Privacy Commissioner Carly Kind has found Bunnings Group Limited breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.
The system, via CCTV, captured the faces of every person – likely hundreds of thousands of individuals – who entered 63 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021.
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Commissioner Kind said.
“We acknowledge the potential for facial recognition technology to help protect against serious issues, such as crime and violent behaviour. However, any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society.
“Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression. However, just because a technology may be helpful or convenient does not mean its use is justifiable.
“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals,” said Commissioner Kind.
As well as addressing issues of proportionality and necessity, the determination highlights the lack of transparency around Bunnings’ use of facial recognition technology.
Commissioner Kind found Bunnings collected individuals’ sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” said Commissioner Kind.
“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”
The determination also points to governance shortcomings, with Commissioner Kind finding Bunnings failed to take reasonable steps to implement practices, procedures and systems required to comply with the Privacy Act.
Bunnings has been cooperative throughout the investigation and paused its use of facial recognition technology pending the outcome. The Commissioner has made various orders, including that Bunnings must not repeat or continue the acts and practices that led to the interference with individuals’ privacy.
“This decision should serve as a reminder to all organisations to proactively consider how the use of technology might impact privacy and to make sure privacy obligations are met,” said Commissioner Kind.
“Organisations should be aware that ensuring the use of emerging technologies aligns with community expectations and regulatory requirements is high among our priorities.”
Bunnings has the right to seek review of the determination.
To assist businesses to meet privacy obligations, the Office of the Australian Information Commissioner has published a new privacy guide for businesses considering using facial recognition technology in a commercial or retail setting.
Commissioner Kind has published a blog post with further takeaways for other retailers considering using facial recognition technology.