Skip to main content
You are here: News

News

The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.

Array

Audit report commends WorkSafeBC on acces and privacy practices

Acting Information and Privacy Commissioner Drew McArthur has found that WorkSafeBC is generally fulfilling its duty under the Freedom of Information and Protection of Privacy Act (FIPPA) to respond to access requests and protect the personal information of British Columbians. The findings were published today in Audit & Compliance Report F18-01: WorkSafeBC: Management of access and privacy requests and complaints.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
18 Jan 2018, 7:00am AEDT

FTC Posts Blog on Voices for Liberty Video Project

The Federal Trade Commission today issued a blog highlighting a series of videos featuring Acting Chairman Maureen K. Ohlhausen and four guests who shared their stories about the burdens of unnecessary occupational licensing regulations.

During the “fireside chat” held last month, Acting Chairman Ohlhausen spoke with a natural hair braider, as well as an educator, an emergency medical technician, and a licensed esthetician, three of whom are military spouses.

Acting Chairman Ohlhausen launched the agency’s Economic Liberty Task Force in early 2017. Prior to that, occupational licensing reform was a core focus of the FTC’s competition advocacy program, which urges policymakers to reduce or eliminate regulations that stifle competition and are not needed to protect consumers.

In addition to the blog post, Voices for Liberty Videos: “Fireside chat” participants explain burdens of unnecessary occupational licensing, the agency’s Economic Liberty Task Force website has a range of other information about efforts to address regulatory hurdles to job growth, including the proliferation of occupational licensing.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
17 Jan 2018, 11:00pm AEDT

Commissioner to release findings of WorkSafeBC audit

On Wednesday, January 17, 2018 at 9:30 am, Acting Information and Privacy Commissioner Drew McArthur will release the results of an audit into the management of access and privacy requests and complaints by WorkSafeBC.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
17 Jan 2018, 7:00am AEDT

FTC Returns Money to Consumers Who Bought Purported Business Coaching Programs

The Federal Trade Commission is mailing 7,583 checks totaling more than $2.2 million to people who lost money to a telemarketing scheme offering business coaching services. As alleged in the FTC’s complaints, the defendants falsely promised consumers they would earn substantial income from home-based Internet businesses if they used the defendants’ services.

In June 2017, the defendants, who operated under various names, including Professional Learning Institute, Pinnacle Learning Institute, Advantage Education, and Discover Education, were banned from selling business coaching services and work-at-home opportunities under settlements with the FTC.

Each check is worth $295. Recipients should deposit or cash checks within 60 days. The FTC never requires people to pay money or provide account information to cash a refund check. If recipients have questions about the case, they should contact the FTC’s refund administrator, Rust Consulting Inc., at 855-255-1885.

FTC law enforcement actions led to more than $6.4 billion in refunds for consumers in a one-year period between July 2016 and June 2017. To learn more about the FTC’s refund program, visit www.ftc.gov/refunds.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
16 Jan 2018, 11:00pm AEDT

FTC Approves Final Consent Order in Victory Media Advertising Case

Following a public comment period, the Federal Trade Commission has issued a final order settling charges that Victory Media violated Section 5 of the FTC Act in connection with its promotion of post-secondary schools to military consumers.

According to the FTC’s complaint, some of the company’s materials and tools deceptively promoted schools that paid the company for those promotions, including some schools the company had not deemed “military friendly.”

The order bars the company, in connection with paid promotional content regarding post-secondary schools, from misrepresenting the scope of the search conducted by any search tool, any material connection between Victory Media and any school, or that paid commercial advertising is independent content. It further requires Victory Media, in connection with an endorsement of any post-secondary schools, to disclose all material connections between the endorser and the schools.

The Commission vote approving the final consent order and letters to the public commenters was 2-0.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
12 Jan 2018, 11:00pm AEDT

New look, same website

It’s a new year — and a new look for the OAIC.

Office of the Australian Information Commissioner
Source: News - OAIC
7 Jan 2018, 2:37am AEDT

Nosing around the Customs and Excise Bill

Cast your mind back to 2013. Same-sex marriage was legalised in NZ, we learnt more about the activities of the NSA than we ever cared to know, Prince George was born, Margaret Thatcher died and our long Marmite (marmageddon) nightmare finally ended.

2013 also marked the year the New Zealand Customs Service began reviewing its 17-year-old legislation, the Customs and Excise Act 1996. It is now 2017 (nearly 2018), the Customs and Excise Act is 21 years old and the Customs and Excise Bill has just had its second reading in Parliament.

Our office has been involved in the Customs and Excise Act’s review since its inception. We are pleased that following the Foreign Affairs Defence and Trade Committee’s consideration of the Bill, New Zealanders are going to have:

  • clearer legislation governing the searching of their electronic devices;
  • greater protections for privileged information gained from these searches; and
  • better oversight of Customs’ information sharing practices.

Electronic device searches

The border is our first line of defence against many threats. Customs needs the ability to fully investigate these threats, which can include examining electronic devices. However, it is also important that NZ Customs consider individual privacy.

We’ve talked about NZ Customs having access to people’s electronic devices like smartphones, tablets and laptops before – see here and here. Phones in particular are a touchy issue. In 2017, smartphones rule and often contain our lives. The information they hold is sensitive, highly personal and needs protection from prying eyes.

We were therefore pleased to see that the Bill reflects[1] the advice we gave Customs about requiring a threshold before a device is searched. The threshold is reflected in the two types of electronic device searches Customs officers can undertake under the Bill: an ‘initial search’ and a ‘full search’.

Initial search

For an initial search of an electronic device, the Bill requires Customs officers to have “reasonable cause to suspect” the person in possession of the device is or is about to be involved in the commission of an offence. An initial search means:

  • the device may be searched manually or using software* that scans for objectionable images like child pornography;
  • the transmitting function must be turned off; and
  • Customs can’t keep any information gained from an initial search unless it shows evidence of offending.

Full search

To conduct a full search, Customs officers must have “reasonable cause to believe” the device contains evidential material about offending. A full search means:

  • the device may be accessed and searched using any technology aid;
  • the information contained in the device may be copied (including by cloning);
  • the device may be detained in order to conduct the search;
  • the search must not damage the device; and
  • the transmitting function must be turned off.

Duty to assist

People having their device searched have a ‘duty to assist’ NZ Customs. This means that if your device is locked or encrypted, you must give the Customs officer the information or assistance they need to gain access. Failing to do so may result in a fine of up to $5,000 and your device being held (until access can be granted through other means).

Information sharing

The Bill also deals with NZ Customs’ ability to share information through direct access agreements, disclosures to New Zealand government agencies and disclosures to international government agencies.[2]  NZ Customs wanted:

-       an expanded ability for the Chief Executive to enter into a direct access agreement with any other government agency for a broad range of functions;

-       a new power for the Chief Executive to disclose information to any other government agency; and

-       the extension of an existing power to disclose “any information” overseas without any requirement to consider the relevant risks of that disclosure such as human rights considerations.

During the select committee process, the Privacy Commissioner made submissions that the information sharing clauses presented significant privacy concerns – our written submission can be found here. In short, we said:

-       the expanded ability for the Chief Executive to enter into direct access agreements should be removed as this can already be facilitated through the AISA provisions in Part 9A of the Privacy Act;

-       the new power for the Chief Executive to disclose information to any other government agency should be removed. Information disclosure could already be achieved through either an AISA or the regulation making power found in the Customs and Excise Act. The Commissioner noted that entering into information sharing agreements such as those proposed, without ministerial oversight, represented an inappropriate delegation of power to the Chief Executive and would inappropriately intrude on the privacy of New Zealanders; and

-       the extension of the power to share information overseas should be amended to restrict the information that Customs is able to disclose overseas, ensure adequate oversight and review of international information disclosures and require NZ Customs to consider the implications of the sharing such as torture or capital punishment. The Commissioner noted that NZ Customs collects a vast amount of sensitive information including political affiliation, sexual orientation and religion and that this could put persons at risk if shared with a less progressive country.

As a result of our submissions the Select Committee amended the Bill to provide for greater transparency and oversight of Customs information sharing. The amendments included:

-       agreements for direct access must be entered into by the Minister of Customs, specify why the accessing agency needs the information and how it will be accessed, have safeguards like audit and compliance regimes and proper procedures for access, use, disclosure and retention of information and require the Privacy Commissioner to be consulted on any new agreement;

-       the ability for the chief executive of NZ Customs to enter into a disclosure agreement with another agency is removed and reassigned to the Minister of Customs. The Privacy Commissioner is required to be consulted on any new agreement;

-       both the ability to enter into direct access agreements and disclosure agreements require the Minister to be satisfied of certain things, such as the reasonableness of the information to be accessed/shared and that there are adequate privacy safeguards;

-       international disclosure agreements can be reviewed at the request of the Commissioner.

We are grateful to Customs officials for their proactive engagement with our office and the constructive manner in which they approached our feedback.

The amendments to the power to search electronic devices and the information sharing provisions in the Bill are major improvements on the original draft and will help ensure that our borders can be properly protected while still protecting individual privacy. The Bill will be reported back for its Committee of the Whole reading in the House in 2018.  

* NB: Any technology aids used for an initial search must have completed a privacy impact assessment in consultation with the Privacy Commissioner.

Image credits:

Watching the watchers - Slane Cartoons

Customs logo via Wikimedia Commons.


 

[1] Clause 207

[2] Clauses 293, 294 and 297

Office of the Privacy Commissioner, New Zealand
Source: Blog
19 Dec 2017, 2:30pm AEDT

Highlights of APPA 48

Privacy authorities in our region rounded off the year in Vancouver with the 48th Asia Pacific Privacy Authorities (APPA) Forum on 16-17 November. The meeting was hosted by the Office of the Privacy Commissioner of Canada (OPC-Canada) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC-BC). Our office was represented by the Commissioner, John Edwards, and myself.

Our office is an active and fully contributing member of APPA and we gain considerable value from being able to learn of the work of our peers, hear of the problems they face and the solutions to problems they’ve engineered and to ‘pick the brains’ of other Commissioners during formal sessions and in the corridors and in breaks.

Kicking off

The day preceding the formal events was a workshop put on by an international think-tank the Centre of Information Policy Leadership (CIPL). This was an opportunity not only to hear of some of CIPL’s ongoing privacy projects but also to meet with and hear from some of the local Canadian business privacy leaders.

APPA 48 proper began on 15 November with a short bus tour around the central city for delegates to get to know each other or renew acquaintances before getting down to business with a half-day of presentations focused upon the value of independent research in privacy. The event showcased results of the OPC-Canada’s Contribution Programme which funds research by other bodies such as academics and privacy advocacy groups.

Among the interesting research showcased, was research which led to a documentary film about the genealogy industry. Edited to manageable commercial proportions with Contributions Programme funding support, the documentary maker Julia Creet’s film shows her quest to unearth the genealogy industry's key players and examine their motivations. It raised questions about the ownership and privacy of personal data, particularly the merging of genetic and genealogical information. The film is a cautionary tale for anybody undertaking genealogical research. You can find out more here.

I shared the stage with the UK Information Commissioner and a representative of the Federal Trade Commission to explain approaches to partner with independent researchers in New Zealand, Britain and the United States. From a New Zealand perspective, I spoke of the experience in setting up the Privacy Good Research Fund and running the first round, last year’s Privacy Research Symposium and Privacy Research Week and of the challenges we’ve faced in launching a second round.

The UK Commissioner discussed their recently launched grants programme which is very similar to our Privacy Good Research Fund, but with a vastly larger budget of over NZ$400,000. The FTC spoke of their innovative PrivacyCon events that bring together researchers from across the US.

Day one

The first day of the more formal roundtable began with a broader session where representatives from organisations that are not part of APPA are invited to speak in sessions that focus on a variety of privacy and data protection topics. In the Applied Privacy session, representatives of Google Canada, Facebook, Apple and Microsoft Canada discussed how their companies respond internally to privacy risks and breaches and how they practice privacy compliance.

A session on re-thinking consent was a lively mix of privacy commentators discussing potential solutions for reconfiguring the role of consent in privacy protection. There’s more information about the issue of consent on the Canadian Office of the Privacy Commissioner’s website here.

When the closed session began after lunch, it began with an update on how the European Union’s General Data Protection Regulation would be implemented when it takes effect on 25 May 2018. We heard from Isabelle Falque-Pierrotin, the Chair of the French privacy regulator CNIL, Christian D’Cunha, from the Office of the European Data Protection Supervisor, and Elizabeth Denham, the UK’s Information Commissioner.

Our office has received a number of enquiries about the impending GDPR and you can find some advice for New Zealand companies on our website here.

Day two

The closed session for APPA members continued on day two. A regular feature at APPA is the jurisdiction reports from each of the member data protection authorities. It’s a crucial way for each of us to be made aware of the main concerns and issues faced by our international colleagues. The five main subject areas are compliance and enforcement, cross-border data flows, law reform, outreach and education, and business and innovation.

Each APPA member submits a jurisdiction report and it is interesting to note common and uncommon areas of interest. For example, the newest APPA member, the Philippines National Privacy Commission highlighted that, according to a privacy survey, only 13 percent of Filipinos were aware of the country’s Data Privacy Act - although 85 percent said their privacy rights were important to them. The Philippines Commission is hard at work in many creative and innovative ways in seeking to create awareness of the new privacy rights in fairly challenging conditions given its population of 103 million scattered over 7,000 islands. 

In a session on other international privacy networks, we heard updates about the APEC Cross-Border Privacy Rules, the International Conference of Data Protection and Privacy Commissioners, the Global Privacy Enforcement Network and the Common Thread Network.

I presented a report on the work of the APPA Comparative Statistics Working Group that is led by New Zealand. Recent highlights included finalising a regional awareness benchmark, contributing to the organisation of an OECD Roundtable and the tabling of a paper that compared APPA authorities to those in the rest of the world.

New Zealand Privacy Commissioner John Edwards then facilitated a discussion about access by responsible government ministers to personal information held by departments they oversee. It was a wide ranging discussion on participants’ experience and views on the practices in their jurisdictions, the limits placed on access, the issues that had arisen and the responses of various stakeholders. The topic raised challenging and delicate issues in the intersections of competing interests such as public sector governance and accountabilities, ethics, politics, privacy and the law.

At the request of New Zealand, members also shared their thoughts on the merits of participating as amici in the US Supreme Court case of the US government v Microsoft. Following the discussion, New Zealand decided that it was worth pursuing and last week filed this submission.

APPA 48 concluded with a presentation by the hosts of the coming 49th and 50th APPA forums. The 49th forum will be hosted by the US Federal Trade Commission in June 2018 and the 50th will be hosted by our office in Wellington from 3-4th December 2018.

You can read more about APPA 48 on the APPA website here.

Image credit: Purple finch via John J. Audobon's Birds of America.

Office of the Privacy Commissioner, New Zealand
Source: Blog
19 Dec 2017, 9:10am AEDT

What’s happening with the Trans-Pacific Partnership?

Rumours of the demise of the Trans-Pacific Partnership (TPP) have proved premature. It has been given new life - with some important changes – as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). What has happened and does this mean anything for privacy?

By way of background, when the United States pulled out of the TPP, this meant that the trade treaty could not proceed. This was due to an unusual formula for commencement based upon the size of the economies signing up, not merely the number. Effectively, the big economies, the US and Japan, each had a veto over the agreement even if all other TPP partners had signed on.

However, with the departure of the US, the remaining 11 TPP partner economies decided to forge ahead anyway with TPP Mark II or, more correctly, the retitled Comprehensive and Progressive Agreement for Trans-Pacific Partnership.

Important differences

The CPTPP is based on the exact text of the TPP. However, there are some important differences.

Perhaps most significantly, some 20 provisions from TPP have been ‘suspended’ meaning that, in effect, they’re not part of what is now to be adopted and that agreement of all CPTPP members would be needed for these provisions to apply in the future.

It would appear that those suspended provisions were included in the TPP at the behest of the US and, one presumes, only reluctantly by the other 11 partners. This helpful fact sheet - TPP and CPTPP: The differences explained - from the Ministry of Foreign Affairs and Trade (MFAT) notes that the suspensions will remove some provisions that caused anxiety in sections of the New Zealand public (e.g. concerns that TPP might put Pharmac’s purchasing model at risk or unduly favour copyright owners at the expense of the public).

MFAT has published a lot of information on CPTPP on its website. It has highlighted the importance of the agreement including, for instance, the fact that it includes four countries with which New Zealand has never had a free trade agreement (Japan, Canada, Mexico and Peru). As an aside, each of those four countries has a privacy authority that is a member of the Asia Pacific Privacy Authorities Forum, the main network in our region for cooperation amongst privacy regulators.

Privacy regulation

So has anything changed between TPP and CPTPP in relation to privacy regulation? In relation to the principal provisions found in the Electronic Commerce chapter, it appears that the position remains the same as described in earlier blog posts in October and November 2015. 

The key provision is Article 14.8 which is entitled “Personal information protection”.

The article commences with a high level statement recording that the parties “recognise the economic and social benefits of protecting the personal information of users of electronic commerce and the contribution that this makes to enhancing consumer confidence in electronic commerce.”

To give effect to that high level aspiration, the article imposes a positive obligation on each party. It provides that they “shall” adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce.

The article adds that “in the development of its legal framework for the protection of personal information, each party should take into account principles and guidelines of relevant international bodies”.

The article goes onto provide that “each party shall endeavour to adopt non-discriminatory practices in protecting users of electronic commerce from personal information protection violations occurring within its jurisdiction”.

The article further provides that each party should publish information on the personal information protections it provides to users of electronic commerce, including how individuals can pursue remedies and business can comply.

Flexible implementation

The article concludes with a fairly lengthy statement:

“Recognising that the parties may take different legal approaches to protecting personal information, each party should encourage the development of mechanisms to promote compatibility between these different regimes. These mechanisms may include the recognition of regulatory outcomes, whether accorded autonomously or by mutual arrangement, or broader international frameworks. To this end, the parties shall endeavour to exchange information on any such mechanisms applied in their jurisdictions and explore ways to extend these or other suitable arrangements to promote compatibility between them.”

Although not stated expressly, it might be expected that one such mechanism could be the APEC Cross Border Privacy Rules system (CBPRs).

In closing, it might be said that for a short while TPP appeared to be destined for a dead end but there has been an impressive turnaround and son-of-TPP may have a reasonable chance of adoption. Although in this age it seems unlikely that any trade agreement will achieve wide popularity, it appears that the 11 partners – with the benefit of not having the US in the negotiations - have managed to remove some of the aspects that had attracted particular controversy to TPP.

On the privacy front, the agreement carries clear obligations on the parties to adopt or maintain a legal framework that provides for the protection of the personal information, at least in the context of the users of electronic commerce, which is a new obligation for this region.

Image credit: Wave via Pixabay - Creative Commons licence 

 

Office of the Privacy Commissioner, New Zealand
Source: Blog
15 Dec 2017, 1:18pm AEDT

Notifiable Data Breaches scheme resources finalised

Following consultation, the Notifiable Data Breaches (NDB) scheme resources have been finalised. You can view all of the resources on our NDB webpage.

Office of the Australian Information Commissioner
Source: News - OAIC
15 Dec 2017, 2:59am AEDT

What the Notifiable Data Breaches scheme means for schools

The Notifiable Data Breaches (NDB) scheme comes into effect on 22 February 2018, and private schools and private tertiary educational institutions across Australia will be required to comply.

Office of the Australian Information Commissioner
Source: News - OAIC
6 Dec 2017, 3:43am AEDT

Speech to the IoT/Big Data Healthcare Summit, Western Canada

I’m here today as BC’s Acting Information and Privacy Commissioner to offer my perspective on Big Data and the Internet of Things…. well, let’s be honest and call it what it really is - the Internet of EVERYthing. From the rubber ducky in your child’s bathtub to your smart tea kettle, connected devices truly are everywhere.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
30 Nov 2017, 7:00am AEDT

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST