Australian Privacy Commissioner’s FRT ruling could have major implications for retail

The Australian government has found a major retail chain has breached Australians’ privacy in a case that could have major implications.

Privacy Commissioner Carly Kind has found Bunnings Group Limited breached citizens’ privacy by collecting personal and sensitive information through a facial recognition technology system.

The system used CCTV to capture the faces of every person who entered 63 Bunnings stores in the Australian states of Victoria and New South Wales between November 2018 and November 2021.

Bunnings argued the system was used to protect stores from “violent and organized crime.” The retail group is seeking a review of the Commissioner’s decision and commented that it was “deeply disappointed” with the finding.

But Kind weighed the “possible benefits” against the impact on privacy rights. “Facial recognition technology may have been an efficient and cost effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression,” she said.

“However, just because a technology may be helpful or convenient, does not mean its use is justifiable,” she continued. Commissioner Kind found Bunnings collected individuals’ sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy.

“We can’t change our face,” she said. “The Privacy Act recognizes this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”

Bunnings has been ordered to destroy the personal and sensitive information it collected and not to repeat the practice in future.

“This decision should serve as a reminder to all organizations to proactively consider how the use of technology might impact privacy and to make sure privacy obligations are met,” Kind said.

Australia’s Office of the Information Commissioner (OAIC) has expanded its role as privacy regulator for the country’s digital ID system, balancing its roles as both watchdog and shepherd.

Article Topics

Australia  |  biometric identification  |  biometrics  |  criminal ID  |  data privacy  |  facial recognition  |  regulation  |  retail biometrics