they must provide clear information about their processing so that users can fully exercise their rights under the GDPR.
Transparency in privacy policies, and the provision of clear and accurate information in response to data subject requests, is not only a legal obligation but also the foundation of trust between data controllers and data subjects.
This decision could influence the future practices of other supervisory authorities across the EU. While each EU Member State is responsible for enforcing the GDPR within its jurisdiction, such decisions often set a precedent and promote the harmonization of data protection practices within the Union.
How this decision will specifically affect the behavior of controllers and the practices of other data protection authorities across the EU remains to be seen. However, it is evident that every decision of this nature sends a strong message about the importance of transparency and accountability for controllers in accordance with the highest standards of personal data protection.
Sonja Stojčić
Senior Associate