Netflix, Inc. (NASDAQ:NFLX) began offering its streaming service in the Netherlands last month and immediately found itself in violation of the Dutch Data Protection Act. Funny thing is, the fact that the Dutch Data Protection Authority is headquartered in Luxembourg means that the DDPA is unable to do anything about Netflix’s violations in Holland.
Dutch law for personal data
The Dutch view “personal data” differently than those in the United States and other countries in which Netflix, Inc. (NASDAQ:NFLX) offers its service. Netflix considers “personal data” to only be data that can be directly linked back to an individual. Dutch law, however, dictates that data that can be indirectly linked back to an individual constitutes “personal data.”
According to Dutch law, companies need customers’ explicit consent to gather data that can indirectly be traced back to an individual, while Netflix, Inc. (NASDAQ:NFLX) only asks for consent for information that is directly linked to a user.
Holland’s secretary of state for education, Sander Dekker recently wrote on the Dutch government website, “Netflix, Inc. (NASDAQ:NFLX) gathers so much information of its customers that this can be considered extremely sensitive personal data, as referred to in article 16 of the Data Protection Act.”
“There are strict regulations with regard to that, and customers must give their express consent for that, which, in case of Netflix, Inc. (NASDAQ:NFLX), they have not. Under Dutch law, a user ID can also be considered personal data, whereas in the Netflix privacy statement, it is not considered as such.”
Netflix gathers viewers’ information
“Moreover, Netflix, Inc. (NASDAQ:NFLX) gathers a lot of information about its viewers, in order to be able to offer them customised recommendations. If this information can be used to trace back religious or sexual preferences to the user, viewers must give their express consent for that information being gathered. There must be a specific button to confirm that, and Netflix doesn’t provide that button.”
As Netflix’s European operations are based in Luxembourg, they’re governed by Luxembourg’s laws, rather than Dutch law. As a result, even though it offers its services in the Netherlands, the Dutch Data Protection Authority can’t take action on any violations of the Dutch Data Protection Act by the company.
Netflix data processing methods
While Mr. Dekker may have some valid points and know the law, his hands are tied. Since Netflix, Inc. (NASDAQ:NFLX) calls Luxembourg home for its European operations they are governed by Luxembourg law and its data processing methods can only be judged by the law of the land in the tiny European nation.
Dutch MP Kees Verhoeven has called for Dekker to bring the matter to the attention of his Luxembourg counterpart, who could ask the country’s Data Protection Authority to take action. Thing is, Luxembourg is known for giving businesses a long leash and may simply choose to ignore the situation.