The OAIC has concluded its Commissioner initiated investigation into the inadvertent reactivation of facial recognition technology (FRT) by 7-Eleven Stores Pty Ltd (7-Eleven).
The OAIC is satisfied that 7-Eleven has implemented practices and procedures to prevent any further recurrence of the conduct and undertaken a review of its privacy practices to enhance the protection of personal information that it holds.
Background
In late 2021 the Australian Information Commissioner (Commissioner) issued a determination under section 52 of the Privacy Act 1988 (Cth) (Privacy Act) regarding 7-Eleven’s use of FRT in a customer feedback survey.[1]
The Commissioner declared that 7-Eleven had interfered with the privacy of individuals whose personal and sensitive information was collected through the survey in breach of Australian Privacy Principles (APP) 3.3 and 5.
The determination included a declaration that 7-Eleven not repeat or continue this conduct.
In April 2023 7-Eleven voluntarily notified the Commissioner that its service provider had inadvertently re-enabled FRT functionality in 54 7-Eleven stores across Australia during the maintenance of devices used to conduct the survey.
The functionality was active for approximately 12 months before it was identified and promptly deactivated. During this period, 45,874 facial images were captured.
7-Eleven’s privacy uplift
The Commissioner has investigated the acts and practices that resulted in the reactivation of FRT and considered the remediation steps undertaken by 7-Eleven following discovery of the incident.
The OAIC is satisfied that:
- the reactivation was entirely inadvertent and a result of an automatic setting in new devices deployed across the impacted stores
- upon discovery of the incident, 7-Eleven promptly directed its service provider to delete all facial images that had been captured (to the extent any were retained) and received confirmation that this has occurred
- 7-Eleven and its service provider were unaware that facial images were being captured at the affected 54 stores at all times until the incident was discovered in late March 2023
- 7-Eleven did not have access to the facial images at any time
- shortly after the discovery of the incident 7-Eleven and its service provider implemented a new feature which disabled the FRT functionality on a company level, which overrides individual device settings, for all 7-Eleven stores, as well as a mechanism to scan all 7-Eleven devices hourly to ensure that FRT is disabled.
Accordingly, the OAIC considers that 7-Eleven has adequately addressed the privacy deficiencies that led to the incident. Having regard to all the circumstances, the OAIC has decided that further action in relation to this matter is not warranted and has closed its investigation.
The OAIC recognises and appreciates the decision of 7-Eleven to voluntarily report the incident. In doing so, 7-Eleven has acted consistently with the principles of good corporate governance and has assisted the OAIC in promoting and upholding the privacy rights of Australians.
The OAIC remains concerned about the proliferation of FRT. The use of this technology continues to be a regulatory priority for the agency and entities should ensure that they embed privacy into each new planned use of FRT at the outset and implement iterative testing of the robustness of their privacy protections.
