News

OAIC commences consultation on draft CDR Privacy Safeguard Guidelines

New guide released to help health sector improve privacy practice

Information Access Commissioners and Ombudsman release survey results on community attitudes

Privacy in the news (11 – 17 October 2019)

Welcome to our latest weekly round-up of privacy stories.

Prime Minister warned not to give Police information sharing 'blank cheque’

The Privacy Commissioner wrote to the Prime Minister asking the Government not to give Police a “blank cheque for information sharing". In the letter, the Commissioner expressed "significant concerns" about the national firearms registry legislation. Police Minister Stuart Nash said changes were made to the draft legislation before it was introduced to reflect the issues raised. Read more here.

Government's digital expert warns agencies about protecting people's data

The Government's chief digital officer has asked all Government departments and some connected agencies to ensure they're protected from a data breach. The move comes after a string of incidents in Government departments which left people's personal details and confidential information exposed online. Read more here.

Landlord stung after TV crew films flat inspection

A Dunedin landlord who allowed a TV crew to film a flat inspection without permission from the tenants has been ordered to pay $3500 in compensation. The tenants of the Dunedin flat took Click Property Management Limited to the tenancy tribunal over claims the landlord breached their privacy by allowing a cameraman to film their flat inspection in February. Read more here.

Are we ready for satellites that see our every move?

When US President Trump tweeted an image of Iran’s Imam Khomeini Space Center in August, amateur satellite trackers were shocked by the image’s high resolution. That the technology to clearly see something as small as a coffee mug (or smaller) could already exist or be developed very soon should not be taken lightly. Read more here.

Apple's good intentions often stop at China's borders

Last October, as Facebook grappled with the Cambridge Analytica scandal, Apple CEO Tim Cook gave a speech attempting to distance the company from its peers. The aim was to reaffirm Apple’s position as the Patron Saint of Privacy. But the company’s recent actions in China show that Apple’s privacy, security, and human rights virtues don’t always extend beyond Beijing’s borders. Read more here.

Opinion: Without encryption, we will lose all privacy.

The US, UK and Australia are taking on Facebook in a bid to undermine the only method that protects our personal information: encryption. Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe. Read Edward Snowden’s blog on The Guardian here.

Image credit: Fork-tail Petrel via John James Audubon's Birds of America.

Privacy in the news (27 September – 10 October 2019)

Welcome to our latest weekly round-up of privacy stories.

NZ First reports leak of members' data to police

New Zealand First is reporting a breach of party member details to the police. The database included the names, occupations, phone numbers and addresses of members and people affiliated with the party and was leaked to the news media and opposition MPs. Read more here.

Computer equipment with 200 Commerce Commission transcripts stolen

Computer equipment containing more than 200 transcripts relating to Commerce Commission work has been stolen. The transcripts on the equipment may date back to early 2016 and contain some confidential information about businesses and individuals. Two independent reviews have been initiated in response. Read more here.

More PHO data breaches uncovered involving up to a million patients

Tū Ora Compass Health, whose website was hacked in August, has found evidence of earlier, previously unknown attacks on its systems. The primary health organisation, which is responsible for analysing data from medical centres, was hacked in a global cybersecurity incident. A subsequent investigation into the incident uncovered previous attacks dating back to 2016. Read more here. 

Cell phone tower data used to help Government make decisions

Data from cell phone towers is being used to help the Government make decisions around infrastructure and plan for emergencies. The project uses information from Spark and Vodafone to show the number of people in a location at a given time. However, the Privacy Commissioner says it is “no Big Brother” and people's data is protected. Read more here.

Recruiter told employer about job-seeking client

A recruitment agency who told a woman's employer she was looking for a new job has apologised and paid her compensation following an investigation by the Privacy Commissioner. The woman said the disclosure had caused her severe emotional distress and compromised her employment. Read more here.

Australian public servants seek Freedom of Information changes

Australian public service leaders want official Freedom of Information guidelines changed to support their standard practice of shielding the names and contact details of junior staff wherever possible. Many agencies cite cases of harassment staff members have suffered after their identities were released in documents. Read more here.

The rise of facial recognition technology and the surveillance state

In the past year, as the use of facial recognition technology by police and private companies has increased, the debate has intensified over the threat it could pose to personal privacy and marginalised groups. In particular, there are concerns around a lack of regulation and risks associated with racial profiling. Read more here.

Facebook and Twitter use phone numbers for marketing

Twitter has admitted it allowed marketers to access the phone numbers that users had registered on the site. Many had given their numbers to enable two-factor authentication and did not realise they were giving marketers access to their data. The revelation comes a year after Facebook admitted to misusing phone numbers for ad targeting. Read more here.

Amazon wants to surveil your dog

While other big tech companies appear to be taking notice of a digital privacy reckoning, Amazon is trying to strap the surveillance state to your dog. The company recently announced a suite of new products with sensors and tracking abilities, including dog collars, and these are being seen as part of Amazon’s quest to become “The Everything Store.” Yet, Amazon’s vision of the future feels increasingly at odds with the ability to be anonymous in public. Read more here.

Image credit: Yellow-breasted Chat via John James Audubon's Birds of America.

Google wins EU right to be forgotten case

A fortnight ago, Europe’s top court, the European Court of Justice (ECJ) ruled that Google will not be required to apply the ‘right to be forgotten’ globally. This means that search results suppressed within Europe at the request of the individual, will still be available to searches outside Europe.

Sometimes referred to as the "right to erasure", the rule gives EU citizens the power to demand data, including search links, about them be deleted.

In 2015, French national privacy regulator – CNIL – ordered Google to remove search listings linking to pages that contained false or defamatory information about individuals.

Google implemented a geo-blocking feature that would prevent people searching from within the EU from being able to access search results that had been delisted. They did not impose the same restrictions on searches outside the EU. CNIL tried to fine Google 100,000 Euros for failing to delist the search results from Google sites worldwide. Google appealed against the fine to the European Court of Justice.

Google argued they wished to ensure the right to be forgotten was enforced in the EU while also balancing individuals’ rights to access information.

The Court ruled that EU law did not require search engine operators to “carry out such a de-referencing on all the versions of its search engine.” In other words, Google would only be required to delist results from Google sites based within the EU.

History of right to be forgotten

Although it had been discussed and ruled upon in European jurisdictions to varying degrees throughout the early 2000s, the right to be forgotten from search engine results in EU law derives from the case in which Spanish man, Mario Costeja González, took Google to court in Spain in 2014. Mr González was concerned that a Google search of his name brought up a 1998 Spanish newspaper article detailing how he had been forced to sell his property to repay social security debts. In the European Court of Justice, Mr González contended that this record was no longer relevant to his life as he had paid his debts to society. He argued that having the record so readily accessible to someone who searched his name on Google put a stain on his reputation. 

The European Court of Justice declared that Google must remove the man's data from their indexes.  The newspaper that originally published the article was allowed to keep the story of the forced sale on their site as it had been lawfully published.

In the five years since the 2014 ECJ ruling, Google has removed more than 800,000 URLs after receiving a request for erasure. It has retained more than a million others in its index.

In 2014, Privacy Commissioner John Edwards wrote this blog on the right to be forgotten. In the blog, the Commissioner wrote that that term “right to be forgotten” is inaccurate, imprecise and impossible.” It could mean removal of content from a public source, leaving a social network and taking your data with you but it could not mean an “enforced right to be forgotten.”

When the General Data Privacy Regulation (GDPR) was passed into law in the European Union in May 2018, Article 17 outlined circumstances in which someone can exercise the right to have their data erased.

The GDPR rule  

The GDPR provision sets out that data must be erased immediately in the following circumstances:

1. Where it is no longer required for processing purposes
2. The subject of the data has withdrawn their consent or objected and there is no other legal ground for processing
3.  Erasure is required to fulfil a statutory obligation under the EU law or right of Member States

The goal of the provision is not internet censorship but rather, that it should be difficult for someone to discern personal data without substantial effort.

What does this mean for New Zealand?

Neither New Zealand’s current Privacy Act 1993 nor the Privacy Bill currently before Parliament contain an equivalent to the EU’s right to be forgotten.

The Commissioner recommended the Bill offer the right to erasure, allowing people to require a company to delete all of their personal data and halt third-party processing of that data.

Our Office will continue to monitor judgments relating to the right to be forgotten with interest.

Privacy Commissioner’s Response to Media Enquiries about Chief Executive’s Suggestion of the Need for Legislative Amendment to Tackle Doxxing

Privacy Commissioner’s Response on Whether the CCTV Footage of a Tertiary Institution Should Be Disclosed

District Council Election Upcoming: Doxxing, Cyber-bullying Will Break the Law Privacy Commissioner Reminds Candidates, Government Departments and Public Opinion Research Organisations to Comply with the Privacy Ordinance

FTC Releases FY 2019 National Do Not Call Registry Data Book

Imposter calls topped list of complaint categories in the past year

The Federal Trade Commission today issued the National Do Not Call Registry Data Book for Fiscal Year 2019. The FTC’s National Do Not Call (DNC) Registry lets consumers choose not to receive most legal telemarketing calls. The data show that the number of active registrations on the DNC Registry increased over the past year, while the total number of consumer complaints decreased for the second year in a row.

Now in its eleventh year, the Data Book contains information about the DNC Registry for FY 2019 (from October 1, 2018 to September 30, 2019). The Data Book provides the most recent information available on robocall complaints, the types of calls consumers reported to the FTC, and a complete state-by-state analysis.

FY 2019 Registration and Complaint Data

According to the Data Book, at the end of FY 2019, the DNC Registry contained 239.5 million actively registered phone numbers, up from 235.3 million at the end of FY 2018. The number of consumer complaints about unwanted telemarketing calls decreased, from 5.8 million in FY 2018 to 5.4 million in FY 2019. This reflects that the FTC could not accept complaints during the recent government shutdown. Of those complaints, 71 percent were about robocalls.

During the past fiscal year, the FTC continued to receive many consumer complaints about telemarketing robocalls, with the total number of complaints decreasing slightly. In FY 2019, the Commission received 3.78 million complaints about robocalls, compared with 3.79 million in FY 2018. For every month in the fiscal year, robocalls—defined under FTC regulations as calls delivering a prerecorded message—made up the majority of consumer complaints about DNC violations.

Significant Changes in the FY 2019 Data

This year, consumers most frequently reported robocalls about imposter scams, with more than 574,000 complaints received. This represents a significant increase from FY 2018, when such complaints comprised only the third most reported category, with approximately 393,000 complaints received.

The upward trend in imposter fraud calls complaint volume regarding began in May 2019 and increased over the remainder of the fiscal year. Calls about medical issues and prescriptions made up the second-largest category, followed by complaints about debt-reduction programs, which was the most reported topic last year.

With respect to state data, New Hampshire now leads the nation in active DNC registrations per capita. The states reporting the most complaints per 100,000 population has not changed: the top five states are Colorado (2,294 per 100k population), Oregon (2,227 per 100k population), Arizona (2,211 per 100k population), New Jersey (2,188 per 100k population), and Nevada (2,186 per 100k population).

Finally, to make the information in the FY 2019 Data Book more accessible for the public, updated and interactive DNC data dashboards are available at ftc.gov/exploredata.

To make the Data Book as user-friendly as possible, it includes the following features:

• The number of DNC complaints about robocalls versus live callers.
• Information about the topics of calls reported to the FTC.
• A state-by-state analysis of DNC complaints.
• The underlying data in the report is publicly available at: https://www.ftc.gov/reports/national-do-not-call-registry-data-book-fiscal-year-2019.

Information for Consumers

Information for consumers about the DNC Registry, company-specific DNC requests, and telemarketer caller ID requirements can be found on the FTC’s website, and consumers can sign up for the DNC Registry for free. Other information about robocalls and what consumers can do about them is also available. To report unwanted telemarketing calls, consumers can file a complaint at www.donotcall.gov or call 1-888-382-1222.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

FTC Extends Deadline for Comments on COPPA Rule until December 9

The Federal Trade Commission is extending the deadline to submit comments on the effectiveness of the amendments the agency made to the Children’s Online Privacy Protection Rule (COPPA Rule) in 2013 and whether additional changes are needed. The deadline was originally October 23, 2019; it is now December 9, 2019.

The FTC announced in July that it would accept comments on a wide range of issues related to the COPPA Rule, including whether rapid changes in technology, such as the expanded use of education technology, warrant modifications to the Rule at this time.

In response to requests from the public, the FTC will soon publish a notice in the Federal Register announcing the comment deadline extension. Instructions on how to submit comments will be included in the Federal Register notice.

The Commission voted 5-0 to submit the notice to the Federal Register for publication.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Administrative Law Judge Partially Rules in Favor of FTC’s Complaint that Dental Products Distributors Conspired Not to Provide Discounts to Buying Groups

Judge dismisses complaint against respondent Henry Schein, Inc.

In an Initial Decision announced today, Chief Administrative Law Judge D. Michael Chappell has held that two of three respondents named in a Federal Trade Commission complaint violated U.S. antitrust laws by conspiring to refuse to provide discounts to, or otherwise serve, buying groups representing dental practitioners.

The FTC’s February 2018 administrative complaint named the nation’s three largest dental supply companies: Benco Dental Supply Company, Henry Schein, Inc., and Patterson Companies, Inc. As full-service dental distributors, these companies offer gloves, cements, sterilization products and a range of other consumable supplies, as well as equipment, such as dental chairs and lights. Collectively, the big three control more than 85 percent of all distributor sales of dental products and services nationwide. The U.S. market for dental products is valued at approximately $10 billion.

Judge Chappell held that Benco and Patterson were part of the conspiracy, but Schein was not. The FTC has demonstrated “that Respondents Benco and Patterson conspired to refuse to offer discounted prices or otherwise compete for the business of buying groups and that such an agreement is a per se violation of Section 5 of the FTC Act,” Judge Chappell wrote in the decision.

Judge Chappell added that the evidence fails to prove a conspiracy involving Schein, and dismissed the complaint against Schein. Judge Chappell also dismissed another violation in the FTC’s complaint, which alleged that Benco invited a fourth competing distributor to join the conspiracy.

Buying groups seek to leverage their bargaining skills and collective purchasing power of the individual practices to negotiate lower prices. According to the FTC’s complaint, the respondents deprived solo and small-group dental practices of the benefits of participating in buying groups that purchase dental supplies from national, full-service distributors.

The Appeals Process. The Judge’s Initial Decision is subject to review by the full Federal Trade Commission on its own motion, or at the request of any party. The Initial Decision will become the decision of the Commission 30 days after it is served upon the parties, unless a party files a timely notice of appeal – and thereafter files a timely appeal brief – or the Commission places the case on its own docket for review or stays the effective date of the decision.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Letter to Ministers Eby and Robinson Re: Bill 35––Miscellaneous Statutes Amendment Act (No. 2), 2019

Letter to Ministers Eby and Robinson Re: Bill 35––Miscellaneous Statutes Amendment Act (No. 2), 2019

OIPC review finds privacy protections lacking at BC medical clinics

Medical clinics throughout British Columbia need to do more to protect the often highly sensitive personal information in their custody, according to a newly released review from the Office of the Information and Privacy Commissioner for British Columbia (OIPC). Audit and Compliance Report P19 01: Compliance Review of Medical Clinics looked at how 22 BC medical clinics, each with five or more licensed physicians on staff, were meeting their legal obligations under the Personal Information Protection Act (PIPA). PIPA governs how private organizations collect, use, and disclose personal information.

Commissioner to release report on privacy law compliance by BC medical clinics

On Wednesday, September 25, 2019 at 9:30am, Information and Privacy Commissioner Michael McEvoy will release a compliance review on how medical clinics throughout British Columbia are meeting their legal obligations to protect personal information. The Office of the Information and Privacy Commissioner (OIPC) review looked at the privacy management programs, privacy policies, and collection and safeguarding of personal information at 22 BC clinics to gauge compliance with the Personal Information Protection Act.