Bunnings Breach Australian Privacy Act

AUSTRALIA | Following CHOICE’s 2022 investigation into Bunnings’ use of facial recognition technology, the Office of the Australian Information Commissioner (OAIC) has announced that Bunnings has breached the Privacy Act.

Privacy Commissioner Carly Kind has found Bunnings Group Limited breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.

The system, via CCTV, captured the faces of every person who entered 63 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021.

“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” said Commissioner Kind.

“We acknowledge the potential for facial recognition technology to help protect against serious issues, such as crime and violent behaviour. However, any possible benefits must be weighed against the impact on privacy rights and our collective values.”

Kind added that facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, including violence and aggression incidents. However, just because a technology may be helpful or convenient does not mean its use is justifiable.

In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.

It was found that Bunnings collected individuals’ sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy.

These findings addressed issues of proportionality and necessity and highlighted Bunnings’ lack of transparency regarding its use of facial recognition technology.

“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even briefly,” added Commissioner Kind.

“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”

Bunnings failed to take reasonable steps to implement the practices, procedures, and systems required to comply with the Privacy Act. It has been cooperative throughout the investigation and paused its use of facial recognition technology pending the outcome.

The Commissioner has made various orders, including that Bunnings must not repeat or continue the acts and practices that led to the interference with individuals’ privacy.

“This decision should remind all organisations to consider how technology might impact privacy proactively and ensure privacy obligations are met. Organisations should be aware that ensuring emerging technologies align with community expectations and regulatory requirements is high among our priorities.”

The Office of the Australian Information Commissioner has published a new privacy guide for businesses considering using facial recognition technology in a commercial or retail setting.

“This landmark decision will prompt all businesses to think carefully about using facial recognition in Australia going forward,” said CHOICE Senior Campaigns and Policy Advisor Rafi Alam.

“We know the Australian community has been shocked and angered by the use of facial recognition technology in several settings, including sporting and concert venues, pubs and clubs, and big retailers like Bunnings.”

Alam said that while the Commissioner’s decision was a vital step in the right direction, more must be done.

“Australia’s current privacy laws are confusing, outdated and difficult to enforce. CHOICE first raised the alarm on Bunnings’ use of facial recognition technology over two years ago. In the time it took to reach today’s determination, the technology has only grown in use.”