News

Corporate Plan 2019–20 sets out OAIC vision and strategic priorities

OAIC joins with global privacy regulators to call for more information from the Libra Network

OAIC welcomes privacy law update to protect Australians’ personal information

Privacy in the news (16 – 22 August 2019)

Privacy in the news (16 – 22 August 2019)

Welcome to our latest weekly round-up of privacy stories.

Property managers told not to go through tenants' bank statements

Landlords have been told not to perform the "KFC test" on prospective tenants. The issue was raised last year after a property manager said it was usual practice to ask to see potential tenants’ bank statements to see how they spend their money. The Privacy Commissioner has released guidelines showing what information is appropriate to request when choosing a tenant. Read more here.

Hard for tenants to say ‘no’ to intrusive questions - advocate

Advocates for tenants are worried new guidelines for landlords won't stop them asking potential tenants dodgy questions. The Privacy Commissioner John Edwards has released guidelines about what landlords can and cannot ask potential renters, but Manawatu Tenants' Union coordinator Ben Schmidt says tenants aren't always in a position to say no. Listen to the full interview here.

Receptionist sacked for blabbing about patients' sexual health

A medical receptionist who discussed a couple's sexual health at a party has been fired, with a complaint going to the Privacy Commissioner. The couple whose information was disclosed said the incident had caused them extreme humiliation and emotional distress. Read more here.

Robbie Magasiva among celebrities who fell for Instagram privacy hoax

Kiwi actor Robbie Magasiva appears to be one of a number of celebrities who have been sucked in by an internet hoax. Magasiva posted an image that purported to be a message about new rules around Instagram's use of personal information. Internationally, celebrities including Julia Roberts, Pink, Tom Holland, and Usher reposted the image, which has been confirmed as a hoax. Read more here.

Facebook rolls out tool to block off-app data gathering

Facebook is launching a tool that lets you limit what information the social network can gather about your activity on external websites and apps. The company said it is adding a feature where you can see what Facebook is tracking outside its service. You can choose to turn off the tracking or allow it to continue. Read more here.

EU data protection regulator Giovanni Buttarelli passes away

European Data Protection Supervisor Giovanni Buttarelli has passed away at the age of 62. The Supervisor oversees the privacy practices of all EU institutions, but also plays a broader role in defining general visions for other regulators. Read more here.

When parents eavesdrop on nannies

The Matahari Women Workers’ Center in Boston has started a started a “Nanny Cam Campaign” to help inform nannies in the US of their rights regarding surveillance while they work. According to surveys by Matahari, 63% of nannies do not know whether their voices are being recorded and less than half know about their privacy rights inside the homes where they work. Read the full story here.

Image credit: American Magpie via John James Audubon's Birds of America.

Privacy in the news (9 – 15 August 2019)

Welcome to our latest weekly round-up of privacy stories.

Fears Airpoints members' personal information leaked in data breach

An Air New Zealand data breach may have affected up to 112,000 Airpoints customers, and some are concerned personal information may have been exposed to hackers. The airline claims a phishing scam affecting two staff accounts resulted in the breach, and personal information from customer membership profiles may have been visible to hackers in internal documents. Read more here.

Privacy Commissioner would be concerned if facial recognition used in CCTV

The Privacy Commissioner would have concerns if Auckland Transport used facial recognition technology in its CCTV system. Authorities in Auckland are working to combine the city’s CCTV into a single system, which could involve facial recognition capabilities. Commissioner John Edwards says facial recognition is an intrusive technology that requires oversight. Watch the full interview here.

First full body scanners for Kiwi domestic travellers open at Dunedin Airport

New Zealand’s first body scanners for domestic flights have opened at Dunedin Airport. The scanners, which are also in place at Auckland’s international terminal, can detect dangerous objects such as knives, as well as illicit drugs. The scanners identify areas of concern on a generic outline of the human body, but no personal information is revealed. Read more here.

Intimate medical data exposed in clinical trial database breach

Intimate medical data of tens of thousands of Kiwis and Australians was exposed in a database breach at clinical trial company Neoclinical. The Sydney-based company said the company server "was temporarily opened" but all data stayed password-protected. Read more here.

Australian government contractor sends sensitive data to unknown email

The personal health information of 317 people applying for Australian visas was accidentally emailed to a member of the general public. The security bungle occurred when a spreadsheet was sent by mistake to an unknown individual's email address due to a typo. Read more here.

Facebook is building tech to read your mind

Facebook wants to create a device that can read your mind. The company is funding research on brain-machine interfaces that can pick up thoughts directly from your neurons and translate them into words. The technology could help patients with paralysis, but also raises ethical concerns around the use of brain data. Read more here.

Biostar security software 'leaked a million fingerprints'

More than a million fingerprints and other sensitive pieces of information have been exposed online by biometric security firm Biostar 2. The company’s technology is used by thousands of companies worldwide, including the UK's Metropolitan Police, and it is not clear how long the information was exposed. Read more here.

Facebook admits contractors listened to users' recordings

Facebook has admitted that employees were listening to recordings of users’ conversations without their knowledge. The practice involved contractors transcribing conversations alongside an automatic tool to check its accuracy. Facebook is the fourth major company to have been exposed using humans to listen in on audio recordings without users’ knowledge. Read more here.

Going from Hong Kong to Mainland China? Your phone is subject to search

Chinese border officers have begun routinely searching the phones of people who enter mainland China from Hong Kong, raising concerns that Beijing is trying to identify travellers sympathetic to the territory’s ongoing protest movement. The searches have come to light as the protests enter their third month and have grown increasingly violent and disruptive. Read more here.

Image credit: Yellow-Crowned Heron via John James Audubon's Birds of America.

Have you read your privacy policies?

In 2019, privacy policies are omnipresent. We’ve all seen them, we’ve all scrolled quickly to the bottom of the page, and we’ve all clicked “I accept,” granting us access to the wonders of the internet. But when you are presented with a privacy policy on a website, how often do you actually read it?

If your answer to the above question is somewhere in the realm of never, you are not alone. In fact, according to consumer advocates across the ditch, 94% of Australians do not read all the privacy policies that apply to them. As much as we might like to think we’re better readers than Australians, the figures in New Zealand are probably very similar.

The reality is most privacy policies are far too long and complex for any regular internet user to read and understand. As far back as 2008, researchers estimated it would take the average person 244 hours to read the privacy policies on all the websites they visit each year.

More recently, The Atlantic estimated it would take 76 work days to read the privacy policies of every website you visit in a year. That means you would have to read full-time from the first of January through to mid-April before you knew all the ways your information could be used by online companies. 

By 2014, the privacy policies of the 50 most popular American websites had collectively ballooned to 145,000 words, about as long as The Grapes of Wrath. When plotted on a graph alongside other works of classic literature, the privacy policies of many popular websites are considered more difficult to read than Charles Dickens’ Great Expectations, Stephen Hawking’s A Brief History of Time, and Immanuel Kant’s infamously dense Critique of Pure Reason.

For a visual representation of the problem, Dima Yarovinsky’s art project I agree makes it very clear. Yarovinsky printed out the terms of service for seven major tech companies to highlight their length and complexity. Instagram, Snapchat, and Facebook’s terms of service are so long they sprawl off the gallery walls onto the floor.

Despite their ubiquity, long and intricate privacy policies are inaccessible to the average internet user. Most people don’t read them, and many people wouldn’t understand them if they did. The internet is an increasingly complex place, particularly when it comes to individual privacy. As the online world continues to envelop every aspect of our lives, calls for privacy policies that people can realistically read and understand will only get stronger.

Privacy Commissioner responds to media reports on open letter issued by purported PCPD staff

Criminal Investigation Procedures Commenced on 430 Cases of Online Disclosure of Personal Data in Accordance with the Law

Privacy Commissioner Has Started Reviewing Related Websites and Urges Netizens to Respect Others' Privacy

FTC Approves Final Order Imposing Conditions on UnitedHealth Group’s Proposed Acquisition of DaVita Medical Group

Order will preserve competition in the Las Vegas area of Nevada

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that UnitedHealth Group’s proposed $4.3 billion acquisition of DaVita Medical Group from DaVita, Inc. will likely harm competition in healthcare markets in Clark and Nye Counties, Nevada.

The order requires United, no later than 40 days after the acquisition is final, to divest DaVita Medical Group’s healthcare provider organization in the Las Vegas Area (known as HealthCare Partners of Nevada) to Intermountain Healthcare, a Utah-based healthcare provider and insurer.

According to the complaint, which was first announced in June 2019, without a remedy in the Las Vegas Area, the proposed acquisition would likely have reduced competition in the markets for managed care provider organization services sold to Medicare Advantage insurers, and Medicare Advantage plans sold to individual Medicare Advantage members. The proposed acquisition also would have positioned UnitedHealth Group to raise the costs of its managed care provider organization services to rival Medicare Advantage insurers, or even withhold such services from these rivals, the complaint alleged.

The Commission vote approving the final order was 4-0-1. Chairman Joseph J. Simons was recused. The staff contact is Joshua Smith, Bureau of Competition, 202-326-3018.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

FTC Refunds Consumers Who Bought FlexiPrin Joint Pain Supplement

Case brought jointly by FTC and Maine Attorney General

The Federal Trade Commission is mailing 2,897 checks totaling more than $113,000 to fully refund consumers who bought FlexiPrin, a deceptively marketed joint pain supplement. The average check amount is $39.18.

In February 2017, the FTC and the Maine Attorney General charged XXL Impressions LLC, Jeffrey R. Powlowsky, J2 Response LLP, Justin Bumann, Justin Steinle, Synergixx, LLC, Charlie Fusco, Ronald Jahner, and Brazos Minshew with making false and misleading claims regarding FlexiPrin’s effectiveness for treating joint pain. The complaint also alleged the defendants failed to disclose that Jahner, who was presented as an objective medical expert, was paid a percentage of FlexiPrin sales.

The court order settling the charges barred the defendants from the illegal conduct alleged in the complaint and required them to pay money to the FTC to provide refunds to deceived consumers. While the defendants sold multiple dietary supplements, this mailing is only to consumers who bought FlexiPrin.

In April 2018, the FTC sent a similar refund mailing to consumers who bought CogniPrin, another supplement the defendants deceptively marketed as a “memory improvement” aid.

Rust Consulting, Inc., the refund administrator, will begin mailing checks today. Recipients should cash their checks within 60 days, as indicated on the check. The FTC never requires consumers to pay money or provide information to cash refund checks. Consumers who have questions about the mailing should call 1-800-598-3025.

FTC law enforcement actions led to more than $2.3 billion in refunds for consumers in a one-year period between July 2017 and June 2018. To learn more about the FTC’s refund program, visit www.ftc.gov/refunds.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Promoters of Deceptive Chain Referral Schemes Involving Cryptocurrencies Agree to Settlement with FTC

Defendants are permanently barred from multi-level marketing as part of settlement

The promoters of recruitment-based cryptocurrency schemes are permanently banned from operating or participating in any multi-level marketing program, as part of a settlement with the Federal Trade Commission.

The FTC obtained a court order in March 2018 against Thomas Dluca, Eric Pinkston, Louis Gatto, and Scott Chandler that stopped their deceptive marketing practices and froze their assets. The FTC action alleged that Dluca, Pinkston, and Gatto falsely promised participants could earn large returns by paying cryptocurrency such as bitcoin or Litecoin to enroll in schemes marketed under the names Bitcoin Funding Team and My7Network.

According to the FTC, Bitcoin Funding Team and My7Network were chain referral schemes—a type of pyramid scheme. These schemes depend on continual recruitment of new participants to generate revenue. A fourth defendant, Scott Chandler, promoted Bitcoin Funding Team and another deceptive cryptocurrency scheme, Jetcoin, which promised participants a fixed rate of return, but failed to deliver on these claims, the FTC alleged.

The defendants promoted the cryptocurrency programs through websites, YouTube videos, social media, and conference calls, claiming, for example, that Bitcoin Funding Team could turn a payment of the equivalent of just over $100 into $80,000 in monthly income. The FTC alleges, however, that the structure of the schemes ensured that few would benefit. In fact, most participants failed to recoup their initial investments.

As part of their proposed settlements with the FTC, Dluca will pay $453,932, and Chandler will pay $31,000. Pinkston also agreed to a $461,035 judgment, which will be suspended upon payment of $29,491, due to his inability to pay the full amount. If he is later found to have misrepresented his finances, he will be required to pay the full amount.

In addition to the monetary judgment, all three defendants, along with Gatto, are permanently prohibited from operating, participating in, or assisting others in promoting or operating any multi-level marketing program, pyramid, Ponzi, or chain referral scheme. They also are prohibited from misrepresenting as part of a business venture or investment opportunity the amount of income that participants will receive or other aspects of the business venture or investment opportunity.

The Commission vote approving the stipulated final order was 5-0. The FTC filed the proposed order in the U.S. District Court for the Southern District of Florida.

NOTE: Stipulated final orders or injunctions, etc. have the force of law when approved and signed by the District Court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

OIPC to join IAPP KnowledgeNet panel about global privacy cooperation

The OIPC will join an IAPP-led panel discussion on different privacy cultures and approaches to regulation around the world as well as the importance of strengthening ties and sharing knowledge across borders.

Statement from BC Information and Privacy Commissioner regarding independent oversight over government’s duty to document and use of personal communication tools

BC Information and Privacy Commissioner has issued the following statement regarding independent oversight over government’s duty to document and use of personal communication tools.

Protecting privacy is everyone’s responsibility: BC Information and Privacy Commissioner statement on Privacy Awareness Week 2019

As Privacy Awareness Week (May 6-11) gets under way today, Michael McEvoy, information and privacy commissioner for British Columbia, is calling on everyone – businesses, the public and government – to take action to better protect personal information. He has released the following statement.