Background to the Bunnings complaint
In recent years, the use of facial recognition technology (FRT) has proliferated across various industries, including retail. Some retailers – Bunnings among them – have identified FRT as an effective way to reduce in-store theft. Over a three-year period (from November 2018 to November 2021) Bunnings used an FRT system to monitor CCTV footage and process the facial images of individuals entering its stores. These images were then matched against the images of previously registered individuals. Non-matched facial images were deleted within a few milliseconds of collection.
Facial images are a form of biometric information, and are classified as sensitive information under the Privacy Act.
On 12 July 2024, the OAIC opened an investigation into Bunnings following a complaint from consumer advocacy group CHOICE. CHOICE raised two key concerns:
- that reliance on an online privacy policy and small signage within stores to provide notice and obtain consent was insufficient and non-compliant with the Privacy Act; and
- that Bunnings' large scale collection and use of sensitive information was a disproportionate measure in mitigating the threats of theft and anti-social behaviour within stores.
Bunnings' response
"The electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye... We never used data for marketing purposes or to track customer behaviour."
- Michael Schneider, Managing Director, Bunnings
Bunnings responded to initial OAIC inquiries by asserting that its actions did not contravene the Privacy Act, on the basis that:
- the FRT only held customers' sensitive information for a few milliseconds (specifically, 4 milliseconds) and Bunnings was therefore not 'collecting' information;
- Bunnings' conduct fell under the 'general permitted situation' exception, as Bunnings reasonably believed the collection was necessary to prevent a serious threat to safety and collecting prior consent from customers was unreasonable and impractical; and
- Bunnings suspected customers were engaging in serious misconduct or unlawful activity and reasonably believed that FRT was necessary to take appropriate action.
Bunnings acknowledged that it initially failed to inform customers about its use of FRT on entry signage. However, following the commencement of the OAIC investigation, Bunnings updated its entry signs and privacy policy to include this information.
The OAIC's determination
On 19 November 2024, the OAIC published a determination (Determination) in which it found that Bunnings had breached the Privacy Act by:
- collecting individuals' sensitive information without their consent;
- failing to take reasonable steps to notify individuals about the collection of their personal information;
- failing to take reasonable steps to implement practices, procedures, and systems to ensure it complied with the Australian Privacy Principles (APPs), and in particular, APPs 1.2, 1.3, 3.3 and 5.1; and
- failing to be sufficiently transparent in its privacy policies about the kinds of personal information it collected and held, and how it collected and held this information.
The OAIC's orders
The OAIC did not impose a fine on Bunnings, citing its compliance throughout the investigation. However, Bunnings was ordered to:
- cease all acts and practices that were found to constitute interferences with privacy;
- following a 12-month period, destroy all personal information (including sensitive information) collected via the FRT; and
- publish a statement about its contravening conduct.
Bunnings continues to defend FRT
Since the Determination's release, Bunnings has shared footage of violent incidents in its stores with various media outlets. Bunnings' Managing Director published an op-ed, highlighting a 50% increase in 'abuse, threats and assaults' in the past 12 months as a key justification for initiating the FRT trial.
Bunnings is also seeking a review of the Determination, arguing that its use of FRT appropriately balances privacy obligations with its need to protect staff, customers and suppliers from crime. A Bunnings spokesperson has also stated that Bunnings intends to roll out FRT technology in all Bunnings stores if the appeal is successful.
"The notion that this [4.17 milliseconds] constitutes data collection deserves to be tested before the courts."
- Michael Schneider, Managing Director, Bunnings
Key takeaways for organisations
The Determination highlights two important lessons for organisations:
- The length of time for which information is held by a system is irrelevant in determining whether personal information is 'collected' under the Privacy Act. Even a system that caches or stores information for a fraction of a second will still 'collect' that information.
- Businesses using (or considering using) FRT must first consider less intrusive alternatives, carefully balance the benefits against potential privacy impacts, and ensure that their practices are sufficiently transparent.
Tips for best practice
The OAIC acknowledged that FRT can be an efficient and cost-effective tool for businesses to address serious issues such as crime and violence. However, these potential benefits must be carefully weighed against their impact on individuals' privacy rights.
To assist businesses in understanding and discharging their privacy obligations when using FRT, the OAIC has published a new privacy guide. This guide emphasises that businesses that wish to implement FRT should conduct a privacy impact assessment (PIA) as a first step. Additionally, businesses must ensure that sensitive information, such as facial images, is handled in compliance with the Australian Privacy Principles (APPs). Key principles to consider include:
- APP 3: Necessity and proportionality
Personal information for FRT must only be collected if it is necessary, proportionate to the circumstances and cannot be reasonably achieved through less privacy-intrusive means.
- APPs 3 and 5: Consent and transparency
Individuals should proactively be provided with sufficient notice and clear information to allow them to provide meaningful consent to the collection of their personal information.
- APP 10: Accuracy, bias and discrimination
Businesses must consider the accuracy of the information used in FRT and take steps to mitigate the risks of bias and discrimination.
- APP 1: Governance and ongoing assurance
Organisations that use FRT must establish robust privacy risk management practices and policies, ensure that they are effectively implemented, and regularly review them.
Where to from here?
The Determination highlights the need for businesses to remain vigilant and proactive in adapting to evolving privacy obligations as technology advances. It also serves as a reminder that regulatory scrutiny in this area is intensifying, with the OAIC actively investigating similar practices, including those of Kmart Australia Limited.
MinterEllison offers full-service IT, legal and consultancy services with expertise in privacy and data protection. Our team has extensive experience in navigating complex privacy regulations and can provide tailored advice to you. Please contact us if you would like assistance with your organisation's privacy practices.