Net flicks – Media Act expands editorial standards to cover “TV-like” VOD services

The Media Law 2024 passed the parliament prior to the 2024 general election, and obtained a royalty on May 24, 2024. The law greatly updates British broadcast regulations. One of the most remarkable changes is the fourth part of the law, which expands audience media standards to cover the mainstream video on demand (VOD) service.

By giving OFCOM the authority to create a new VOD reference code, part 4 will bring larg e-scale VOD streaming services such as Netflix, Amazon Prime, and Disney+to the current linear television standard.

Which VOD services will be caught by the legislation?

The law states that only "Tier 1" services are eligible. "Tier 1" is an o n-demand program service (ODPS) used by (a) public broadcasting operators (except BBC), or (b) ODPS designated by the Secretary of State, or ODPS other than the UK. It is defined as corresponding to the description specified by the secondary law. [1]

The law of the law states that Vod Standards Code is the "largest, most televisio n-like" service. [2] [2] In addition, OFCOM formulates reports in the UK, including individual catalogs, viewers, and sales, regarding the status of the VOD market in the UK, including individual catalogs, viewers, and sales. It is stipulated that we are expecting to request. The Secretary of State is required to consider this report when determining which service is considered Tier 1. [3]

OFCOM also lists the following major providers: Netflix, Amazon Prime, Disney+, etc. [4] OFCOM states that Tier 1 includes the mainstream "T V-like" service that is not currently under the jurisdiction of the UK. [5] This shows the size and type of services that are regarded as Tier 1 and are likely to be subject to law.

The law obliges DCMS to publish a specific description of Tier 1 list or Tier 1 service on a general accessory government website before DCMS formulates regulations on Tier 1 service.

What will the Code set out?

The exact content of the VOD reference code has not yet been created by OFCOM. The law stipulates that the standard should do the best calculation to ensure the following:

• It is protected under the age of 18;
• Contents that may encourage or incite the execution of crimes or disturb the order are not included in Tier 1 Service;
• The news included in these services is provided with legitimate fairness;
• The news contained in these services is reported in accurate;
• The content eliminates the views and opinions of those who provide services regarding political or industrial controversy or the current public policy;
• The generally recognized criteria are applied to the contents of the service, and protects the general public from the posting of unpleasant or harmful contents.
• Appropriate responsibility has been exercised for the contents of religious programs. [6]

This regulation is expected to be based on existing OFCOM Broadcasting Code, which deals with similar problems. OFCOM must continue to review this regulation and revise it at any time.

OFCOM has stated that this year will begin to create code draft and adherent guidance, and that it will come into effect in 2025 after consultation. [7]

For some VOD services, it will be a big adjustment. In fact, in response to the turmoil over the Netflix series "Baby Revinger", DCMS stated that this law would impose "high standards" on the mainstream video on demand service. [8] [8] However, the service of Tier 1 is given a 1 2-month grace period after code issuance, ensuring compliance. Based on the OFCOM roadmap, you will not need to conform to 2026.

For public broadcasting (ITV, Channel 4, Channel 5, etc.), Code is unlikely to be a concern because most of the existing content is already compliant with BroadCasting Code. Netflix is ​​one of the services that expressed concern about how the code affects the existing library. In April 2023, a senior director in the UK and Ireland has expressed concern in April 2023 that "there is a danger that it is not executable or has a cold effect". He was particularly concerned about the current documentary library. [9]

The law stipulates specific matters that OFCOM should consider when creating code, which includes the following:

• Expectations for viewers on the nature of the content of the program included in a specific Tier 1 service;
• Age of content included in the service;
• The period is included in the Tier 1 service.
• It is desirable to maintain independent editorial control over programme content. [10]

Ofcom may then take a view on how carefully it expects VOD services to examine their libraries to ensure that all historical content complies with the Code.

Accessibility requirements

In addition to the Standards Code, Ofcom is also required to develop an Accessibility Code for Tier 1 services to ensure that people with disabilities, particularly those affected by vision or hearing, can use the service. Ofcom has stated in its roadmap that it plans to consult on this around the beginning of 2025.

The Act sets out targets that should be included in the Accessibility Code. [11] The first targets are:

• 40% of total catalogue time to consist of subtitled programmes;
• 5% of total catalogue time to be audio-described programmes;
• 2. 5% of total catalogue time to be programmes in sign language or translated into sign language.

These initial targets must be achieved within two years of either (a) two years after the VOD service is designated Tier 1, or (b) two years after the date of publication of the Code (whichever is later).

The second targets are:

• 80% of the total catalogue time must consist of subtitled programmes;
• 10% of the total catalogue time must be audio-described programmes;
• 5% of the total catalogue time must be programmes in sign language or translated into sign language.

These higher targets must be achieved within two years of either (a) four years after the VOD service is designated Tier 1, or (b) four years after the Code is published (whichever is later).

Ofcom can also make exceptions for VOD services in certain circumstances.

Audience protection measures

Ofcom is also required to carry out a review of the audience protection measures used by UK VOD services designated Tier 1 or non-UK VOD services to assess whether the measures adequately protect audiences from harm. Such measures may include age ratings or other classification systems, content warnings, parental controls and/or age safeguards. [12] Ofcom may request information from services for its review and may also publish any information provided. According to the roadmap, Ofcom was due to launch a general review of audience protection measures shortly after the Charter.

This law intends to link the regulations of the mainstream VOD content closer to the conventional TV services, which means a change that is one step in the regulation of large VOD services. Therefore, the new Vod Standards Code is likely to be in line with the existing BroadCasting Code of OFCOM. Considering the fact that "T V-like" programs are converging between conventional services and VOD services, harmony of some standards, such as harmful or unpleasant things, accuracy of news content, respect for privacy, etc. Is likely to be welcomed by general viewers. Another remarkable change is that it may cause ou t-o f-area effects to incorporate VOD services that are not established in the UK.

Comment

However, this significant change can provide a fairly strict logistics issue for the VOD services to be applied to the new rules. In particular, whether existing content is compliant with the rules (other than the programs already produced in accordance with the requirements of the broadcast code), for example, that kind of content licensed for streaming with such services). Large audits may be required. The grace period of about two years is also so that the related VOD services can deal with the logistics burden, and the affected services hope that they will take a close consultation on the formulation of new VOD standards and accessibility code. There seems to be no doubt.

Contributed to Entertainment Law Review.

[1] The schedule 5 of the law that newly inserts Chapter 3 of Part 4a of the 2003 Communications Act (Communications Act 2003).

[6] 2003 Communications Law 368HF Article.

[8] Report on DCMS warning.

[10] In 2003, the Communications Law 368HH (2) was newly established.

[11] New of the 2003 Communication Law 368HL.

[12] Article 38 of the same law that inserted a new 368OB article of the 2003 Communications Act (Communications Act 2003).

The new data protection law proposed by the British government aims to promote dat a-led innovation and reduce the burden on organizations associated with the General Data Protection Rules (GDPR).

UK Data Protection and Digital Information Bill: in detail

The data protection and digital information bill submitted to the Congress on Monday is the result of the government's larg e-scale discussions last year on the reform of other privacy laws that originated in the UK GDPR and the EU method.

Partner, Technology, Media / Communications Division

Those seeking to significantly streamline requirements and remove impediments to innovation and business may feel that the Bill does not go far enough. On the other hand, the proposals depart sufficiently from the EU’s GDPR that they could be seen as threatening the UK’s adequacy status.

While significant changes are proposed as the government seeks to demonstrate the benefits of Brexit, open questions remain as to whether the UK reforms will depart too far from the standards that apply under the EU GDPR and endanger the continued free flow of personal data between the EU and the UK, and the resulting trade that underpins it.

That the Bill was introduced in Parliament in the last week before the summer recess shows how politically important it is for the government. The fate of the Bill will naturally depend on the priorities of the next Prime Minister, but so far the Government’s plans for data protection reform have not attracted as much discussion among candidates as the Online Safety Bill (another Bill that, if implemented, would have a major impact on regulating the digital world). One of the candidates seeking to lead the ruling Conservative Party to become Prime Minister is former Chancellor Rishi Sunak. He has said he will make data protection reform one of his four top priorities.

Timing

At the moment, the Bill is likely to pass Parliament in September. The impact assessment of the Bill reiterates that "it is the Government's view that reform of UK law on personal data is compatible with maintaining the free flow of personal data from Europe," but the UK's adequacy status will depend on how the final text strikes the balance.

The Bill seeks to clarify and potentially limit what information the Data Protection Act applies to, i. e. "personal data." For companies that are not subject to the EU's GDPR, this will be welcome.

Amended definition of “personal data”

The Bill proposes a new section that would limit the scope of personal data to:

if the information is identifiable by the controller or processor at the time of processing.

• if the controller or processor should have known that it was likely that others would obtain the information as a result of the processing and that at the time of processing, they would be likely to be able to identify the individual by reasonable means.
• The proposed change would limit the assessment of identifiability to the controller or processor and those who may receive the information, rather than to everyone in the world. This point is often debated, but the proposed addition seems to be merely a clear reiteration of the position that the CJEU appears to have adopted in its 2016 judgment in Patrick Breyer v. Federal Republic of Germany.

This addition may make it easier for companies to achieve legal anonymity, since they no longer have to worry about future identifiability and instead focus on identifiability at the time of processing. On the other hand, the proposed change does not eliminate the risk of identification by “identification” that has made anonymization elusive.

The real driver for the reform is the government’s view that the existing accountability framework of the GDPR is too rigid and burdensome for companies to comply with. The proposed new streamlined accountability regime is built around the concept of a “privacy management” program that organizations implement to manage data risks.

Reform of the accountability framework

DCMS said that “organizations that currently comply with the GDPR will not need to significantly change their approach.” However, it is unclear from the text whether organizations will need to make any changes to meet the new requirements for accountability frameworks.

For example, we understood that organizations could continue to use a Data Protection Officer (DPO) appointed in line with the previous requirements if they wished. However, the new requirement to appoint a “senior officer” who is “a member of the organization’s senior management” seems to contradict the current GDPR requirement to avoid conflicts of interest for the DPO, and may also suggest that the “senior officer” should not be an external consultant. Guidance confirming that organizations whose accountability frameworks meet the current requirements do not need to make any changes would be very welcome.

The amendments in Schedule 5 pave the way for organisations to take a risk-based approach to assessing the impact of international transfers of personal data using mechanisms such as Standard Contractual Clauses (SCCs). It also provides a framework for the Department for Digital, Culture, Media and Sport (DCMS) to make new adequacy decisions for transfers from the UK using the same risk-based framework. DCMS has already announced that the US will be the preferred jurisdiction for making adequacy decisions.

International transfers

Pinsant Mason can help you manage your Schrems II business needs.

Some data protection authorities have said that the GDPR's provisions on the transfer of personal data to third countries do not allow for a risk-based approach.

Organisations will likely be keen to simplify the process for international transfers. However, the government acknowledges that the costs of the change would outweigh the benefits if concerns are raised about the UK's approach to international transfers and it were to result in the UK losing its EU adequacy status.

In an impact assessment published alongside the Bill, the government estimates that these changes will bring annual trade benefits of between £80 million and £160 million. It also estimates the impact of terminating EU adequacy "in addition to these measures" at between £190 million and £460 million in one-off SCC costs and £210 million to £410 million per year in lost export revenue.

The Bill does not include any significant changes to responding to personal data breaches. There is no change to the need to report and respond to security incidents.

Cyber

Pinsant Mason's Cyturion is a one-stop-shop tool for businesses to prepare for and respond to cyber incidents.

For now, the legislative focus of cybersecurity reform in the UK appears to be on managed service providers and other service suppliers of key infrastructure activities under the proposed reforms to the NIS regulations.

However, under the Bill, the Information Commissioner is under no obligation to encourage public authorities to develop codes of conduct which could explicitly include on notifying the Commissioner of personal data breaches and communicating personal data breaches to data subjects.

The Information Commissioner Secretariat (ICO) has recently issued a unique ransomware guide, including a checklist for companies, but such a practical guidance will help companies plan to prepare for cyber. It is obvious.

It is a common misunderstanding that individual consent is required to enable personal data processing. The Data Protection Law has other legal basis for processing personal data.

Legitimate interests

The basis of the s o-called "legitimate interest" is the most flexible among the legal basis specified under gdpr, but the organization needs to balance and actually just right behind the process. We must carefully consider whether there is a profit, whether the processing is actually necessary for its legitimate purpose, and whether the legitimate profit is prioritized by personal rights, interests, and freedom.

However, under a new proposal, the government intends to abolish existing balance tests for some activities.

It is unknown whether the organization needs to make a legitimate profit in order to determine whether processing is necessary for the purpose.

In order to understand whether the organization can rely on "legitimate interests" processing, the government proposes a list of things that are recognized as legitimate interests.

An example of a proposed new list is when processing, investigation, and prevention of crime is required. This clarity may be useful, especially for financial service companies, in relation to money launding and fraud prevention activities.

However, it is unknown whether the tissue needs to evaluate a legitimate profit in some form to determine the need for processing for the purpose. What is expected to be specific from the viewpoint of compliance may remain unclear until further guidance is provided.

The government chose to include only for public interests in the list of what is recognized as a legitimate profit, and does not include general commercial purposes. Including normal business purposes could be useful for companies, but it would have been difficult to get rid of the burden on companies. In this regard, lon g-time evaluation may be required for whether the activity corresponds to the enumerated purpose, which may have been counterproductive. < SPAN> Information Commissioner Secretariat (ICO) has recently issued a unique ransomware guide, including corporate checklists, but it is the help of companies that plan to prepare for cyber. It is clear that it will be.

It is a common misunderstanding that individual consent is required to enable personal data processing. The Data Protection Law has other legal basis for processing personal data.

Subject access requests

The basis of the s o-called "legitimate interest" is the most flexible among the legal basis specified under gdpr, but the organization needs to balance and actually just right behind the process. We must carefully consider whether there is a profit, whether the processing is actually necessary for its legitimate purpose, and whether the legitimate profit is prioritized by personal rights, interests, and freedom.

However, under a new proposal, the government intends to abolish existing balance tests for some activities.

It is unknown whether the organization needs to make a legitimate profit in order to determine whether processing is necessary for the purpose.

In order to understand whether the organization can rely on "legitimate interests" processing, the government proposes a list of things that are recognized as legitimate interests.

An example of a proposed new list is when processing, investigation, and prevention of crime is required. This clarity may be useful, especially for financial service companies, in relation to money launding and fraud prevention activities.

However, it is unknown whether the tissue needs to evaluate a legitimate profit in some form to determine the need for processing for the purpose. What is expected to be specific from the viewpoint of compliance may remain unclear until further guidance is provided.

The government chose to include only for public interests in the list of what is recognized as a legitimate profit, and does not include general commercial purposes. Including normal business purposes could be useful for companies, but it would have been difficult to get rid of the burden on companies. In this regard, lon g-time evaluation may be required for whether the activity corresponds to the enumerated purpose, which may have been counterproductive. The Information Commissioner Secretariat (ICO) has recently issued a unique ransomware guide, including a checklist for companies, but such a practical guidance will help companies plan to prepare for cyber. It is obvious.

Automated decision-making

It is a common misunderstanding that individual consent is required to enable personal data processing. The Data Protection Law has other legal basis for processing personal data.

The basis of the s o-called "legitimate interest" is the most flexible among the legal basis specified under gdpr, but the organization needs to balance and actually just right behind the process. We must carefully consider whether there is a profit, whether the processing is actually necessary for its legitimate purpose, and whether the legitimate profit is prioritized by personal rights, interests, and freedom.

However, under a new proposal, the government intends to abolish existing balance tests for some activities.

It is unknown whether the organization needs to make a legitimate profit in order to determine whether processing is necessary for the purpose.

In order to understand whether the organization can rely on "legitimate interests" processing, the government proposes a list of things that are recognized as legitimate interests.

Access to business data

An example of a proposed new list is when processing, investigation, and prevention of crime is required. This clarity may be useful, especially for financial service companies, in relation to money launding and fraud prevention activities.

However, it is unknown whether the tissue needs to evaluate a legitimate profit in some form to determine the need for processing for the purpose. What is expected to be specific from the viewpoint of compliance may remain unclear until further guidance is provided.

The government chose to include only for public interests in the list of what is recognized as a legitimate profit, and does not include general commercial purposes. Including normal business purposes could be useful for companies, but it would have been difficult to get rid of the burden on companies. In this regard, lon g-time evaluation may be required for whether the activity corresponds to the enumerated purpose, which may have been counterproductive.

The British Data Protection Law gives individuals the right to copy the data held by the organization. However, the response to the dat a-based access request (DSAR) is a complicated and burdensome process, and the cost and resources required for response may increase rapidly. This bill aims to alleviate some of the tasks facing the organization.

Cookies and other tracking technologies

The bill incorporates a wider basis that can refuse to respond to the entire requirement or claim fees if the organization determines that the request is annoying or excessive. 。 This is an alternative to the current exemption that DSAR can be rejected in the case of "obviously there is no basis".

It is the organization that determines whether the threshold is annoying. However, to support the organization, the bill lists some relevant situations to be considered, similar to those that have already been listed in ICO's DSARS guidance.

Invisible, the bill also shows specific examples of "annoying" requests. This includes what is intended to be painful, not in good faith, and those that correspond to "abuse of procedures."

The organization will welcome these examples because the British case law has been confirmed that DSAR is treated as "unknown purpose". In contrast, these examples suggest that a wider context may be considered, such as ongoing litigation procedures.

• Further guidance on what requests are "annoying and excessive" will be welcomed. For example, for a financial service company, a clear guidance on whether a large amount of claim management companies can be regarded as "abuse of procedures" will be valuable. Such demands require an organization to respond to multiple requests in the same time frame as one request, and does not necessarily aim to obtain useful information for the data.
• It is hoped that the ICO's promise to provide more guidance and resources to comply with the UK Data Protection Law will include such problems in DSAR's context.
• One of the areas where the government expects the development of dat a-led innovation is the use of an artificial intelligence (AI) system. < SPAN> British Data Protection Law gives individuals the right to copy the data held by the organization. However, the response to the dat a-based access request (DSAR) is a complicated and burdensome process, and the cost and resources required for response may increase rapidly. This bill aims to alleviate some of the tasks facing the organization.

The bill incorporates a wider basis that can refuse to respond to the entire requirement or claim fees if the organization determines that the request is annoying or excessive. 。 This is an alternative to the current exemption that DSAR can be rejected in the case of "obviously there is no basis".

It is the organization that determines whether the threshold is annoying. However, to support the organization, the bill lists some relevant situations to be considered, similar to those that have already been listed in ICO's DSARS guidance.

Invisible, the bill also shows specific examples of "annoying" requests. This includes what is intended to be painful, not in good faith, and those that correspond to "abuse of procedures."

Digital verification services

The organization will welcome these examples because the British case law has been confirmed that DSAR is treated as "unknown purpose". In contrast, these examples suggest that a wider context may be considered, such as ongoing litigation procedures.

Further guidance on what requests are "annoying and excessive" will be welcomed. For example, for a financial service company, a clear guidance on whether a large amount of claim management companies can be regarded as "abuse of procedures" will be valuable. Such demands require an organization to respond to multiple requests in the same time frame as one request, and does not necessarily aim to obtain useful information for the data.

Our view

It is hoped that the ICO's promise to provide more guidance and resources to comply with the UK Data Protection Law will include such problems in DSAR's context.

One of the areas where the government expects the development of dat a-led innovation is the use of an artificial intelligence (AI) system. The British Data Protection Law gives individuals the right to copy the data held by the organization. However, the response to the dat a-based access request (DSAR) is a complicated and burdensome process, and the cost and resources required for response may increase rapidly. This bill aims to alleviate some of the tasks facing the organization.

The bill incorporates a wider basis that can refuse to respond to the entire requirement or claim fees if the organization determines that the request is annoying or excessive. 。 This is an alternative to the current exemption that DSAR can be rejected in the case of "obviously there is no basis".

• It is the organization that determines whether the threshold is annoying. However, to support the organization, the bill lists some relevant situations to be considered, similar to those that have already been listed in ICO's DSARS guidance.
• Invisible, the bill also shows specific examples of "annoying" requests. This includes what is intended to be painful, not in good faith, and those that correspond to "abuse of procedures."
• The organization will welcome these examples because the British case law has been confirmed that DSAR is treated as "unknown purpose". In contrast, these examples suggest that a wider context may be considered, such as ongoing litigation procedures.
• Further guidance on what requests are "annoying and excessive" will be welcomed. For example, for a financial service company, a clear guidance on whether a large amount of claim management companies can be regarded as "abuse of procedures" will be valuable. Such demands require an organization to respond to multiple requests in the same time frame as one request, and does not necessarily aim to obtain useful information for the data.
• It is hoped that the ICO's promise to provide more guidance and resources to comply with the UK Data Protection Law will include such problems in DSAR's context.
• One of the areas where the government expects the development of dat a-led innovation is the use of an artificial intelligence (AI) system.
• In response to discussions on data protection reform earlier this summer, we confirmed that we are considering revision of existing rules for automatic decisio n-making and profiling under the UK Data Protection Law, but will be stipulated in future white paper on AI governance. He wanted to take the expected measures and the "consistency of proposals". The AI ​​White Paper is expected to be later this year, but the government has published a document on the same day as the bill announced on the same day, summarizing an approach to AI use regulations in the UK.
• The core of this problem is how much human surveillance is needed to determine the AI ​​system that affects the individual based on the processing of personal data by the AI ​​system.
• In a new bill, the government proposes to reconstruct existing rules for automated decisio n-making from the perspective of aggressive rights for human intervention. Naturally, the true meaning of existing rights, "it is not subject to decisio n-making based only on automated processing," is not always clear for individuals. However, newly introduced human intervention rights are applied only to "important" decisions, rather than making legal and important effects.
• There are concerns that restricting this right may threaten the valid status of the UK, but this wording can create a more wid e-range human intervention right than it exists. Whether or not this happens is how the Secretary of State exercises the authority to determine what decisions are "important" under the bill and for the purpose of rights. It is on.
• The bill is to the Secretary of State and the Ministry of Finance, a regulation that "data holder" requires "customer data" and "business data" to customers and third parties, and collection and maintaining such data. Give the authority to issue a regulation that obliges the processing.