Approval of the AudioVisual Directive and GDPR sanction in The Netherlands

LawBytes deals with the approval of new Audiovisual Directive and the first GDPR sanction in The Netherlands.

Media – Approval of the Audiovisual Directive by the EU

After the EU Parliament positive vote in October 2018, on the 6th November 2018 the EU Council finally adopted the new Audiovisual Media Services Directive.

The new directive modifies the existing legal framework based on the 2010 directive to take account of the recent market developments: viewing habits have changed, rapid technical developments have sparked new types of services and user-generated content has gained in importance as highlighted also in the recent copyright Directive.

The revised legislation changes the media landscape for broadcasters and video-on-demand platforms, redefining advertising limits and enhancing the promotion of European works, but also strengthening the protection of minors against harmful content and limiting profiling and behaviourally targeted advertising.

Notably, as previously highlighted in this post, the text extends the European audiovisual directive rules to video-sharing platforms, which will now be responsible for reacting quickly when content is reported or flagged by users as harmful and may be asked to create a transparent, easy-to-use and effective mechanism to allow users to report or flag content.

The approval of the Audiovisual Directive requires now for its coming into force the elapse of the 20th day after its publication in the Official Journal of the EU. Member States will have only 21 months after its publication to transpose the new rules into national legislation.

My view is that companies shall start to evaluate how the new rules of the AudioVisual Directive may impact their business also taking into account the recent EU Guidelines on safeguarding privacy in the media.

Privacy – 1st GDPR sanction issued in the Netherlands

Under the GDPR companies face higher sanctions for breaching privacy rules. And a few months after May 2018, the Dutch Data Protection Authority now imposed its first GDPR sanction that is of € 150,000 per month with a maximum of € 900,000 which was issued against to the Employee Insurance Agency (UWV) for failure to adopt the adequate security measures for data processing.

According to Aleid Wolfsen, chairman of the authority, the severity of the sanction depends on the fact that the data processing of the UWV

“concerns the health data of an enormous number of people, all of whom must be able to rely on the UWV carefully handling their data“.

The UWV has now a short timeframe to comply until the deadline of 31 October 2019, at the latest.

This case proves that companies should carefully assess their GDPR compliance (read on the topic “Top 5 GDPR changes to remember for your privacy compliance program“) and eventually should be ready to assess and limit the risks deriving form the applicable sanctions (read on the topic”Are privacy fines really massive under the GDPR?“).