Skip to main content
You are here: News


The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.


General Data Protection Regulation commences 25 May

The European Union (EU) General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The GDPR will harmonise data privacy laws across Europe, and replace existing national data protection rules.

Office of the Australian Information Commissioner
Source: News - OAIC
24 May 2018, 11:28pm AEST

FTC Gives Final Approval to Settlement with PayPal Related to Allegations Involving its Venmo Peer-to-Peer Payment Service

The Federal Trade Commission has given final approval to a settlement with PayPal, Inc. over allegations that its Venmo peer-to-peer payment service misled consumers about their ability to transfer funds to external bank accounts and control the privacy of their Venmo transactions.

In its complaint, the FTC alleges that when Venmo notified users that money had been credited to their Venmo balances and was available for transfer to an external account, it failed to disclose that those funds could be frozen or removed based on the results of Venmo’s review of the underlying transaction. The FTC also alleges that Venmo misled consumers about the extent to which they could control the privacy of their transactions. In addition, Venmo allegedly misrepresented the extent to which consumers’ financial accounts were protected by “bank grade security systems,” and violated the Gramm-Leach-Bliley Act’s Safeguards and Privacy Rules, according to the complaint.

As part of the settlement, Venmo is prohibited from misrepresenting any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which Venmo implements or adheres to a particular level of security. Venmo also is required to make certain disclosures to consumers about its transaction and privacy practices, and is prohibited from violating the Privacy Rule and the Safeguards Rule. Consistent with past cases involving violations of Gramm-Leach-Bliley Act Rules, Venmo is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.

The Commission voted 5-0 to approve the final complaint and order, as well as responses to the comments the FTC received.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
24 May 2018, 10:00pm AEST

FTC Announces Agenda for June 5 Workshop on Competition in Residential Real Estate Brokerage to Be Held Jointly with the Department of Justice

The Federal Trade Commission and Department of Justice issued the agenda today for a joint public workshop that will explore competition issues in the residential real estate brokerage industry. The workshop will take place on June 5, 2018, at the FTC’s Constitution Center Auditorium, 400 7th St., SW, Washington, DC. The event begins at 9:00 a.m.

Buying or selling a home is one of the biggest financial transactions that most consumers make in their lives, and the residential real estate brokerage industry has experienced significant change in recent years, including the emergence of new technologies and business models. The agencies’ joint public workshop will focus on developments since the publication of their Report on Competition in the Real Estate Brokerage Industry in 2007.

FTC Chairman Joseph J. Simons will open the workshop, which will bring together academics, consumer advocates, data standards experts, real estate brokers, information marketplaces, and multiple listing services. In a series of panel discussions, the agencies will explore technological developments, the availability of listings data, and the evolution of the consumer experience in real estate transactions; developments in real estate brokerage fee and service models; and regulatory and industry factors affecting residential real estate brokerage competition.

The workshop is free and open to the public, and will be webcast live on the FTC’s website. Workshop updates will be available via Twitter @FTC. To join the discussion, please use #RealEstateFTCDOJ.

Until July 31, 2018, the FTC and DOJ will accept public comments relating to competition in the residential real estate brokerage industry and the topics covered by this workshop. For further information on the workshop and the public comment process, including a list of suggested questions open for comment and registration information, please visit the workshop event page. Advance registration is not required, but is strongly encouraged.

Seating will be on a first-come, first-served basis. Attendees should bring a valid government-issued photo ID (government badge, license, passport, etc.) and arrive in time to go through security.

The Conference Center is accessible to people with disabilities. If you need an accommodation related to a disability, please contact Kristal Peters in advance at or 202-326-2913. Such requests should include a detailed description of the accommodations needed and a way to contact you if we need more information.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
24 May 2018, 10:00pm AEST

Administrative Law Judge Dismisses FTC Antitrust Complaint against Generic Pharmaceutical Company Impax Laboratories, Inc.

In an Initial Decision announced on May 18, 2018, Chief Administrative Law Judge D. Michael Chappell dismissed the antitrust charges in a complaint issued by the Federal Trade Commission against generic pharmaceutical company Impax Laboratories, Inc.

The FTC’s January 2017 administrative complaint alleged that in June 2010, Impax and Endo Pharmaceuticals Inc. illegally agreed that Impax would refrain from marketing a generic version of Endo’s Opana ER – an extended-release opioid used to relieve moderate to severe pain – until January 2013. According to the administrative complaint, in exchange, Endo had paid Impax more than $112 million as of January 2017.

Judge Chappell concluded that Complaint Counsel failed to prove that the agreement between Impax and Endo violated Section 5 of the Federal Trade Commission Act. In particular, he found that under the facts of the case, “the magnitude and extent of any anticompetitive harm is largely theoretical, based on an inference that, absent the Challenged Agreement, Impax’s entry date, and therefore generic competition, would have been earlier than January 2013. The evidence shows that such earlier entry was unlikely.” He therefore concluded that the procompetitive benefits of the agreement outweighed the anticompetitive harm.

Specifically, in his Initial Decision, Judge Chappell:

  • found it unlikely that Impax would launch a generic version of Endo’s Opana ER before January 2013; such a launch would have been considered “at risk” because it would have predated final court decisions in related patent litigation. If a generic company launches a product before a non-appealable court decision or patent expiration, brand companies can be awarded damages, according to Judge Chappell’s Initial Decision.
  • found that it would have been economically disadvantageous for Impax to launch generic Opana ER under this type of “at risk” scenario, because it is a small pharmaceutical company with revenues in 2019 of less than $1 billion, and it could not bet the company on any one product.
  • rejected Complaint Counsel’s argument that the agreement between Impax and Endo would harm competition. “[T]he real world procompetitive benefits of the Endo-Impax Settlement are substantial,” Judge Chappell wrote.

In his decision, Judge Chappell noted that the January 2013 entry date and the patent license provisions for Opana ER enabled Impax to introduce a generic version eight months before Endo’s original patents for the drug expired. “Impax has sold generic Opana ER without interruption for more than five years, since launching its product in January 2013,” Judge Chappell noted.

The Appeals Process. The Judge’s Initial Decision is subject to review by the full Federal Trade Commission on its own motion, or at the request of any party, and Complaint Counsel have filed a Notice of Appeal. The Initial Decision will become the final decision of the Commission 30 days after it is served upon the parties unless, prior to that date, Complaint Counsel perfect their appeal by filing an  Appeal Brief or the Commission places the case on its own docket for review.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
24 May 2018, 10:00pm AEST

Working with Industry 2: Are you ready for the GDPR?

This guest post was contributed by Nicola Hermansson, APAC Data Protection & Privacy Leader at EY. It is the second in our Working with Industry series of guest posts. The Working with Industry series do not necessarily reflect the views of our office and are published to inform and stimulate debate on topical privacy issues and developments.

Friday 25 May is D-Day for the European Union’s General Data Protection Regulation (GDPR), yet many organisations in this part of the world don’t know what it is and how it will impact them. Only 12 percent of Asia Pacific businesses impacted by GDPR have a plan to address it.

GDPR: What is it, who does it apply to, and why should you care?

The GDPR is an EU regulation, but it has global reach. Essentially, it requires that organisations doing business in the EU or processing data of individuals in the EU implement a number of data protections. A failure to do so can be met with fines of up to 4 percent of global annual turnover or €20million, whichever is greater. Many New Zealand organisations with EU connections are affected and will need to change their processes to be compliant.

Data breaches happen too often. The failure of organisations to protect and respect their customers’ personal data has led to customer trust being eroded. The GDPR requires organisations to be more responsible for their customer and employee personal data, and gives control back to individuals. In addition, the GDPR is setting a new global standard for the management of personal data, which is causing change well beyond the borders of the EU.

What does it mean for your organisation?

Organisations need to be accountable and proactive. A good start is to document all personal data processing activities and map data flows so that the organisation is aware of what data it has and how that data is used and managed.

The GDPR focuses on facilitating the rights of individuals, including the right to have data collected, used and disclosed in a robust manner, rights of access to data, the portability of data between various organisations, and the right to be “forgotten”.

Consent for processing personal data must be freely given, specific, informed and unambiguous. It cannot be bundled with other written agreements. A catch-all tick box is no longer good enough. Having privacy notices hidden in general terms and conditions is no longer acceptable.

Organisations need to incorporate data protection into the way that they manage their business using privacy impact assessments and Privacy by Design principles to embed privacy into the way that business is done.

Certain breaches must be disclosed within 72 hours, to both supervisory authorities and potentially to affected individuals.

Key challenges of GDPR

In this data-driven era, organisations desire more and more personal data, but have not been demonstrating the same desire to protect it. Many organisations are struggling to identify what personal data they possess, where it is, who has access to it, what third parties they have given it to, and what they are using it for.  A set and forget approach cannot be adopted when business is constantly challenged to use existing data sets in new ways.

The GDPR demands accountability – organisations need to get their data under control and demonstrate compliance. Many organisations who have not previously focused on data protection are finding that complying with the GDPR is taking more effort than they anticipated. Becoming GDPR compliant requires work, forethought, planning and very importantly, senior stakeholder buy-in.

For organisations that have done little to prepare, it may seem overwhelming, but taking a balanced approach, with a focus on high-risk personal data processing, can make the challenge more palatable. Organisations that really embrace the purpose and spirit of the GDPR can make privacy a valuable differentiator. They can turn compliance from a challenge to an opportunity, from a chore into a chance to differentiate and a tangible demonstration of their company values.

If your organisation has yet to fully understand how GDPR impacts it, your new compliance obligations and the extent of your personal data processing, you need to act now. It is never too late to start thinking about data protection. This Friday marks a significant date in what should be an ongoing journey towards data management maturity for every organisation – whether impacted by the GDPR or not.

Image credit: GDPR via Tech Talks


Office of the Privacy Commissioner, New Zealand
Source: Blog
24 May 2018, 8:58am AEST

2018 PAW Business Breakfast

The European Union’s General Data Protection Regulation (EU GDPR) and the complexity of the modern privacy landscape were the key discussion points for the Privacy Awareness Week (PAW) Business Breakfast yesterday morning.

Office of the Australian Information Commissioner
Source: News - OAIC
14 May 2018, 11:40pm AEST

Appearance before the Standing Committee on Access to Information, Privacy and Ethics to discuss the breach of personal information involving Cambridge Analytica and Facebook

Good morning, I very much appreciate the invitation to appear this morning — my first time before you as BC’s new Information and Privacy Commissioner. It is also a great pleasure to do so with my colleague Commissioner Elizabeth Denham. In fact it was only a few short weeks ago, that I was in the UK assisting Commissioner Denham with the investigation she touched on a moment ago.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
12 May 2018, 6:00am AEST

Supreme Court’s Alsford decision affirms role of the Privacy Act

R v Alsford is an important privacy decision. The Supreme Court has clarified the law in relation to voluntary requests for personal information by law enforcement agencies, and affirms the obligations and responsibilities of both the law enforcement requester and the responding agency.

The decision affirms the importance and policy of the Privacy Act, and its relationship with other relevant statutes, including the production order regime in the Search and Surveillance Act 2012, the test for the admissibility of evidence under section 30 of the Evidence Act 2006 and the test for an unreasonable search under section 21 of the New Zealand Bill of Rights Act 1990.

The Privacy Commissioner’s transparency reporting trial revealed confusion in the private sector about the lawful basis for law enforcement requests for personal information.

The Alsford case was a criminal pre-trial matter and it presented an opportunity for judicial clarification. The Privacy Commissioner was granted leave to be heard on the privacy issue. The Court’s decision was released in March 2017, subject to non-publication orders that have now been lifted.

The Court considered whether a production order should have been used to obtain power consumption data from electricity providers in an investigation of suspected cannabis cultivation, and whether the power consumption data was obtained in breach of privacy principle 11(e)(i) of the Privacy Act.

The Police made requests to three electricity providers for power consumption data from the defendant’s properties. All three companies disclosed the information sought under privacy principle 11(e)(i) of the Privacy Act. This manner of obtaining the power consumption information and its use to support subsequent production order and search warrant applications to uncover evidence of offending was one of the grounds of appeal.

The majority of the Supreme Court (4:1) affirmed the Police’s ability, in the circumstances and in the absence of a production order, to ask for power consumption information in the form of monthly aggregated data, despite finding that one of the three requests did not provide sufficient information to justify the resulting disclosure. That particular disclosure was therefore not justified in terms of principle 11(e) and, to that extent, there was a breach of the Privacy Act.

The decision also affirms that where the Police obtain information from service providers about customers on a voluntary basis, they must not infringe section 21 of the New Zealand Bill of Rights Act (the right to be secure against unreasonable search and seizure). 

The Supreme Court decision can be read here. 

You can also read the Privacy Commissioner's rules for information disclosures here.

Lastly, there is also the Privacy Commissioner's Commentary on R v Alsford.

Image credit: Kōtuku - Department of Conservation - New Zealand Birds A-Z

Office of the Privacy Commissioner, New Zealand
Source: Blog
11 May 2018, 1:26pm AEST

Celebrating 30 years of The Privacy Act

As part of our lead up to Privacy Awareness Week (PAW) 2018 we are taking the opportunity to celebrate thirty years since the introduction of the Australian Privacy Act 1988. For those of us who are old enough to cast our minds back to daily life thirty years ago, it really is remarkable to consider how differently we do things today, compared to 1988 — and how technology now shapes our everyday lives.

Office of the Australian Information Commissioner
Source: News - OAIC
11 May 2018, 12:01am AEST

Privacy regulators advise organizations to put privacy principles into practice

May 7-11 is Privacy Awareness Week and, to mark the occasion, members of the Asia Pacific Privacy Authorities (APPA) are reminding organizations to include privacy protection in their systems, processes, and corporate culture.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
8 May 2018, 6:00am AEST

Working with Industry 1: How Uber is driving privacy initiatives

This guest post was contributed by Richard Menzies, General Manager, Uber NZ, to mark Privacy Week. It is the first in our Working with Industry series of guest posts. The Working with Industry series do not necessarily reflect the views of our office and are published to inform and stimulate debate on topical privacy issues and developments.

As the adoption and integration of new technologies continues to grow, so does the importance of data protection, security and privacy. Globally as a company, Uber facilitates around 15 million trips every day and operates Uber Eats in more than 200 cities. More and more people look to ridesharing as a safe, affordable and reliable way to get around their cities and have great, tasty food delivered to their door. This year, like every year, Privacy Week is a great chance for all of us to take stock of our digital footprint.

Every one of these trips and deliveries creates a digital footprint - data which can be used to further improve Uber’s services, but that might also include personal information. We have a duty to protect that data and the privacy of our users, and we take that seriously.

Learning from past mistakes

Last year, our new CEO, Dara Khosrowshahi, publicised a security incident that took place in 2016. The incident involved two individuals from outside the company that inappropriately accessed old copies of user data stored on a third-party cloud-based service that we used at the time. The user data included names, email addresses and mobile phone numbers of 57 million Uber users, including approximately 100,000 Kiwis.

Our security engineering team was able to respond quickly and contain the risk for our users and the incident did not breach our corporate systems or infrastructure. We took steps to confirm that the two individuals did not further use or disseminate the information.

In addition to technical improvements made to prevent similar attacks in the future, we recommitted the company to more transparent disclosure practices in the future. Our CEO said at the time: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Uber’s approach to privacy

As Dara emphasised, we are committed to being open and upfront with our users and regulators. Under the direction of Tony West, Uber’s new general counsel, former general counsel for PepsiCo, and former US Associate Attorney General in the Department of Justice, our security and privacy teams are working toward a global standard for data protection and privacy beyond legal requirements. This includes improvements in the way we design and build our products, as well as how we manage all the user data we hold.

New features and products at Uber are developed with a review process to evaluate potential security and privacy risks, even down to the code level. Uber’s security engineering team works with our privacy team to ensure our data practices are not only compliant with applicable law, but also supported by the required engineering capabilities to enforce adoption across the company. Based on the level of sensitivity, we are able to leverage privacy protecting technologies such as differential privacy, which enables data scientists to analyse large data sets without exposing the identity of individual users. As well, we open-sourced these tools to make them available for use by privacy professionals at other organisations.

We’re also bringing privacy to the forefront of our products with user controls inside our mobile apps and websites. For example, users who choose not to share their device’s location information with Uber can choose to turn this off in their privacy settings and manually input their pick-up location. We also built a self-service tool for riders in the app if they choose to delete their Uber account. We are investing more resources in giving users more control over the data they share with us and there will be more features coming later this year.

Long term global vision

Last year, Uber updated its privacy policy to provide more, simplified information about how we collect user information and what it’s used for. As stewards of public trust, and across the industry as a whole, we need to understand the expectations of our users. Privacy is more than just a compliance checkbox or consent taking exercise - we want to make sure that we are only using our customers’ data in ways that are consistent with their expectations. As an industry, we’re increasingly seeing users react negatively when their data is used in ways that don’t meet their expectations.

We’re learning that we can no longer only build seamless protections behind the scenes in an effort to spare users the technical details. In fact, users are telling us they want to be more engaged in the process, so we are working on products improvements that will better assure our users that we have their back. Our CEO has made it very clear that moving forward, we will stand for safety, and that includes safeguarding the security and privacy of user information. Privacy and security are key business goals for us.

Building for New Zealand

We are particularly pleased to work closer with the Office of the Privacy Commissioner in New Zealand in its pursuit of mandatory breach notifications via the new Privacy Bill. We believe in working with government bodies which can hold all businesses to high standards, and will continue to support local representatives.

In a day and age when data has become an increasingly important cornerstone of modern commercial business, people need to know companies have their best interests at heart when it comes to protecting the privacy of their personal information.

All companies can learn from each other as we develop new technologies that offer better protection for consumers.

Companies owe it to their customers to treat their information with respect and to take every action and precaution possible to protect their privacy. Uber is committed to leading the way both locally and globally.

Image credit: Photo by Elliott Brown via Flickr

Office of the Privacy Commissioner, New Zealand
Source: Blog
7 May 2018, 7:00am AEST

Presentation to Social Media Camp: Why Privacy is Good Business

There are many tools for organizations, businesses, and public bodies to connect with citizens, potential customers, members, or users of your systems or products. But how you use these powerful social media tools is incredibly important because you will almost always be collecting people’s personal information. More often than not, that information can be very sensitive. Trust is at the heart of the transaction between users and social media platforms… trust that the personal information gathered about users is used properly and in accordance with privacy laws.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
4 May 2018, 6:00am AEST

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST