News

Human element a key factor in data breaches

Corporate Plan 2019–20 sets out OAIC vision and strategic priorities

OAIC joins with global privacy regulators to call for more information from the Libra Network

Privacy in the news (6-12 Sept 2019)

Welcome to our latest weekly round-up of privacy stories.

Mental health test participants could be identified, group warns

An internet advocacy group says anonymous results from an online mental health test, could be used by third parties to identify people. Read more here.

Media Council ruling: Photograph should not have been published

A photo of a distressed and vulnerable mentally ill woman should not have been published, the Media Council has ruled in a majority decision. Read more here.

Customer seeks explanation after bank dumps him

Westpac NZ has apologised unreservedly for telling a customer he had three weeks to pay off his home loan and close all his accounts – and for refusing to tell him why. Read more here.

These apps may have told Facebook about the last time you had sex

At least two menstruation-tracking apps, Maya and MIA Fem, are sharing intimate details of users’ sexual health with Facebook and other entities, according to a new report from Britain-based privacy watchdog Privacy International. Read more here.

Image credit: Columbian hummingbird via John James Audubon's Birds of America

 

What is a “compliance advice letter”?

Investigating complaints is an important function of our office and a considerable part of our workload. When we receive a complaint, we make an initial assessment about what steps we will take next. In some circumstances, we will investigate. In other instances, our office may decline to investigate.

There are also occasions when we cannot investigate, but we may decide that the complainant has raised legitimate concerns that should be brought to the attention of a respondent agency.

For instance, we may not have enough evidence of a breach of the Privacy Act or of a code of practice, but we have concerns about the conduct or practices of an agency. At this stage, we may offer a complainant the option of our Office contacting the agency with a compliance advice letter.

Compliance advice letter 

What our compliance advice letter contains will depend on the circumstances of the complaint. We may take the opportunity to:  

• relay a complainant’s concerns directly to an agency
• remind an agency of its obligations under the Privacy Act and codes
• identify what conduct and practices of the agency we think conflict with its obligations
• express any general concerns we have
• make recommendations to an agency - such as a change to a policy, or an action it may wish to take with the complainant, such as offering an apology or an assurance
• suggest the agency undertake our online privacy training to better understand its obligations.

How does it work?

But is a compliance advice letter from our office just a ‘slap on the wrist with a wet bus ticket’? Consider this:

• it gives the agency the opportunity to take proactive action and to rectify any practices which are not in line with the Act, codes, or guidelines
• it is a prompt outcome which is much faster than most other resolution options at our disposal.
• it tells an agency that it is ‘on our radar’. If we receive similar complaints about the same agency in future, we will weigh this factor up when deciding whether we need to take further action
• it is not a punishment or penalty. Our focus is on educating an agency and improving privacy practices.

Am I in trouble?

A compliance advice letter does not mean your agency is in trouble. It means:

• we are aware we have only heard one side of the story
• we are not making a finding about the factual correctness of the complaint or about if there has been a breach of your obligations
• your agency has no obligation to respond to our correspondence
• unless we have said that we will, it’s unlikely we will be taking any further action.

While a compliance advice letter is not a full investigation, an agency that receives one should take our correspondence seriously because we keep a record of the complaint and our letters for future reference. If we were to use a traffic analogy, consider it a warning for speeding, and not an actual speeding ticket.

Image credit: Free letter via Clipart.

Privacy in the news (30 Aug - 5 Sept 2019)

Welcome to our latest weekly round-up of privacy stories.

Google lobbyists try to water down US privacy law

Google and its industry allies are making a late bid to water down the first major data-privacy law in the United States, seeking to carve out exemptions for digital advertising, according to documents obtained by Bloomberg. Read more here.

YouTube plans sweeping changes to kids’ videos after US$170 million fine

YouTube has announced massive changes to how it treats kids’ videos, as the US Federal Trade Commission hit Google with new rules and a record US$170 million penalty to settle a probe into the privacy of children's data on the giant video site. Read more here.

Chinese deep fake app Zao sparks privacy row after going viral

A Chinese app that lets users swap their faces with film or TV characters has rapidly become one of the country’s most downloaded apps, triggering a privacy row. Read more here.

Huge data base of Facebook users’ phone numbers found online

Hundreds of millions of phone numbers linked to Facebook accounts have been found online. The exposed server contained more than 419 million records over several databases on users across geographies. Read more here.

Facebook to tell you how to turn off facial recognition

Facebook has announced an important change to its stance on facial recognition identification. Now, all facial recognition, including tagging, will be turned off by default for new users, who can choose to opt in. If you already had facial recognition turned on, you won’t receive a notice to turn it off. Read more here.

Twitter CEO's hacked account sends racist tweets

The account of Twitter Chief Executive Jack Dorsey was hacked last week, sending public tweets and retweets including racial slurs and curse words to four million followers before Twitter secured the account. Read more here.

Tourists to be tracked in Gold Coast plan to boost tourism

Tourists’ mobile phones and credit card spending may soon be tracked by Gold Coast Council in a Big Brother-like programme designed to give the city the edge over other tourist destinations. Read more here.

Image credit: King duck via John James Audubon's Birds of America.

Direct Marketing Offence Admitted: Telecommunications Company Fined HK$84,000

Privacy Commissioner Responds to Media Enquiries regarding Disclosure of Personal Data for Doxxing Purposes on Websites or Instant Messaging Platforms Registered Outside Hong Kong

Privacy Commissioner Responds to Interviewee's Comments in Today's TVB News Programme "On the Record" in Relation to PCPD's Follow-up Actions on Online Disclosure of Personal Data in Recent Months

FTC Puts Conditions on NEXUS Gas Transmission, LLC’s Acquisition of Generation Pipeline LLC

Complaint alleges that non-compete agreement in Nexus’s purchase of Ohio pipeline would harm competition

Joint venture NEXUS Gas Transmission, LLC, and its member companies, DTE Energy Company and Enbridge Inc., will settle Federal Trade Commission charges that the joint venture’s acquisition of an Ohio pipeline would likely harm competition to provide natural gas pipeline transportation in a three-county area that includes Toledo, Ohio.

According to the FTC’s complaint, NEXUS, which is owned in equal shares by DTE and Enbridge, agreed in January to pay $160 million for Generation Pipeline LLC. Generation owns and operates a 23-mile pipeline in the Toledo, Ohio area.

The complaint alleges that NEXUS’s purchase of Generation from North Coast Gas Transmission LLC (“North Coast”) and several other owners is anticompetitive due to a non-compete clause that keeps North Coast from competing to provide natural gas pipeline transportation, for three years after the acquisition closes, in parts of the Ohio counties of Lucas, Ottawa, and Wood.

North Coast’s primary asset is a 280-mile natural gas transmission pipeline system that spans 13 Ohio counties, including Lucas, Ottawa, and Wood. The complaint alleges that the sale agreement’s clause prohibiting North Coast from competing in parts of Lucas, Ottawa, and Wood counties violates federal antitrust law. According to the complaint, the non-compete clause eliminates actual and potential competition for three years between North Coast and any other pipeline. It also is not reasonably limited in scope to protect a legitimate business interest, according to the complaint.

The Generation pipeline and the North Coast pipeline may be the best alternatives for some large industrial customers in the Toledo area who are located reasonably close to both pipelines. By prohibiting North Coast from competing with the Generation pipeline, the non-compete clause would harm customers who otherwise would benefit from that competition.

According to the complaint, no affordable or practical alternatives exist to replace pipeline transportation and delivery of natural gas, and entry would be complicated, expensive, and time consuming.

The proposed consent agreement preserves competition by requiring the parties to eliminate the non-compete clause from the sales agreement. Also, absent prior Commission approval, Nexus, DTE, and Enbridge are barred from participating in a written or oral agreement that restricts competition between any of them and another provider of natural gas pipeline transportation in the Ohio counties of Lucas, Ottawa, and Wood. The order also requires Nexus, DTE, and Enbridge to provide prior notice if any of them seek to acquire the North Coast system or any other natural gas pipeline in Lucas, Ottawa, and Wood counties.

Further details about the consent agreement are set forth in the analysis to aid public comment for this matter.

The Commission vote to issue the complaint and accept the proposed consent order for public comment was 5-0. Commissioner Christine S. Wilson issued a concurring statement, and Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a joint concurring statement. The FTC will publish the consent agreement package in the Federal Register shortly. Instructions for filing comments appear in the published notice. Comments must be received 30 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

FTC Approves Final Order Imposing Conditions on Quaker Chemical Corp.’s Acquisition of Houghton International Inc.

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that chemical company Quaker Chemical Corp.’s $1.4 billion acquisition of Houghton International Inc. is anticompetitive.

According to the complaint, which was first announced in July 2019, as proposed, the acquisition would have harmed competition in the North American market for aluminum hot rolling oil, or AHRO, and associated technical support services, and in the North American market for steel cold rolling oil, or SCRO, and associated technical support services. According to the complaint, the SCRO market includes sheet cold rolling oil, tin plate rolling oil, or TPRO, and pickle oil. AHRO is a critical input in the production of aluminum sheet. SCRO, TPRO, and pickle oil are critical inputs in the production of steel sheet.

Quaker and Houghton are the only two commercial suppliers of AHRO in North America and the two largest commercial suppliers of SCRO in North America, according to the complaint.

Under the final order, Quaker is required to divest Houghton’s North American AHRO and SCRO product lines and related assets to Total. The proposed settlement agreement also requires Quaker to divest to Total certain product lines used in conjunction with AHRO and SCRO, including steel cleaners and AHRO compatible hydraulic fluids.

The Commission vote approving the final order was 5-0. The staff contact is Terry Thomas, Bureau of Competition, 202-326-3218.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

FTC Takes Action against Operators of Student Loan Debt Relief Schemes and the Financing Company that Assisted Them

Defendants allegedly bilked millions out of consumers by charging illegal upfront fees and falsely promising to lower or even eliminate consumers’ loan payments or balances

The Federal Trade Commission charged the operators of two similar student loan debt relief schemes, and a financing company that assisted them, with bilking millions of dollars from consumers.

The defendants allegedly charged illegal upfront fees that they led consumers to believe went towards consumers’ student loans, and falsely promised that their services would permanently lower or even eliminate consumers’ loan payments or balances. The defendants also signed customers up for high-interest loans to pay the fees without making required disclosures.

In one action, brought jointly by the FTC and the State of Minnesota, the student debt relief company and the financing company involved agreed to be banned from the debt relief business in order to settle the charges. In the second action, the financing company has agreed to settle but the FTC’s litigation continues against the student debt relief defendants.

“Working with our law enforcement partners across the country, we have brought dozens of cases against debt relief scams like these,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “The difference here is that a state-licensed finance company was knowingly participating in the scheme by financing the thousands of dollars in illegal fees that these scammers tricked consumers into paying. This is yet another example of how we are holding accountable companies that facilitate fraud by others.”

According to the FTC’s complaint against Manhattan Beach Ventures and Equitable Acceptance Corporation, MBV deceptively promoted payment reduction programs to consumers looking for help with their student loans. MBV charged consumers up to $1,400 and funneled them into financing this fee through a high-interest loan with third-party financier Equitable Acceptance Corporation, another defendant in the scheme. The State of Minnesota is a co-plaintiff in the action against MBV.

In its complaint against Student Advocates Team and Equitable Acceptance Corporation, the FTC alleges that a different set of defendants engaged in deceptive and abusive practices for several years that were similar to those alleged against MBV, charging consumers up to $1,400 and also enrolling their customers in EAC’s financing program.

The FTC alleges that the defendants in both cases violated the FTC Act and provisions of the Telemarketing Sales Rule (TSR). EAC is charged in both cases with violating the assisting and facilitating provision of the TSR by providing substantial assistance to MBV and Student Advocates when it knew, or consciously avoided knowing, that the defendants were engaged in deceptive and abusive telemarketing practices. EAC is also charged in both cases with violating the Truth in Lending Act by failing to clearly and conspicuously disclose in writing necessary information concerning the closed-end credit that it offered.

The stipulated order with MBV and its owners bans these defendants from selling any kind of debt relief products or services, making unsubstantiated claims about financial products and services, and also from making material misrepresentations about any other kind of product or service. It also imposes a $4.2 million judgment, in which all but $156,000 is suspended based on inability to pay. MBV is required to notify its customers that none of their prior payments have gone towards a Department of Education repayment program or towards their student loans.  Under the stipulated orders against EAC in both the MBV matter and the Student Advocates matter, EAC is required to pay nearly $28 million, all but $1 million of which is suspended based on inability to pay. EAC is also required to relinquish its right to collect on any outstanding balances from current or former customers of MBV and Student Advocates. EAC must also notify these customers that it will not collect further payments from them.

In the MBV matter, the defendants are Manhattan Beach Venture (also doing business as Student Loan Relief Department); Equitable Acceptance Corporation; and individuals Christopher Lyell and Bradley Hansen.

In the Student Advocates matter, the defendants are Student Advocates Team, LLC; Progress Advocates Group, LLC; Student Advocates Group, LLC; Assurance Solution Services, LLC; Equitable Acceptance Corporation; and individuals Bradley Hunt and Sean Lucero.

How to Avoid Student Loan Debt Relief Scams

To help consumers avoid falling victim to such fraud, the FTC has consumer education related to student loan debt relief scams at ftc.gov/StudentLoans.

Only scammers promise fast loan forgiveness, and they often pretend to be affiliated with the government. Consumers should never pay an upfront fee for help, and should not share their FSA ID with anyone.

Consumers can apply for loan deferments, forbearance, repayment, and forgiveness or discharge programs directly through the U.S. Department of Education or their loan servicer at no cost. These programs do not require the assistance of a third-party company or payment of application fees. For federal student loan repayment options, visit StudentAid.gov/repay. For private student loans, contact the loan servicer directly.

The Commission vote authorizing the staff to file the complaint and stipulated final orders in the MBV matter was 5-0. The FTC filed the complaint and final orders fully resolving the matter in the U.S. District Court for the Central District of California.

The Commission vote authorizing the staff to file the complaint against the Student Advocates defendants and the complaint and stipulated final order against EAC in the Student Advocates matter was 5-0. The complaint and final order were filed in the U.S. District Court for the Central District of California.

NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final injunctions/orders have the force of law when approved and signed by the District Court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Just in time for school: games, activities make learning about privacy fun

The games are fun, the message serious: in the digital age, children need to understand the value of their privacy and the importance of protecting their personal information online. A new series of activity sheets released by the Office of the Privacy Commissioner for Canada and privacy authorities throughout the country aims to help teachers and parents start the important conversation about digital privacy with young children.

OIPC to join IAPP KnowledgeNet panel about global privacy cooperation

The OIPC will join an IAPP-led panel discussion on different privacy cultures and approaches to regulation around the world as well as the importance of strengthening ties and sharing knowledge across borders.

Statement from BC Information and Privacy Commissioner regarding independent oversight over government’s duty to document and use of personal communication tools

BC Information and Privacy Commissioner has issued the following statement regarding independent oversight over government’s duty to document and use of personal communication tools.