Skip to main content
You are here: News


The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.


FTC Sends $68,000 in Refund Checks to Consumers Who Bought Lights of America LED Light Bulbs and Filed a Claim

The Federal Trade Commission is sending a second round of refund checks, totaling more than $68,000, to consumers who bought Lights of America LED light bulbs and filed a claim.

The FTC sued Lights of America Inc. and related defendants for violating federal law by misrepresenting the light output and life expectancy of their LED bulbs, and falsely comparing the brightness of their LED bulbs with that of other light bulbs. A federal court ordered the defendants to pay $21 million to the FTC to provide refunds and banned the defendants from misrepresenting material facts about lighting products.

The FTC is mailing 1,352 checks averaging $50 each. Recipients should deposit or cash the checks within 60 days, as indicated on the check.

The FTC previously mailed 499,105 checks totaling more than $14.4 million to people who bought Lights of America light bulbs. The FTC then identified additional eligible consumers through a claims process. The claims process is still open, and consumers who bought these lightbulbs and have not received a check should contact the FTC’s administrator, Analytics Consulting LLC, at 800-419-4695.

FTC law enforcement actions led to more than $2.3 billion in refunds for consumers between July 2017 and June 2018. To learn more about the FTC’s refund program, visit

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
19 Jul 2019, 10:00pm AEST

Privacy in the news (5 July – 18 July 2019)

Welcome to our latest weekly round-up of privacy stories.

Cameras filming drivers continuously ‘does nothing for driver safety'

A survey carried out by First Union earlier this year found cameras that record inside truck cabs were a leading reason why drivers were quitting the profession. The US-made cameras can be enabled to record continuously, and they are installed in 7000 vehicles in New Zealand. Trucking companies cite health and safety reasons for installing the cameras but recording more data than necessary could breach drivers’ privacy and may not contribute to safer driving at all. Read more here.

Government looks at powers to seize illegally-operated drones

The government is looking at a broad range of drone regulations that support commercial use but protect citizens and spaces – such as airports – from unlawful activity. Some operators already require certification, but the government doesn't know who buys and flies off-the-shelf drones, making laws hard to enforce. Transport Minister Phil Twyford says the regulations need to balance the industry's clear potential for growth while managing safety and privacy issues that arise from the technology’s use. Read more here. 

Android apps harvest data even after you deny permissions

Researchers have found more than 1,000 apps that work around permissions, enabling them to gather precise geolocation data and phone identifiers without your knowledge. The discovery highlights how difficult it is to stay private online, particularly if you're attached to your phones and mobile apps. Read more here.

Google’s 4,000-word privacy policy is a secret history of the internet

The late 1990s was a simpler time for Google. The company’s first privacy policy reflected that simplicity. It was an earnest artefact of a different time in Silicon Valley, offering only 600 words to explain how it was collecting and using personal information. That version of the internet is now gone. Google’s privacy policy has become a sprawling 4,000-word explanation of the company’s data practices. This evolution is the story of the internet’s transformation into a terribly complex environment for privacy. Read the full story here.

Facebook embeds ‘hidden codes' to track who sees and shares your photos

An Australian cyber researcher has reopened the debate around whether Facebook is embedding hidden codes in photos to track their movements outside of the platform. Edin Jusupovic claims to have found ‘metadata watermarks’ embedded into Facebook images that allow the company to identify individual images and link users who share the same content. Facebook can then use these user associations for more precise marketing. Read more here. 

How WeChat censors private conversations, automatically in real-time

Based in China and boasting over 1.1 billion global users, WeChat is one of the world’s most advanced and popular apps. The platform is heavily embedded into most Chinese citizens’ lives, and it uses some of the quickest and most extensive censorship technology on earth. New research from the University of Toronto reveals how WeChat’s censorship of content is used to exert control over political discussion, part of Xi Jinping’s tightening grip on the Chinese internet and society more broadly. Read more here.

Think FaceApp is scary? Wait until you hear about Facebook

FaceApp is a viral lark that takes a convincing guess at what you’ll look like when you’re old. FaceApp is also the product of a Russian company that sends photos from your device to its servers, retains rights to use them in perpetuity, and performs artificial intelligence black magic on them. So, the FaceApp backlash has kicked into gear, with anxious stories and tweets warning you off its charms. Which is fine – just make sure you save some of that ire for bigger targets. Read more here.

Facebook: US report says record $US5b fine imposed for data breaches

The US Federal Trade Commission has approved a $US5 billion ($NZ7.4b) settlement with Facebook over its investigation into the social media company's handling of user data. The FTC has been investigating allegations Facebook inappropriately shared information belonging to 87 million users with the now-defunct British political consulting firm Cambridge Analytica. Read more here.

Image credit: Turnstone via John James Audubon's Birds of America.

Office of the Privacy Commissioner, New Zealand
Source: Blog
19 Jul 2019, 12:14pm AEST

FTC Chairman Supports Common Understanding of G7 Competition Authorities on Competition and the Digital Economy

Federal Trade Commission Chairman Joseph J. Simons has issued the following statement about the Common Understanding of G7 Competition Authorities on Competition and the Digital Economy, which France’s competition authority, the Autorité de la Concurrence, released today following the G7 Finance Ministers and Central Bank Governors meeting in Chantilly, France. The FTC worked with its G7 counterparts to draft these principles, which recognize innovation, sound competition analysis, competition advocacy, and international cooperation as keys to promoting the benefits of competition in the digital economy:

“The Common Understanding recognizes the importance for competition agencies to examine enforcement and policy issues raised by evolving business practices and emerging technologies in light of the goals of protecting consumers and promoting competition,” said Chairman Simons. “The FTC welcomed this opportunity to engage with our international counterparts to advance collaboration and convergence toward sound competition policies and principles in the context of the digital economy.”

Besides the FTC, the Antitrust Division of the Department of Justice, and France’s Autorité de la Concurrence, the G7 competition authorities also include Italy’s Autoritá Garante della Concorrenza e del Mercato, Germany’s Bundeskartellamt, Canada’s Competition Bureau, the United Kingdom’s Competition and Markets Authority, the European Commission’s Directorate General for Competition, and the Japan Fair Trade Commission.

The Federal Trade Commission works with foreign governments to promote international cooperation and sound policy. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases and the FTC International Monthly for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
18 Jul 2019, 10:00pm AEST

FTC Returns More than $708,000 to Consumers and Businesses Tricked Into Paying for Unordered Light Bulbs and Cleaning Supplies

The Federal Trade Commission is mailing 3,615 checks totaling $708,586 to small businesses, nonprofit organizations, and other consumers who were tricked into paying for overpriced office supplies—including light bulbs and cleaning supplies—that they did not order. The average refund amount is $196.

The refunds are the result of a court order obtained against Lighting X-Change Company, LLC, which operated using several different names. The company’s telemarketers allegedly failed to disclose they were making a sales call, pretended they had a previous business relationship with the recipients, and falsely claimed that they wanted to send a free sample or catalog.

Instead, they sent light bulbs and cleaning supplies without disclosing the price up-front, and billed the recipients much more than market price for the products. Businesses that paid for the unordered products received additional unordered shipments, along with new invoices seeking payment.

In addition to banning the defendants from the illegal shipping and billing practices, the FTC’s settlement order imposes a $720,000 judgment, which the Commission is using to provide refunds.

Consumers who have questions about the refunds should contact the FTC’s refund administrator, Analytics Consulting, LLC, at 1-877-202-5930. Recipients should deposit or cash checks within 60 days, as indicated on the check. The FTC never requires people to pay money or provide account information to cash a refund check.

FTC law enforcement actions led to more than $2.3 billion in refunds for consumers in a one-year period between July 2017 and June 2018. To learn more about the FTC’s refund program, visit

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
18 Jul 2019, 10:00pm AEST

Are you ready for breach notifications?

As you may already know, both winter and privacy breach notifications are coming. And while you may have already prepared for winter and its influx of colds and flu, it’s also important to prepare for mandatory breach notifications, so that your agency is ready when the requirements kick in.

New Zealand currently falls into a group of countries for which privacy breach reporting is voluntary - but the privacy law reform underway in Parliament will change that. The Privacy Bill, which is likely to be passed by Parliament this year and become law in 2020, will introduce a mandatory breach notification regime.

The effect of this is that your agency will have to notify both the individual and the Privacy Commissioner in certain circumstances if the agency experiences a serious privacy data breach.

What will I have to notify?

Agencies won’t have to notify every single breach. The threshold for notifiable breaches isn’t finalised, but it is likely to only cover privacy breaches where there is the risk of serious harm. The threshold aims to balance the compliance burden on agencies, while making sure that affected individuals are notified, and minimising the risk of ‘notification fatigue’.

Once the Privacy Bill has passed, the Privacy Commissioner will publish more information on how the breach notification reporting will operate, and when privacy breaches must be reported.

In the meantime, this is a great time to take stock of your existing policies and procedures to prevent, mitigate, and report data breaches, check that they’re still best practice (update them if they’re not), and make sure your staff all understand what they need to do.

Avoid human error

A significant cause of data breaches is from simple errors like sending emails or attachments to the wrong people (or failing to BCC an email list); putting patient letters in the wrong envelopes or falling prey to a phishing attack.

These kinds of mistakes are easy to make. We’ve all had an email auto-populate in the ‘To’ field to the wrong John Smith or wondered whether we really do have that Nigerian fortune waiting to be claimed.

Setting up systems to prevent or catch these human errors will help stop sensitive information going out to the wrong person. For example, name documents clearly so that attachments are identifiable immediately if they’re the wrong file; set up a delay send rule on emails and provide regular refresher training to staff on email security and avoiding phishing scams. Other options include encrypting attachments with sensitive information, so that the recipient needs a password to read the file.

Think through the risks

Risks can appear in unexpected ways. At a medical practice, a patient was handed a form to give to the doctor. On the front of the form was the patient’s information but on the back of the page was another patient’s information in the form of an invoice. When asked, staff at the medical centre explained they were motivated by a desire to recycle paper. They had blanked out the patient's details on the back, but this had been done poorly. When it was held up to the light, the other patient's information, such as their name and address, could be clearly seen.

The recycled paper was not intended to leave the clinic. But it had created a risk. The recycled paper should have been destroyed or disposed of in the first instance.

Review your policies and procedures for best practice

How do you get rid of your agency’s rubbish? Put it into a regular rubbish collection? What if it includes patient information like prescription labels with a person’s name, address, and the condition of that patient who was being treated? We received a breach incident notification last year when a member of the public noticed patient documents strewn along a street.

The health agency’s rubbish was supposed to have been double-bagged, which would usually prevent spillages but not in this case. We discovered the agency had access to a secure shredding service and it quickly moved to adopt this method of disposing patient information.

In another embarrassing breach, patient notes were found scattered along a busy Brisbane inner-city street having literally fallen off the back of the van or truck taking them to be disposed of.

It’s up to agencies to work out practical policies and solutions that work for their circumstances. But agencies should also make sure their procedures appropriately mitigate privacy risks, including the risk of health data breaches.

Make sure policies are being followed

Do you ever take patient files home, or keep them in your car or bag? We’ve received notifications of multiple incidents where staff have suffered burglaries of their home or car, and as a result, patient records have gone missing. Or a receptionist has left a client file on the desk overnight, leading to the risk that someone else could pick up and read the file.

Many agencies will have a policy that hard copy files must be locked up at the end of the day, and that laptops or other devices used to access the digital files must be password protected. If your staff don’t follow the policies, it only increases the risk your agency will suffer a data breach.

Reducing your data breach notifications

The best way to make sure you don’t have to explain why a data breach occurred is to practice data breach sanitation. Think of it as the equivalent of making sure you wash your hands regularly or cover your mouth when coughing. Prevention, as we know, is better than the cure.

But despite the best precautions, some people will still get sick, and privacy breaches will occur (hopefully less often and with less seriousness). Just like staying at home when you come down with a cold, data breach notifications to our office and to the people affected are intended to help agencies prevent a breach from worsening while giving people the opportunity to take steps to protect themselves, if their information is lost.

This article was first published in NZ Doctor magazine.

Image credit: Shutterstock

Office of the Privacy Commissioner, New Zealand
Source: Blog
17 Jul 2019, 10:28am AEST

Privacy commissioners gather in Tokyo – Part 2

Privacy Commissioner John Edwards partakes in a sake ceremony

These APPA sessions emphasized that data flows underpin the digital economy and innovation. Significant developments are increasing the international imperative to harmonise privacy frameworks and build interoperable frameworks for data flows.

Cross border data transfers

APPA members heard from James Sullivan, Deputy Assistant Secretary for Services at the US Department of Commerce. The Department administers the EU-US, Privacy Shield Framework, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.

Mr Sullivan observed that data underpins a globally connected world and underpins benefits for citizens and the economy, driving 20% of global economic output. Privacy and data protection are essential for legal certainty and to build trust and it is right for citizens to know what happens with their data.

He noted the absence of a globally accepted standard of data privacy and thought there was unlikely to be a global standard any time soon.

The concerns are that inconsistent regulatory regimes will exacerbate compliance costs and that some countries are adopting prescriptive rules on data flows such as data localisation.

While the GDPR is both comprehensive and progressive, from the US perspective there are still questions regarding its potential impacts on free speech, research and the compliance cost burden. The challenge raised by Mr Sullivan was how countries can prepare for the next big wave of technological change in the absence of global data protection standards. He suggested the most realistic option was to build interoperability between current schemes such as the EU/U.S. Privacy Shield and the APEC Cross Border Privacy Rules to bridge the different regimes.

How to establish the Free Data Flow World while ensuring security of personal information through mutual trust

A public conference following APPA. Keith Enright, Google’s Chief Privacy Officer, noted Japan’s strong privacy laws and its strong position as a proponent for the APEC Cross Border Privacy Rules, was a participant in the CPTPP, and had achieved EU adequacy under the GDPR.

Mr Enright described trust as the foundation for everything Google does. He said two core priorities for Google are ensuring the free flow of data and preserving user trust by confirming privacy is central to product development enabling users to control their experience.

Mr Enright noted that Google is taking steps to lead on data portability including the Data Transfer Project. Google had previously announced new privacy features during Privacy Awareness Week in May.

There’s a lot of privacy activity in Asia with new laws emerging including China and India. Asian countries take an economic approach to the regulation of data flows. However, data is not just a commodity and privacy is taken very seriously by Asian privacy regulators. In some jurisdictions there is tradition of a complementary human rights approach (such as Hong Kong). Many jurisdictions want to become AI and analytics hubs and to do so requires strong privacy laws. The challenge in Asia is how to combine different approaches to data protection.

The ICO noted that a strong regulatory scheme such as the GDPR has not proved to be an impediment to innovation, citing on the ICO’s regulatory sandbox initiative.

G20 side event – Global free flow of data with adequate protection

A G20 side event provided an opportunity to hear from speakers from the European Commission and several Asian and European privacy authorities. Mr Bruno Gencarelli, from the European Commission, expressed strong support for the free flows of data with trust initiative to combine high standards of privacy and data protection with economic data flows.

Mr Gencarelli commented on the historic nature of the recent EU/Japan mutual adequacy decision and the common vision of both sides that privacy needs to be effectively protected with a clear set of rules and rights and an independent enforcement authority. These rights are necessary to support democratic and electoral systems and support economic growth as a foundation for consumer trust. The result of the mutual adequacy decision is that data can flow freely between Japan and the EU and will amplify the benefits of a free trade agreement. Mutual adequacy will also provide an opportunity for closer and deeper co-operation between respective data protection authorities.

French data protection authority (CNIL) President Mme Denis, noted that free flows of data cannot undermine the protections guaranteed under the GDPR framework. The GDPR has several mechanisms for a wide variety of transfers including contractual clauses and an adequacy decision.

Mme Denis also noted that the Council of Europe Convention 108 has potential to foster greater convergence – this is an international instrument and is open to accession by countries outside Europe.

New Zealand has observer status, along with a number of other non-European observers

Highlights from the panels included:

  • Mme Pouliou, head of privacy for Chanel reported that the GDPR has led to significant harmonisation across 28 countries and has the potential to inspire greater global harmonisation.
  • Australian Information Commissioner, Angelene Falk, shared the Australian experience of building trust in personal information handling and the OAIC’s collaboration with other regulators. Australia is implementing the APEC Cross Border Privacy Rules and is considering certification of privacy competence as a potential mechanism for recognising organisational accountability.


Read Part 1 of blog here 

Office of the Privacy Commissioner, New Zealand
Source: Blog
9 Jul 2019, 6:45am AEST

Statement from BC Information and Privacy Commissioner regarding independent oversight over government’s duty to document and use of personal communication tools

BC Information and Privacy Commissioner has issued the following statement regarding independent oversight over government’s duty to document and use of personal communication tools.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
18 May 2019, 6:00am AEST

Protecting privacy is everyone’s responsibility: BC Information and Privacy Commissioner statement on Privacy Awareness Week 2019

As Privacy Awareness Week (May 6-11) gets under way today, Michael McEvoy, information and privacy commissioner for British Columbia, is calling on everyone – businesses, the public and government – to take action to better protect personal information. He has released the following statement.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
7 May 2019, 6:00am AEST

Commissioner statement regarding the joint Facebook/Cambridge-Analytica investigation

The Information and Privacy Commissioner for British Columbia made the following statement during a joint press conference at the National Press Theatre in Ottawa.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
26 Apr 2019, 6:00am AEST