News

The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.

FTC Approves Final Order Preserving Competition in 3 Natural Gas Production Areas off the Coast of Louisiana

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that the proposed merger of energy infrastructure companies Enbridge Inc. and Spectra Energy Corp likely would harm competition in the market for pipeline transportation of natural gas in three production areas off the coast of Louisiana.

First announced in February 2017, the FTC’s complaint alleged the merger likely would reduce natural gas pipeline competition within the Green Canyon, Walker Ridge and Keathley Canyon production areas in the Gulf of Mexico. In portions of the affected areas, the FTC alleged, the merging parties’ pipelines are the two pipelines located closest to certain wells and, as a result, are likely the lowest cost pipeline transportation options for those wells.

The order requires that Enbridge establish firewalls to limit its access to non-public information about the Discovery Pipeline. Also, with two limited exceptions, board members of the Spectra-affiliated companies that hold a 40 percent share in the Discovery Pipeline must recuse themselves from any vote involving the pipeline.

The Commission vote approving the final order was 2-0. (FTC File No. 161 0215; the staff contact is Eric Cochran, Bureau of Competition, 202-326-3454.)

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
24 Mar 2017, 11:00pm AEDT

FTC Charges Online Marketing Scheme with Deceiving Shoppers

“Free” and “risk-free” trials come with hidden charges

The Federal Trade Commission has charged a group of online marketers with deceptively luring consumers with “free” and “risk-free” trials for cooking gadgets, golf equipment, and access to related online subscription services.

According to the FTC, the defendants asked people for their credit card information to cover shipping and handling, and then charged them for products and services without their consent. The FTC’s complaint alleges that Brian Bernheim, Joshua Bernheim, Jared Coates, Robert Koch, AAFE Products Corp., JBE International LLC, BSDC Inc., KADC Inc., Purestrike Inc., and BNRI Corp., formerly known as Bernheim and Rice Inc., violated the FTC Act and the Restore Online Shoppers’ Confidence Act.

According to the complaint, the defendants’ websites, TV infomercials and email deceived consumers by prominently claiming that their products and services were free, without clearly disclosing that they would start charging consumers if they did not cancel their “free trial” or return the “free” products. They also misrepresented their return, refund and cancellation policies. Specifically, they buried these terms in pages of fine print that people could reach only through a tiny hyperlink.

During the purchase process, the defendants signed consumers up for more “free” trials after forcing them to click through as many as 14 upsell pages to reach a final confirmation page.  According to the complaint, many of those pages included poorly disclosed, or undisclosed, additional “free trials” that resulted in yet more unauthorized charges. 

The defendants marketed their products under various company names, including Kitchen Advance, Gourmet Cooking Online, Gourmet Cooking Rewards, Medicus Golf, Kick X Tour Z Golf Balls, Golf Online Academy, Golf Tour Partners and Purestrike Swing Clinic.

The Commission vote authorizing the staff to file the complaint was 2-0. It was filed in the U.S. District Court for the Southern District of California.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).  Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
24 Mar 2017, 11:00pm AEDT

FTC Settlement Halts Allegedly Abusive Practices by Company Collecting Debts for More Than 500 Municipalities

An operation that collects debts owed to municipalities has agreed to stop engaging in allegedly illegal collection tactics under a settlement with the Federal Trade Commission.

According to the FTC, American Municipal Services Corporation and its owners, Lawrence Bergman and Gregory Pitchford, collect court fines, parking tickets, and debts for utility bills and other services on behalf of more than 500 municipalities in various states, including Alabama, Arkansas, Illinois, Kansas, Louisiana, Mississippi, Oklahoma and Texas.

Using “Warrant Enforcement Division” or “Municipal Enforcement Division” letterhead that falsely suggested that the letter was coming from a government agency, the defendants sent consumers an initial warning letter, and then a “FINAL NOTICE” falsely claiming, among other things, that the consumer was subject to imminent arrest for nonpayment, that their driver’s license may be suspended for nonpayment, and that the debts would be reported to consumer reporting agencies.

The defendants, who also employ collectors who call people in English and Spanish, are charged with violating the FTC Act and the Fair Debt Collection Practices Act (FDCPA).

Under a proposed stipulated order, the defendants are prohibited from making misrepresentations to collect debts, including: that an arrest warrant has been issued, that consumers must act immediately to avoid arrest, that failure to respond may lead to suspension of a driver’s license, that the defendants’ communications are from a government entity with arrest power, and that consumers’ payment status will be reported to credit reporting agencies.

The order also prohibits the defendants from making unsubstantiated claims and violating the FTC Act and the FDCPA, and imposes a $350,000 judgment that must be paid within seven days.

The Commission vote authorizing the staff to file the complaint and proposed stipulated final order was 2-0. The U.S. District Court for the Eastern District of Texas, Sherman Division, entered the order on March 21, 2017.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated final injunctions/orders have the force of law when approved and signed by the District Court judge.


Federal Trade Commission, United States
Source: Press Release Feed
24 Mar 2017, 11:00pm AEDT

Hager and Westpac - A bit more context, information and clarification

There has been a significant amount of media coverage about our investigation into Westpac bank disclosing journalist Nicky Hager’s bank account information to Police in 2014. In the course of that reporting, some misconceptions have emerged. Because of the interest in the case, and the potential implications for future practice, we have noted some points of clarification and context below.

Coverage of the story has focussed on our final opinion letter to Mr Hager that he chose to make public. The final opinion is the tail end of a long process that involved submissions, meetings and careful consideration of the facts of the case.

Key background facts

  1. Westpac disclosed Mr Hager’s account information during a Police investigation that followed the publication of Mr Hager’s book Dirty Politics.  In the course of investigating how Mr Hager got the information he used to write the book, Police asked Westpac for information about Mr Hager. Westpac provided Police with several months of Mr Hager’s transaction information.

Privacy Commissioner’s legal opinion

The Privacy Commissioner’s opinion is just that – it is not a ‘ruling’ and it is not legally binding. The Human Rights Review Tribunal – where Mr Hager has taken his case now – issues rulings. It hears evidence and argument afresh and comes to its own conclusion.

  1. We form a view of each case based on its specific facts. The law describes a range of circumstances where organisations like banks can disclose customer information, but they have to be able to justify why they did so.

  2. The views expressed in our correspondence are not changing or reforming the law. The Police sought Mr Hager’s information without seeking a production order from a court. That in itself is unremarkable; there is nothing in the Privacy Act that requires a production order before information may be released.

Westpac’s decision to disclose the information

  1. Westpac told us its authority to disclose Mr Hager’s banking details came from its terms and conditions, which Mr Hager had accepted. Principle 11(d) of the Privacy Act allows agencies to disclose personal information if the agency believes on reasonable grounds that the disclosure is authorised by the individual concerned. For example, a home insurer may share information with a mortgage holder, with customer consent.

  2. The relevant clause said that Westpac would disclose information to Police whenever it “reasonably believes that the disclosure will assist it to comply with any law, rules and regulations in New Zealand or overseas or will assist in the investigation, detection and/or prevention of fraud, money laundering or other criminal offences.”

Privacy Commissioner’s view of Westpac’s reasoning

  1. We found that a reasonable Westpac customer would think the phrase “fraud, money laundering or other criminal offences” suggests “other criminal offences” would be similar sorts of financial crimes. Police asked for Mr Hager’s information as part of an investigation involving section 249 of the Crimes Act (accessing a computer for a dishonest purpose), and fraud. Mr Hager himself was not a suspect in this investigation. Westpac has noted that this latter fact was not clear at the time the information was requested. We therefore formed our view that Westpac could not reasonably believe Mr Hager had given his consent for his account information to be disclosed to the Police, given that set of specific facts.

  2. When an agency sets its terms and conditions, it needs to abide by them. Our view was that Westpac’s interpretation of its terms and conditions was too broad, particularly in its definition of “other criminal offences”.

  3. Westpac also argued that the disclosure was allowed under principle 11(e)(i), which allows agencies to disclose information “to avoid prejudice to the maintenance of the law.” We thought this argument was difficult to sustain. If Westpac thought that Mr Hager had authorised it to disclose his information to Police, then “maintenance of the law” didn’t need to enter consideration. It is not consistent to disclose information based on both criteria because they address different circumstances, and one of the two should be enough to authorise disclosure.

Why do production orders and search warrants exist?

  1. Production orders oblige agencies to provide information. The Privacy Act exceptions do not oblige an agency to disclose information - they enable an agency to disclose information.

How does the “maintenance of the law” exception work?

  1. The Privacy Act maintenance of the law exception (principle 11(e)(i)) allows an agency to give information to the Police, provided certain criteria are met.

  2. This exception does not give Police the right to see any information they would like in order to maintain the law. Rather, it only applies to situations where not seeing the information would prejudice, or do some harm to, maintaining the law. Fraud is a good example. If banks suspect fraud, they are absolutely within their rights to disclose information to the authorities. Police cannot investigate without good information from the bank. Similarly, in missing persons’ cases, bank transactions could indicate where someone is. Under these circumstances, if the agency refused to provide the information to Police, it could be hindering an investigation or, in other words, prejudicing the maintenance of the law, and they could therefore provide the information without breaching the individual’s privacy.

  3. A good way to think of the maintenance of the law exception is that it functions as “a shield, not a sword.” Rather than a government agency saying “you must give this information so we can maintain the law”, the exception enables an agency receiving the request to say “explain to me why not giving this information would stop you from maintaining the law.”

  4. The case law in this area underlines that when government agencies ask for information under this exception, they need to provide reasons why they think the exception applies. In the Westpac-Hager complaint, Police did not provide any reasons, so Westpac had no way to assess whether the “maintenance of the law” exception applied.

Role of the Human Rights Review Tribunal

  1. Mr Hager’s legal counsel has indicated that he will be taking the case to the Human Rights Review Tribunal. The Tribunal will hear the case “afresh” (i.e. without taking the Privacy Commissioner’s view into consideration), and then issue a judgment. Tribunal judgments, unlike findings from this office, are enforceable rulings. We will be keeping a keen eye on the outcome in order to inform our approach to future cases.

Image credit: Brook Ward via Flickr

Office of the Privacy Commissioner, New Zealand
Source: Blog
22 Mar 2017, 7:37am AEDT

Breach Cases 2: Don't bite when a phisher calls

A recent data breach involved a deliberate email phishing* attack on an industry organisation. The email purported to come from the chief executive and requested a copy of the membership list (names and email addresses).

At the time, the CEO was away from the office. This fact could have been known by the person who sent the phish, as a high-profile person’s travel for work is often publicly known. Because this attack was targeted, it was not easy to spot. One of the reply addresses was unfamiliar, but the other was the CEO’s work email address, so the unfamiliar one could have been assumed to be their personal email address.

The request was also plausible, particularly since the information asked for was limited to names and email addresses.

The most effective way for an organisation to protect against this form of attack would be to have a policy of independently verifying requests for sensitive information. Since this might involve junior staff having to contact senior management to verify a request, employees need to be confident that they are expected to do so.

A basic phish can usually be spotted by moving your mouse cursor over the link without clicking. The text that pops up when you do so will usually look different from what you might expect. This difference might be just one character. Moving the mouse cursor over the reply email address can similarly be helpful when in doubt.

The basic phishing email below is an example. It should not have been addressed to “undisclosed-recipients” as your bank can address an email just to you. And you can see the box that popped up when the mouse cursor was held over the link. An address of “alex-parus.ru/” does not seem likely for a New Zealand company to use. 

We regularly get data breach notifications and, this year, we will be sharing the lessons learned from these more regularly. If you want to know more about data breaches please check out our Data Safety Toolkit.

Three things to do when you get a phishing message

1. Report it! 

  • Let others in your organisation know. If you have IT support people, forward the email with a warning that it is a phishing email. They should handle the rest. In a small organisation, let everyone know - but do not forward the message. People have been known to click on the links in such situations “to see what happens”! You can convert the link to plain text so people can see it, without it being so dangerous.
  • Report the phish to the Electronic Messaging Compliance Unit at the Department of Internal Affairs (DIA) by forwarding the email to scam@reportspam.co.nz or by forwarding the TXT for free to the shortcode 7726 (SPAM).
  • Let the other organisation know. If the message pretended to come from an organisation, then it is helpful to let them know. It can take a little time looking on the organisation’s website (type the real web address in yourself – don’t click on that link in the phishing email!) to find where to report the spam. Netsafe have listed the common New Zealand bank reporting addresses here. 

2. Delete it!

3. Get help!

  • If you responded to the phishing email with personal information, contact us using this form or phone us on 0800 803 909 (Monday-Friday between 10am-3pm).
  • You may want to seek help in handling enquiries by affected people. IDCARE is a sponsored support service. Contact them on 0800 201 415 or contact@idcare.org.
  • You should still report it as above. DIA may pass on your report to the Police, Netsafe or MBIE (Consumer Affairs) for further help.

For more examples of and explanations about phishing emails, visit these links – here and here.

* Phishing is a term invented, by analogy with fishing, for emailing scams where the email is the “bait” and a link is the “hook”. It is a form of social engineering that was previously done by letter or in person, but can be done so much more prolifically using email. Phishing emails are generally sent out to a lot of people, in the hope a few will respond.

Image credit: Flying Phish by Chris Slane.

Office of the Privacy Commissioner, New Zealand
Source: Blog
20 Mar 2017, 12:11pm AEDT

Me and AboutMe

I recently received a bill from a local authority relating to work carried out on my property before I bought it. I was not responsible for the bill and I had challenged it successfully on three previous occasions. But it kept coming back. 

Four years after my first contact with the local authority over the bill, I received a new notice. It was clear that I needed information relating to my previous contact with the local authority over the bill, if I wanted to end this saga once and for all. The local authority would hold the information relating to my earlier contact and this would amount to personal information about me.

One of the most common complaints made to the Privacy Commissioner’s office is in relation to principle 6. It is the principle in the Privacy Act that gives each of us the right to obtain confirmation from an agency as to whether it holds personal information about us, and it gives us the right to access that information.

The complaints we receive are often about the agency not providing the information within the statutory time frame. Section 40 of the Privacy Act says that time frame should be no later than 20 working days from the day the request is received. Section 41 allows an agency to extend the time limit if it has good reason to do so.

The Privacy Act does not contain a set form for individuals to use for principle 6 requests and therefore these can sometimes get lost amongst other correspondence received by an agency. This can cause unnecessary delays for the person requesting their information.

For my request to the local authority, I decided to use our office’s AboutMe online tool.

AboutMe helps individuals to create standardised principle 6 requests that go directly to a relevant email address at the agency concerned. Using AboutMe, a person can request personal information about themselves from nearly 300 public and private sector agencies. If an agency is not listed on AboutMe, simply enter the email address you want your request to go to.

I followed the easy instructions to request my personal information from the local authority. It was one of the agencies listed on AboutMe, and the whole process took about one minute to complete. I received a reply the following day from the local authority acknowledging my request. 

As it turns out, the local authority resolved the issue of the bill which was the only reason I was seeking the information about me. This was a bonus. Trying to resolve disputes with large agencies (this particular one has almost 10,000 employees) can sometimes involve sitting on the phone for hours or sending emails that may be overlooked.

The next time I need personal information, I will definitely be using AboutMe.   

Office of the Privacy Commissioner, New Zealand
Source: Blog
17 Mar 2017, 8:57am AEDT

Data + Privacy Asia Pacific Conference 2017

You can now register for the Data + Privacy Asia Pacific conference held in Sydney on 12 July — an event which will set the agenda on the latest privacy and data protection trends, and deliver insights into upcoming regulation and policy developments.

Office of the Australian Information Commissioner
Source: News - OAIC
8 Mar 2017, 4:00am AEDT

Commissioner to audit ICBC information sharing agreements

Acting Information and Privacy Commissioner Drew McArthur has determined that the office will audit information sharing agreements of the Insurance Corporation of British Columbia (ICBC).

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
24 Feb 2017, 7:00am AEDT

Swiping right and privacy rights

Dating apps are all about getting personal.

But they can also share a lot of your personal information, and not just with your hook ups.

So before sending your smoothest icebreaker, check how you can protect your personal information when sharing your dating profile.

Office of the Australian Information Commissioner
Source: News - OAIC
13 Feb 2017, 11:04pm AEDT

From Regulated to Regulator: Two Perspectives on Privacy

Keynote address at 2017 Reboot conference.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
10 Feb 2017, 7:00am AEDT

Privacy and Security in Health Care

Presentation delivered via Skype

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
10 Feb 2017, 7:00am AEDT

Easy ways to protect your privacy this Safer Internet Day

This Safer Internet Day, take charge of how much personal information you share and make public with these quick privacy tips for using Snapchat, Instagram and Facebook.

Office of the Australian Information Commissioner
Source: News - OAIC
7 Feb 2017, 4:08am AEDT

Good Data Protection Policies Enhance Trust in HR Consultancy

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
7 Dec 2016, 1:00pm AEDT

Data Protection by Design Cornerstone of Market Research Firm's PDPA Compliance

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
30 Nov 2016, 12:00pm AEDT

Online Grocer Grows Personal Data Protection Along with Business

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
23 Nov 2016, 1:00pm AEDT

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST