Netflix Dutch privacy violations: Watchdog finds itself unable to bite

Netflix Dutch privacy violations: Watchdog finds itself unable to bite

Summary: As Netflix's European base is in Luxembourg, the Dutch privacy watchdog can't take any action over breaches of the country's data protection laws.

SHARE:
TOPICS: Privacy, EU
1

Video streaming service Netflix, which launched its services in the Netherlands last month, has found itself in violation of the Dutch Data Protection Act. However, as the company has chosen to headquarter itself in Luxembourg, the Dutch Data Protection Authority is unable to intervene on the matter.

The Netflix privacy violation is caused by a different interpretation of the definition of personal data. In its terms and conditions, the video streaming company states that it considers "personal data" to be data that can be traced back directly to an individual.  However, under Dutch legislation, data that can indirectly be traced back to an individual — for instance, by linking it to other data — is considered to be personal data as well.

According to Dutch law, companies need customers' explicit consent to gather data that can indirectly be traced back to an individual, while Netflix only asks for consent for information that is directly linked to a user.

The Netherlands' secretary of state for education, Sander Dekker, considers the discrepancy a significant threat to the privacy of Dutch customers. "Netflix gathers so much information of its customers that this can be considered extremely sensitive personal data, as referred to in article 16 of the Data Protection Act," he wrote on the Dutch government website.

"There are strict regulations with regard to that, and customers must give their express consent for that, which, in case of Netflix, they have not. Under Dutch law, a user ID can also be considered personal data, whereas in the Netflix privacy statement, it is not considered as such.

"Moreover, Netflix gathers a lot of information about its viewers, in order to be able to offer them customised recommendations. If this information can be used to trace back religious or sexual preferences to the user, viewers must give their express consent for that information being gathered. There must be a specific button to confirm that, and Netflix doesn't provide that button." 

In the hands of Luxembourg

As Netflix's European operations are based in Luxembourg, they're governed by Luxembourg's laws, rather than Dutch law. As a result, even though it offers its services in the Netherlands, the Dutch Data Protection Authority can't take action on any violations of the Dutch Data Protection Act by the company.

Had Netflix chosen to have its European base in the Netherlands, or indeed outside of Europe, the Dutch Data Authority could have intervened. However, businesses domiciled in Luxembourg constitute an exception, and their data processing methods can only be assessed under Luxembourg law.

Dutch MP Kees Verhoeven has called for Dekker to bring the matter to the attention of his Luxembourg counterpart, who could ask the country's Data Protection Authority to take action. Whether this will happen, of course, remains to be seen.

Netflix declined to comment.

Further reading

Topics: Privacy, EU

Martin Gijzemijter

About Martin Gijzemijter

Martin began his IT career in 1998 covering games and gadgets, only to discover that the scope of his interests extended far beyond that. Ironically, where he used to cover 'anything with a plug', he now focuses on the wireless world. A self-pronounced Apple enthusiast who can't live without his Windows PC, he writes tech news, reviews and tutorials for the Dutch market and stories about flying elephants for his two sons.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Same story across Europe

    We need to band together, pass laws along the lines of:
    Google Schmidt "if you want to claim tax from us, change the law'.
    Then impose retrospective taxes and put him and his cronies in prison. Or shut their operations down in Europe. Rich people don't like having their money supply stopped.
    Or divert his 'presidential jet' when he next visits Europe ... to Syria.
    (Instead of Google we could use Bing for a while ... until we shut MSFT down.
    And instead of Starbucks we could go to COSTA ...
    ... or maybe just pay down out national debts.)

    Hopeless I know ... but you get the idea.

    Plus fire the watchdog employees and confiscate their unearned wages.

    Oh, for some backbone in our politicians.
    Kroes and Merkel have it I think.
    jacksonjohn