Australian privacy commissioner puts facial recognition on watch in new plan
Australia’s Office of the Information Commissioner (OAIC) is prioritizing its role as privacy regulator for the country’s digital ID system, according to its newly released corporate plan for the next three years.
“We will be undertaking work to ensure Australians’ privacy is protected as the Digital ID system is expanded,” the document says. “Digital ID will allow Australians to verify their identity online in a secure, convenient and voluntary way while reducing the amount of personal information that needs to be shared.”
The role involves a bit of a balancing act, in that OAIC is promising to be both watchdog and shepherd, helping stakeholders understand digital ID privacy standards with published resources and direct support – even as it polices violations.
“The OAIC will foster community trust in and uptake of Digital ID through our new role as privacy regulator for the system,” it says, noting that digital identity will eliminate the need to share and store identity documents, thereby reducing “a significant source of risk in Australians’ digital lives.”
On the other hand, it will also “provide assurance to the community of the privacy protections in the Digital ID system by using our range of enforcement powers to ensure individuals’ privacy is protected.” A later section in the document outlines the OAIC’s newly honed harm-focused and risk-based approach to regulation.
Biometrics among new technologies OAIC intends to flex on
The plan also includes some of the finer details on Australia’s digital ID rollout. The organization will “ensure there are strong privacy safeguards for people who choose to use Digital ID with an accredited provider. Digital ID will have a phased roll out of the government system to non-government participants.”
Outside of digital ID, the OAIC’s general move to grow its regulatory functions and powers also extends to so-called “emergent technologies” that have “a large impact on privacy,” including facial recognition and AI. It notes, as others have, that these technologies offer new benefits but also bring new risks.
Some offenders have already drawn the regulator’s increasingly watchful eye. The OAIC is investigating the personal information handling practices of certain corporate entities linked to high-profile data breaches, and is “also investigating Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.”
Regulator finally happy with 7-Eleven after facial recognition fiasco
Australia’s 7 News reports that the office recently wrapped up an investigation into 7-Eleven’s use of facial recognition technology, which came after the retailer was determined to be in breach of the Privacy Act in capturing 1.6 million faces on tablets, ostensibly for customers to offer feedback. Recorded faces were sent to an unnamed third party service provider, which used software to generate “an encrypted algorithmic representation of the face (face print) in the form of a string of characters.”
The provider then ran the faceprint through two processes: a “Detect API” that “assessed and recorded inferred information about the customer’s approximate age and gender” for broad demographic profiling; and a “Similarity API”, which “looked for faceprints that were similar” to weed out repeat survey respondents.
While 7-Eleven promised to stop the practice, “the controversial technology within the customer survey tablets was activated again in stores throughout 2023, and captured an additional 45,874 faces.” In a rather doubtful reassurance, the OAIC found that the second implementation was an accident triggered by an update by the third party provider, and that neither 7-Eleven nor the provider knew face biometrics were still being collected.
The OAIC is now satisfied that 7-Eleven “has implemented practices and procedures to prevent any further recurrence of the conduct and undertaken a review of its privacy practices to enhance the protection of personal information that it holds.”
However, it also notes – once again – that it intends to keep a watchful eye on facial recognition in general, calling it “a regulatory priority for the agency,” and likely to remain so for a long time. “Work in this space is complex and lengthy, and the volume is expected to increase as the OAIC continues to prioritize our regulatory effort based on risk of harm to the community.”