Australia’s data protection regulator has found that a retail chain’s use of facial recognition breached privacy law – but the company plans to appeal against the decision.

Bunnings Group, which operates more than 500 hardware stores across Australia and New Zealand, had used its CCTV system to capture the faces of visitors to 63 of its branches in Victoria and New South Wales between November 2018 and November 2021. That facial data was then checked against an internal database of individuals deemed to pose a risk, such as through past criminal behaviour.
The Office of the Australian Information Commissioner (OAIC) said today that this activity breached those individuals’ privacy rights by collecting sensitive data without consent, failing to properly notify them, failing to ensure compliance with legal privacy principles, and failing to include sufficient information in its privacy policy.
Privacy commissioner Carly Kind said: “Facial recognition technology may have been an efficient and cost effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression. However, just because a technology may be helpful or convenient, does not mean its use is justifiable.”
“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.”
Bunnings must now cease the prohibited activity, publish a statement on its conduct and delete all the relevant data.
The company has already said that it will challenge the finding before Australia’s Administrative Review Tribunal, arguing that its use of facial recognition technology appropriately balanced privacy concerns against the need to counter crime and violent behaviour.
“We know that some 70% of incidents are caused by the same group of people,” the company said in a statement. “While we can physically ban them from our stores, with thousands of daily visitors, it is virtually impossible to enforce these bans. FRT [facial recognition technology] provided the fastest and most accurate way of identifying these individuals and quickly removing them from our stores.”
Bunnings said that it had never used the data for marketing or other commercial purposes, and that unless the facial data was matched with an entry in its database it was deleted in under a second.
The company acknowledged that it did not publicise its use of facial recognition technology when first starting the programme, but said it did later include references to it on its entry signs and in its privacy policy.
The OAIC has previously issued findings against retailers for their use of facial recognition, including against 7-Eleven in 2021. The investigation into Bunnings was launched in July 2022, alongside an inquiry into Kmart’s use of the technology, after consumer advocacy group CHOICE submitted information on the companies’ practices.
The regulator also issued a similar finding against Clearview in November 2021, successfully defending the action at the Administrative Appeals Tribunal in May 2023.