Skip to main content
You are here: News


The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.


Working with Industry 2: Are you ready for the GDPR?

This guest post was contributed by Nicola Hermansson, APAC Data Protection & Privacy Leader at EY. It is the second in our Working with Industry series of guest posts. The Working with Industry series do not necessarily reflect the views of our office and are published to inform and stimulate debate on topical privacy issues and developments.

Friday 25 May is D-Day for the European Union’s General Data Protection Regulation (GDPR), yet many organisations in this part of the world don’t know what it is and how it will impact them. Only 12 percent of Asia Pacific businesses impacted by GDPR have a plan to address it.

GDPR: What is it, who does it apply to, and why should you care?

The GDPR is an EU regulation, but it has global reach. Essentially, it requires that organisations doing business in the EU or processing data of individuals in the EU implement a number of data protections. A failure to do so can be met with fines of up to 4 percent of global annual turnover or €20million, whichever is greater. Many New Zealand organisations with EU connections are affected and will need to change their processes to be compliant.

Data breaches happen too often. The failure of organisations to protect and respect their customers’ personal data has led to customer trust being eroded. The GDPR requires organisations to be more responsible for their customer and employee personal data, and gives control back to individuals. In addition, the GDPR is setting a new global standard for the management of personal data, which is causing change well beyond the borders of the EU.

What does it mean for your organisation?

Organisations need to be accountable and proactive. A good start is to document all personal data processing activities and map data flows so that the organisation is aware of what data it has and how that data is used and managed.

The GDPR focuses on facilitating the rights of individuals, including the right to have data collected, used and disclosed in a robust manner, rights of access to data, the portability of data between various organisations, and the right to be “forgotten”.

Consent for processing personal data must be freely given, specific, informed and unambiguous. It cannot be bundled with other written agreements. A catch-all tick box is no longer good enough. Having privacy notices hidden in general terms and conditions is no longer acceptable.

Organisations need to incorporate data protection into the way that they manage their business using privacy impact assessments and Privacy by Design principles to embed privacy into the way that business is done.

Certain breaches must be disclosed within 72 hours, to both supervisory authorities and potentially to affected individuals.

Key challenges of GDPR

In this data-driven era, organisations desire more and more personal data, but have not been demonstrating the same desire to protect it. Many organisations are struggling to identify what personal data they possess, where it is, who has access to it, what third parties they have given it to, and what they are using it for.  A set and forget approach cannot be adopted when business is constantly challenged to use existing data sets in new ways.

The GDPR demands accountability – organisations need to get their data under control and demonstrate compliance. Many organisations who have not previously focused on data protection are finding that complying with the GDPR is taking more effort than they anticipated. Becoming GDPR compliant requires work, forethought, planning and very importantly, senior stakeholder buy-in.

For organisations that have done little to prepare, it may seem overwhelming, but taking a balanced approach, with a focus on high-risk personal data processing, can make the challenge more palatable. Organisations that really embrace the purpose and spirit of the GDPR can make privacy a valuable differentiator. They can turn compliance from a challenge to an opportunity, from a chore into a chance to differentiate and a tangible demonstration of their company values.

If your organisation has yet to fully understand how GDPR impacts it, your new compliance obligations and the extent of your personal data processing, you need to act now. It is never too late to start thinking about data protection. This Friday marks a significant date in what should be an ongoing journey towards data management maturity for every organisation – whether impacted by the GDPR or not.

Image credit: GDPR via Tech Talks


Office of the Privacy Commissioner, New Zealand
Source: Blog
24 May 2018, 8:58am AEST

FTC Action Halts Deceptive Robocalls Aimed at Small Business Owners

The Federal Trade Commission has charged a Florida-based scheme with deceiving small business owners by falsely claiming to represent Google, falsely threatening businesses with removal from Google search results, and falsely promising first-place or first-page placement in Google search results.

According to the FTC, the Point Break defendants have no relationship with Google, and yet they barrage consumers with robocalls threatening that Google will label their business “permanently closed” unless they “press one” to speak with a “Google specialist.” Telemarketers tell those who respond that, for a purported one-time fee ranging from $300 to $700, they can “claim and verify” their Google listing and have unique “keywords” so their business will appear prominently when people search for their products or services.

Consumers who pay receive a follow-up call from the defendants’ telemarketers, pitching a second program that the defendants falsely claim can guarantee top search result placements for a one-time payment of $949.99 and recurring monthly payments of $169.99 or $99.99.

According to the FTC’s complaint, in October 2017, the defendants temporarily lost the ability to accept payments by credit card due to high chargeback rates (when consumers dispute credit card transactions).  As a result, they took money, usually $100, from at least 250 of their customers’ checking accounts without the customers’ advance knowledge, consent, or authorization, and with no apparent reason or justification.

The defendants, who are charged with violating the FTC Act, are Pointbreak Media, LLC, also d/b/a Point Break Media, Point Break Solutions and Kivanni Marketing; DCP Marketing, LLC, also d/b/a Point Break; Modern Spotlight LLC; Modern Spotlight Group LLC, also d/b/a Modern Spotlight; Modern Internet Marketing LLC; Modern Source Media, LLC, also d/b/a Modern Source; Perfect Image Online LLC; Dustin Pillonato; Justin Ramsey; Aaron Michael Jones, also known as Michael Aaron Jones and Mike Jones; Ricardo Diaz; Michael Pocker; and Steffan Molina.

The court has appointed a temporary receiver over the operation and has frozen the defendants’ assets during litigation. The FTC seeks to end the alleged illegal practices and obtain money for return to consumers.

The Commission vote approving the complaint was 2-0. The U.S. District Court for the Southern District of Florida entered a temporary restraining order against the defendants on May 8, 2018.

The FTC acknowledges the assistance of Google during the investigation of this case.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
23 May 2018, 10:00pm AEST

FTC Announces Refund Claim Process for Consumers Who Bought the NutriMost Weight-Loss System in the Pittsburgh Area

The Federal Trade Commission today announced a refund claim process in its case against NutriMost. The Commission has posted a refund claim form online. Consumers who bought the NutriMost Ultimate Fat Loss System in the Pittsburgh, Pennsylvania area between October 1, 2012 and August 9, 2016, are eligible to apply for a refund.

Specifically, consumers who bought the System at one of the following Pittsburgh locations are eligible: 1) Churchill/Penn Hills; 2) Greensburg; 3) Greentree/Crafton; 4) Irwin; 5) Murrysville/Delmont; 6) North Versailles; 7) Ross Park Mall; and 8) Upper St. Clair.

Analytics, LLC, the refund administrator for this matter, will process the claim forms. Consumers have until June 16, 2018 to file a claim. To apply for a refund, consumers can visit, click on “Apply for a Refund,” and complete and submit the form. Consumers who would like a paper form mailed to them can call 1-877-884-6069 to request one. Paper claim forms must be completed and mailed back to Analytics at the address on the form before the deadline.

According to the FTC’s April 2017 complaint, beginning in late 2012, NutriMost, LLC, NutriMost Doctors, LLC, and their owner Raymond Wisniewski deceptively marketed the NutriMost weight-loss system to consumers. Sold at Wisniewski’s eight locations in the Pittsburgh area, the System claimed to use new technology that would allow users to safely lose substantial amounts of weight – typically 20 to 40 pounds or more in 40 days – without following a restrictive diet.

The FTC also alleged the defendants used deceptive endorsements in marketing the program, and required consumers to sign a non-disparagement agreement that prevented them from speaking or publishing truthful, negative reviews about the System.

The court order settling the FTC’s charges prohibits the defendants from making weight-loss and health claims unless they are not misleading and are supported with competent and reliable scientific evidence. It bars the defendants from misrepresenting that users do not need to follow a restrictive diet. It also prohibits the defendants from using deceptive endorsements and from including in their customer contracts non-disparagement clauses that prohibit consumers from speaking or publishing truthful, negative comments about the System. Finally, it imposes a $32 million judgment against the defendants, which is suspended upon payment of $2 million that the FTC is using to provide consumer refunds.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
17 May 2018, 10:00pm AEST

FTC Testimony Highlights Agency's Work to Protect Consumers, Promote Competition

In testimony before the Senate Appropriations Subcommittee on Financial Services and General Government, the Federal Trade Commission described its work to protect consumers and promote competition through vigorous enforcement, education, advocacy, and policy work, and by anticipating and responding to changes in the marketplace.

Testifying on behalf of the Commission, Chairman Joe Simons noted that the FTC is the only federal agency with jurisdiction to both protect consumers and maintain competition in most sectors of the economy. When possible, the FTC returns money to consumers who have been harmed. During FY 2017 alone, the agency returned more than $543 million in redress to consumers and deposited $94 million into the U.S. Treasury.  

In FY 2019, the agency is requesting an additional $3.4 million for expert witnesses to support the increased numbers of complex investigations and litigation in both competition and consumer protection matters, according to the testimony.

To protect consumers from unfair, deceptive and fraudulent practices in the marketplace, the FTC pursues law enforcement actions, and educates consumers and businesses about their rights and responsibilities. For example, the Commission’s anti-fraud program targets schemes ranging from imposter scams to emerging frauds to robocalls.  Recent examples include “Operation Tech Trap,” a nationwide and international crackdown on tech support scams, and obtaining a $280 million penalty against Dish Network with the agency’s state and federal partners – the largest penalty ever issued in a Do Not Call case, the testimony states.   

According to the testimony, the agency’s priorities in privacy enforcement include financial privacy, children’s privacy, health privacy, data security and the Internet of Things. For example, last year, Internet-connected smart television manufacturer Vizio agreed to pay $2.2 million to settle charges that it installed software on its TVs to collect the viewing data of 11 million consumers without their knowledge or consent. 

In the past year, the FTC has continued to bring cases challenging false and unsubstantiated health claims, including those targeting older consumers, those affected by the opioid crisis, and those with serious medical conditions. The Commission has brought cases challenging products that claim to improve memory and ward off cognitive decline, relieve joint pain and arthritis symptoms, and even reverse aging, the testimony states.   

The FTC also vigorously enforces U.S. antitrust law, working in tandem with the Antitrust Division of the U.S. Department of Justice, the testimony states. The FTC’s competition enforcement covers many sectors that directly affect consumers and their pocketbooks, such as health care, consumer products and services, technology, manufacturing, and energy, according to the testimony. Since the beginning of fiscal year 2016, the Commission has challenged 45 mergers, after the evidence showed that they would likely be anticompetitive. While most of these cases were resolved via divestiture settlements, the Commission has voted to initiate litigation to block seven mergers in the last year alone; three of these deals were abandoned by the parties, while four are still being litigated. The Commission also maintains a robust program to identify and stop anticompetitive conduct, with a number of cases in active litigation, the testimony explains. The Commission further promotes competition through a robust policy and research agenda, and international cooperation and coordination, the testimony states.                                                                                       

The Commission vote authorizing the testimony was 5-0.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
17 May 2018, 10:00pm AEST

2018 PAW Business Breakfast

The European Union’s General Data Protection Regulation (EU GDPR) and the complexity of the modern privacy landscape were the key discussion points for the Privacy Awareness Week (PAW) Business Breakfast yesterday morning.

Office of the Australian Information Commissioner
Source: News - OAIC
14 May 2018, 11:40pm AEST

Appearance before the Standing Committee on Access to Information, Privacy and Ethics to discuss the breach of personal information involving Cambridge Analytica and Facebook

Good morning, I very much appreciate the invitation to appear this morning — my first time before you as BC’s new Information and Privacy Commissioner. It is also a great pleasure to do so with my colleague Commissioner Elizabeth Denham. In fact it was only a few short weeks ago, that I was in the UK assisting Commissioner Denham with the investigation she touched on a moment ago.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
12 May 2018, 6:00am AEST

Supreme Court’s Alsford decision affirms role of the Privacy Act

R v Alsford is an important privacy decision. The Supreme Court has clarified the law in relation to voluntary requests for personal information by law enforcement agencies, and affirms the obligations and responsibilities of both the law enforcement requester and the responding agency.

The decision affirms the importance and policy of the Privacy Act, and its relationship with other relevant statutes, including the production order regime in the Search and Surveillance Act 2012, the test for the admissibility of evidence under section 30 of the Evidence Act 2006 and the test for an unreasonable search under section 21 of the New Zealand Bill of Rights Act 1990.

The Privacy Commissioner’s transparency reporting trial revealed confusion in the private sector about the lawful basis for law enforcement requests for personal information.

The Alsford case was a criminal pre-trial matter and it presented an opportunity for judicial clarification. The Privacy Commissioner was granted leave to be heard on the privacy issue. The Court’s decision was released in March 2017, subject to non-publication orders that have now been lifted.

The Court considered whether a production order should have been used to obtain power consumption data from electricity providers in an investigation of suspected cannabis cultivation, and whether the power consumption data was obtained in breach of privacy principle 11(e)(i) of the Privacy Act.

The Police made requests to three electricity providers for power consumption data from the defendant’s properties. All three companies disclosed the information sought under privacy principle 11(e)(i) of the Privacy Act. This manner of obtaining the power consumption information and its use to support subsequent production order and search warrant applications to uncover evidence of offending was one of the grounds of appeal.

The majority of the Supreme Court (4:1) affirmed the Police’s ability, in the circumstances and in the absence of a production order, to ask for power consumption information in the form of monthly aggregated data, despite finding that one of the three requests did not provide sufficient information to justify the resulting disclosure. That particular disclosure was therefore not justified in terms of principle 11(e) and, to that extent, there was a breach of the Privacy Act.

The decision also affirms that where the Police obtain information from service providers about customers on a voluntary basis, they must not infringe section 21 of the New Zealand Bill of Rights Act (the right to be secure against unreasonable search and seizure). 

The Supreme Court decision can be read here. 

You can also read the Privacy Commissioner's rules for information disclosures here.

Lastly, there is also the Privacy Commissioner's Commentary on R v Alsford.

Image credit: Kōtuku - Department of Conservation - New Zealand Birds A-Z

Office of the Privacy Commissioner, New Zealand
Source: Blog
11 May 2018, 1:26pm AEST

Celebrating 30 years of The Privacy Act

As part of our lead up to Privacy Awareness Week (PAW) 2018 we are taking the opportunity to celebrate thirty years since the introduction of the Australian Privacy Act 1988. For those of us who are old enough to cast our minds back to daily life thirty years ago, it really is remarkable to consider how differently we do things today, compared to 1988 — and how technology now shapes our everyday lives.

Office of the Australian Information Commissioner
Source: News - OAIC
11 May 2018, 12:01am AEST

Privacy regulators advise organizations to put privacy principles into practice

May 7-11 is Privacy Awareness Week and, to mark the occasion, members of the Asia Pacific Privacy Authorities (APPA) are reminding organizations to include privacy protection in their systems, processes, and corporate culture.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
8 May 2018, 6:00am AEST

Working with Industry 1: How Uber is driving privacy initiatives

This guest post was contributed by Richard Menzies, General Manager, Uber NZ, to mark Privacy Week. It is the first in our Working with Industry series of guest posts. The Working with Industry series do not necessarily reflect the views of our office and are published to inform and stimulate debate on topical privacy issues and developments.

As the adoption and integration of new technologies continues to grow, so does the importance of data protection, security and privacy. Globally as a company, Uber facilitates around 15 million trips every day and operates Uber Eats in more than 200 cities. More and more people look to ridesharing as a safe, affordable and reliable way to get around their cities and have great, tasty food delivered to their door. This year, like every year, Privacy Week is a great chance for all of us to take stock of our digital footprint.

Every one of these trips and deliveries creates a digital footprint - data which can be used to further improve Uber’s services, but that might also include personal information. We have a duty to protect that data and the privacy of our users, and we take that seriously.

Learning from past mistakes

Last year, our new CEO, Dara Khosrowshahi, publicised a security incident that took place in 2016. The incident involved two individuals from outside the company that inappropriately accessed old copies of user data stored on a third-party cloud-based service that we used at the time. The user data included names, email addresses and mobile phone numbers of 57 million Uber users, including approximately 100,000 Kiwis.

Our security engineering team was able to respond quickly and contain the risk for our users and the incident did not breach our corporate systems or infrastructure. We took steps to confirm that the two individuals did not further use or disseminate the information.

In addition to technical improvements made to prevent similar attacks in the future, we recommitted the company to more transparent disclosure practices in the future. Our CEO said at the time: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Uber’s approach to privacy

As Dara emphasised, we are committed to being open and upfront with our users and regulators. Under the direction of Tony West, Uber’s new general counsel, former general counsel for PepsiCo, and former US Associate Attorney General in the Department of Justice, our security and privacy teams are working toward a global standard for data protection and privacy beyond legal requirements. This includes improvements in the way we design and build our products, as well as how we manage all the user data we hold.

New features and products at Uber are developed with a review process to evaluate potential security and privacy risks, even down to the code level. Uber’s security engineering team works with our privacy team to ensure our data practices are not only compliant with applicable law, but also supported by the required engineering capabilities to enforce adoption across the company. Based on the level of sensitivity, we are able to leverage privacy protecting technologies such as differential privacy, which enables data scientists to analyse large data sets without exposing the identity of individual users. As well, we open-sourced these tools to make them available for use by privacy professionals at other organisations.

We’re also bringing privacy to the forefront of our products with user controls inside our mobile apps and websites. For example, users who choose not to share their device’s location information with Uber can choose to turn this off in their privacy settings and manually input their pick-up location. We also built a self-service tool for riders in the app if they choose to delete their Uber account. We are investing more resources in giving users more control over the data they share with us and there will be more features coming later this year.

Long term global vision

Last year, Uber updated its privacy policy to provide more, simplified information about how we collect user information and what it’s used for. As stewards of public trust, and across the industry as a whole, we need to understand the expectations of our users. Privacy is more than just a compliance checkbox or consent taking exercise - we want to make sure that we are only using our customers’ data in ways that are consistent with their expectations. As an industry, we’re increasingly seeing users react negatively when their data is used in ways that don’t meet their expectations.

We’re learning that we can no longer only build seamless protections behind the scenes in an effort to spare users the technical details. In fact, users are telling us they want to be more engaged in the process, so we are working on products improvements that will better assure our users that we have their back. Our CEO has made it very clear that moving forward, we will stand for safety, and that includes safeguarding the security and privacy of user information. Privacy and security are key business goals for us.

Building for New Zealand

We are particularly pleased to work closer with the Office of the Privacy Commissioner in New Zealand in its pursuit of mandatory breach notifications via the new Privacy Bill. We believe in working with government bodies which can hold all businesses to high standards, and will continue to support local representatives.

In a day and age when data has become an increasingly important cornerstone of modern commercial business, people need to know companies have their best interests at heart when it comes to protecting the privacy of their personal information.

All companies can learn from each other as we develop new technologies that offer better protection for consumers.

Companies owe it to their customers to treat their information with respect and to take every action and precaution possible to protect their privacy. Uber is committed to leading the way both locally and globally.

Image credit: Photo by Elliott Brown via Flickr

Office of the Privacy Commissioner, New Zealand
Source: Blog
7 May 2018, 7:00am AEST

Presentation to Social Media Camp: Why Privacy is Good Business

There are many tools for organizations, businesses, and public bodies to connect with citizens, potential customers, members, or users of your systems or products. But how you use these powerful social media tools is incredibly important because you will almost always be collecting people’s personal information. More often than not, that information can be very sensitive. Trust is at the heart of the transaction between users and social media platforms… trust that the personal information gathered about users is used properly and in accordance with privacy laws.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
4 May 2018, 6:00am AEST

Privacy Awareness Week 2018 website launched

This year’s Privacy Awareness Week (PAW) is all about promoting privacy as part of your everyday business. Running from 13 to 19 May, this year’s theme, ‘Privacy: from principles to practice’, will focus on the need for organisations to develop and reassess systems, processes, culture and practice to make sure they put their customers’ personal information first.

Office of the Australian Information Commissioner
Source: News - OAIC
26 Apr 2018, 1:17am AEST

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST