All posts by privacybrief

Privacy row over FBI iris scan database

The FBI has collected nearly 430,000 iris scans over the past three years, an investigation by technology website The Verge, has revealed.

Privacy International said it was “deeply concerning” that hundreds of thousands of iris scans were being added to a database without public debate, proper safeguards “or even awareness that such data has been taken and is being stored”.

“If our biometric data is to be collected at all, such systems should not be introduced or continued before a public debate, strong legal frameworks, and strict safeguards are in place,” the organisation told the BBC.

Link: Radio New Zealand

Law Commission begins joint review of the Search & Surveillance Act 2012

The Minister of Justice has asked the Law Commission and Ministry of Justice to review the operation of the Search and Surveillance Act 2012.  The Act controls how police and certain other government agencies search people or property, as well as the use of surveillance devices for the purpose of investigating crime.

The Law Commission and Ministry of Justice will be calling for public submissions later this year and will report to the Minister by the end of June 2017.

Link: Law Commission media release

Privacy scrutiny for Oculus Rift

Concerns have emerged this week over the privacy policy wording of Facebook’s virtual reality company (and Facebook subsidiary) Oculus Rift.

First to press was ZDNet, highlighting wording that purports to disclaim responsibility for data breaches.  This was followed by a letter (PDF) to the company from Senator Al Franken, demanding more detailed disclosures on what information Oculus collects from users and what it does with that data.

All in all, this is a timely reminder of the PR implications of privacy policies, especially for high profile businesses.  In jurisdictions like New Zealand, it is also an open question as to whether disclaimers of the kind highlighted above might attract attention from regulators under  unfair contract terms legislation.

Link: ZDNet  |  TechCrunch
Hat-tip: IAPP

UK lawyers condemn ‘snooper’s charter’

More than 200 senior members of the legal profession – including QCs, law professors, senior lawyers and former judges – have signed an open letter to the UK Government condemning the Investigatory Powers Bill currently before Parliament.  The letter describes the Bill as “unfit for purpose”, citing its failure to reflect international standards for surveillance powers, especially in relation to bulk data collection, targeting, and grounds for the issuing of warrants.

Link: Guardian article  |  Draft Bill

New scrutiny for Privacy Act exceptions for SIS and GCSB

Radio NZ has coverage on the results of the recent review of New Zealand’s Security Intelligence Service (SIS) and Government Communications Security Bureau (GCSB).

Of particular interest to the media is the exemption in s57 of the Privacy Act, which provides that certain aspects of the Act do not apply to information collected, obtained, held, used, or disclosed by, or disclosed to,  the SIS and GCSB.

This means the Privacy Act does not prohibit private entities such as banks and telcos from disclosing customers’ personal information to the SIS or GCSB, though of course other restrictions such as customer confidentiality may still be relevant in the absence of a warrant that compels disclosure.

The Radio NZ report notes that the Privacy Commissioner is calling for a tightening of the rules on collection of personal information by the SIS and GCSB.

Link: Radio NZ Report

IP addresses as personal information

Over at, data protection lawyer Kathryn Wynn sets out her views on why IP addresses are best treated as personal information, regardless of which way the European Court of Justice rules in a pending case in Germany.

The ECJ has been asked to rule on whether website operators’ collection of IP addresses automatically qualifies as the collection of personal information, by virtue of the fact that additional information in the hands of third party ISPs could be used to identify individuals based on those IP addresses.

Link: Out-Law

Face-reading technology: coming soon to a retailer near you

CBC has an interesting article on face-reading technology and its potential applications in “bricks and mortar” retail stores.  The article also links to a report (PDF) on automated facial recognition from The Office of the Information Privacy Commissioner of Canada.  There’s plenty to think about here for any retailer looking to optimise their marketing and sales strategies using information gleaned from in-store tracking or monitoring of any kind.

Link: CBC
Hat Tip: Barry Sookman