Partial tribunal victory allows Bunnings to keep facial recognition system

The Administrative Review Tribunal of Australia has partially upheld a ruling by the Privacy Commissioner that major retail chain Bunnings breached the country’s data privacy rules with its use of facial recognition for theft prevention. The retailer will not have to switch its biometric system off, however, as its grounds for operating have been found adequate, leaving significant but more easily-fixed compliance issues.

The Office of the Australian Information Commissioner (OAIC) ruled in November, 2024 that Bunnings deployment of Hitachi facial recognition to identify people entering its stores after being caught shoplifting was in violation of Australian Privacy Principles 1, 3 and 5.  APP 1 requires open and transparent management of personal information, APP 3 sets the conditions under which personal information can be collected and APP 5 mandates notifications when collection occurs.

The Tribunal found specifically that Bunnings breached APP 1.2, 1.3 and 5.1.  Under 1.2, the chain is responsible for implementing the necessary practices, procedures and systems for compliance.  An appropriate and compliant privacy policy is required under 1.3, and 5.1 directs businesses to take reasonable steps to notify affected individuals.

Bunnings won decisions on APP 3.3 and 3.4. The Tribunal ruled that the retailer was allowed to collect sensitive information without gathering consent, as required in APP 3.3, because subclause 3.4 provides an exception for “permitted general situations.”  These are defined in section 16A of the Privacy Act, and include being necessary for the entity to function and safety considerations.

The partial victory allows Bunnings to continue using its facial recognition theft prevention system, as long as it resolves its privacy policy and public notification issues.

Commissioner Carly Kind made clear following her initial verdicts against Bunnings and Kmart that she does not see the Privacy Act as actually prohibiting facial recognition use in public spaces, arguing that it merely sets a high bar for consent.

“Today’s decision confirms the Privacy Act contains strong protections for individual privacy that are applicable in the context of emerging technologies. It underscored the importance of APP entities maintaining good privacy governance and complying with the Australian Privacy Principles in adopting new tech, and that limited exemptions are subject to robust criteria that must be assessed on a case-by-case basis,” said an OAIC spokesperson in the announcement.

The OAIC particularly welcomed the affirmation that collected personal information does not need to persist to count as collection under the country’s Privacy Act. Bunnings had argued that it does not require informed consent from data subjects due to the immediate deletion of photos once biometric templates are generated.

The regulator says it is considering the Tribunal’s decision, and could appeal.

Article Topics

Australia  |  biometrics  |  data privacy  |  facial recognition  |  Office of the Information Commissioner (OAIC)  |  retail biometrics