Carly Kind
Privacy Commissioner
Today, the OAIC published my determination that retailer Bunnings Group Limited breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.
We recognise that many people have been eagerly awaiting the decision and have been looking to the OAIC to provide clarity on how and under what circumstances new technologies can be used consistently with the Privacy Act.
To that end, alongside the determination, we have published today:
- a one-page summary of the investigation and determination
- guidance on the application of the Privacy Act to facial recognition technology, which explains the relevant considerations for entities wishing to use technology for facial identification
- a one-page summary of the facial recognition guidance.
While the decision speaks to the specific facts and circumstances of Bunnings’ use of facial recognition technology, there are some important takeaways for the regulated community, especially around the use of facial recognition technology in retail settings.
The first of those takeaways may seem obvious, but it is important to emphasise – the use of facial recognition technology interferes with the privacy of anyone who comes into contact with it.
Even though advanced facial recognition technology tools may only involve the retention of personal information for mere milliseconds, they nevertheless amount to a collection of sensitive personal information to which the Privacy Act applies. Using facial recognition technology to collect biometric information of individuals not only enlivens the requirements of the law, but it exposes individuals to risks, such as being subject to an inaccurate match with a ‘watchlist’ and being expelled from a retail setting, or being contacted by police. Facial recognition technology may occasion additional interferences when individuals’ biometric information is added to such watchlists and retained for comparison within the system.
Because facial recognition technology is a high-privacy-risk technology, it is not justifiable for entities to use it merely because it is available, convenient or desirable. Rather, businesses will need to consider a number of factors to satisfy themselves that it is reasonably necessary to collect this information in order to carry out their functions and activities.
Rather than being caught up in technological hype, entities should consider how suitable facial recognition technology is to their needs. How effective is facial recognition technology in achieving the objectives entities have for it, and is there a less privacy-intrusive way that the same outcome could be achieved? In this context, it is relevant that facial recognition technology can often deliver false positives and that it can be circumvented through relatively simple means such as the use of face masks or balaclavas. In my determination, I found that as the technology was geared towards identifying repeat offenders in Bunnings stores, it was relevant only to a small portion of the security threats faced by the retailer. Entities should ask whether other, less intrusive methods could achieve the same outcome.
Even if entities are able to satisfy themselves that facial recognition technology is sufficiently effective in achieving the necessary aims, they also need to look at whether the benefits gained outweigh the privacy interference caused. To that end it will be relevant how many customers are affected by facial recognition technology, and how transparent the entity is about its use of the technology, including whether informed consent has been obtained. In the Bunnings matter, hundreds of thousands of people likely had their personal information collected, without their knowledge. This kind of covert and indiscriminate surveillance undermines individuals’ control over their personal information, and can have larger societal impacts.
Going forward, if entities wish to use facial recognition technology in retail settings, they must first consider the privacy implications and risks. Entities should adopt a privacy by design approach, assessing the level of risk associated with the practice and the appropriate tool to mitigate that risk, and documenting this exercise. If entities determine that the use of this technology is necessary and proportionate to the outcome they want to achieve, they will need to ensure individuals can provide informed consent to the collection of this sensitive information, and that they are transparent about their use of facial recognition technology in the circumstances.
Far from undermining the effectiveness of facial recognition technology, being transparent and clearly communicating that facial recognition technology is in use may have the effect of positively shaping customer behaviour, helping entities to achieve their objectives. In any event, it will empower customers to make a choice about whether they want to frequent that retail setting, in full knowledge that facial recognition technology is in use.
More than a quarter of Australians (27%) feel that facial recognition technology is one of the biggest privacy risks faced today, and only 3% of Australians think it’s fair and reasonable for retailers to require their biometric information when accessing their services. For entities considering using facial recognition technology, being mindful and acting on the takeaways I’ve identified above will help to ensure the technology is used in a way that is consistent with the Privacy Act and community expectations.