Out-Law News 1 min. read
09 Oct 2013, 3:06 pm
Netflix began operating in the Netherlands in September. In its privacy policy the company says that it tracks users' interactions with its service and that it collects both personal and non-personal information from users.
However, the Dutch Security and Justice Minister Sander Dekker has identified discrepancies in how Netflix has defined 'personal information' within its privacy policy and how the term is defined under data protection laws in the country.
According to the Netflix policy, personal information relates to "information that can be used to uniquely identify or contact you". However, it has said that it considers "information that does not permit direct association with you" to be non-personal information, and explains that it can "collect, use, transfer and disclose non-personal information for any purpose".
Dekker said that Dutch data protection laws apply to information that can both be directly and indirectly linked to individuals.
"'Personal data' means any information relating to an identified or identifiable natural person," Dekker said, according to an automated translation of answers he gave to questions raised about Netflix's privacy policy (4-page / 42KB PDF) by Dutch MP Kees Verhoeven.
"A person can be identified if he / she can be identified, for example on the basis of an identification number directly or indirectly," Dekker added. If it does not take "disproportionate effort" to link information to an individual then that information is to be considered to be personal data, he said.
Dekker said that Netflix would require specific, explicit consent to collect and use sensitive data that they may derive from data gleaned from viewer behaviour.
Dekker said, though, that Netflix is not subject to the Data Protection Act in the Netherlands. This is because it "has no establishment in the Netherlands". The company is based in Luxembourg and is therefore subject to the data protection regime in place in that country, he added.
Both the Netherlands and Luxembourg implement the EU's Data Protection Directive, but the legal frameworks in place in both countries are different owing to the fact that the Directive does not need to be transposed into national laws in identical wording.