Australia’s privacy watchdog has reached its second ruling on using facial recognition technology in retail. On Thursday, the Office of the Australian Information Commissioner (OAIC) concluded that department store chain Kmart breached the country’s privacy laws by collecting customers’ biometric data through its FRT system, designed to identify people committing refund fraud.

The ruling follows a similar decision on hardware retailer Bunnings. In October 2024, the watchdog ruled that the chain store breached citizens’ privacy by collecting information through CCTV cameras equipped with facial recognition, introduced to cross-check individuals against a database of customers flagged for abusive behavior.

In a statement clarifying the Kmart decision, Privacy Commissioner Carly Kind noted that in both cases, the retailers failed to comply with the Australian Privacy Act and its requirement to obtain consent from individuals to collect, use, or disclose their personal information, particularly sensitive information.

The decisions, however, do not mean that there is no proper place for surveillance technologies in public spaces, she adds.

“It may be tempting to suggest that my successive determinations amount to an effective ban on the use of this technology,” says Commissioner Kind. “However, that is incorrect; the Privacy Act is technology-neutral.”

Privacy Act must retain high bar for consent: OAIC

In its Thursday statement, the OAIC also addressed criticism from retail organizations, which highlighted uncertainty around consent and exemptions in the Privacy Act.

The agency states that the primary focus of both the Kmart and Bunnings rulings was to clarify the threshold for obtaining a consent exception.

During the investigation, both chain stores cited exceptions to the Privacy Act’s consent requirement as their legal ground for deploying FRT. The exceptions, known as “permitted general situations” (PGS), allow organizations to collect sensitive information in certain situations, including addressing unlawful activity or serious misconduct or preventing serious threats to the life, health, or safety of an individual.

“The effect of this determination is, I hope, to further clarify the threshold for reliance on the exemptions in the Privacy Act in relation to the need to gain consent for the collection of sensitive information,” Kind says. “It is a high bar that must be cleared, and for good reason.”

Retailers strike back

Despite the OAIC decision, it may not be game over for retailers – at least some of them.

In November last year, Bunnings released shocking footage showing its staff being abused at work, which supports its claims that facial recognition systems are necessary for security.

Following the release, a poll conducted by news.com.au revealed that 78 percent of nearly 11,000 respondents supported the company’s use of its facial recognition program, calling it an “important tool” to keep its team and customers safe.

Earlier this year, Bunnings launched an appeal against OAIC’s decision, claiming that it’s “unreasonable or impracticable” for it to obtain individuals’ consent to collect facial recognition data. The appeal is currently being assessed by the Administrative Review Tribunal.

Kmart’s case, however, could see a different fate.

During its investigation, launched in 2022, OAIC found that the retailer used the facial recognition system to record the faces of each person entering one of its 28 retail stores, including everyone attempting to refund items at their refund counter. The deployment lasted from June 2020 to July 2022.

The Privacy Commissioner concluded that the retailer indiscriminately and disproportionately collected biometric information of every individual who entered a store and that there were less intrusive methods to address refund fraud.

Deploying the facial recognition system also had limited utility, according to the Commissioner.

“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” says Kind.

