According to the Netflix policy, personal information relates to "information that can be used to uniquely identify or contact you". However, it has said that it considers "information that does not permit direct association with you" to be non-personal information, and explains that it can "collect, use, transfer and disclose non-personal information for any purpose".
Dekker said that Dutch data protection laws apply to information that can both be directly and indirectly linked to individuals.
"A person can be identified if he / she can be identified, for example on the basis of an identification number directly or indirectly," Dekker added. If it does not take "disproportionate effort" to link information to an individual then that information is to be considered to be personal data, he said.
Dekker said that Netflix would require specific, explicit consent to collect and use sensitive data that they may derive from data gleaned from viewer behaviour.
Dekker said, though, that Netflix is not subject to the Data Protection Act in the Netherlands. This is because it "has no establishment in the Netherlands". The company is based in Luxembourg and is therefore subject to the data protection regime in place in that country, he added.
Both the Netherlands and Luxembourg implement the EU's Data Protection Directive, but the legal frameworks in place in both countries are different owing to the fact that the Directive does not need to be transposed into national laws in identical wording.