Hardware giant Bunnings breached the privacy of "likely hundreds of thousands" of Australians through its use of facial recognition technology, the Privacy Commissioner ruled today.
"Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly," the commissioner Carly Kind said.
The ruling is the culmination of a two-year investigation. Bunnings claimed it is "deeply disappointed" by the decision, and is seeking a review.
The commissioner did not seek to impose a fine on Bunnings for the breach of privacy.
If the ruling stands, it could have big implications for Australian shoppers and retailers. It also strengthens the case for removing a significant loophole in Australia's privacy law.
Right now, that loophole allows businesses to collect your biometric information without your explicit consent by simply putting up signs.
Bunnings is a hardware and garden supplies chain with more than 500 stores across Australia and New Zealand. It is owned by Wesfarmers and in 2023 had a total revenue of $18.54 billion.
Bunnings ran a trial of a facial recognition technology system between January 2019 and November 2021 in at least 62 stores in Victoria and New South Wales. This followed an earlier two-month trial in one store, which started in November 2018.
The system was incorporated into security cameras and captured the facial image of every person who entered a store. The system then analysed these images to create a searchable database of facial images.
The person's file could be assigned to a range of categories. These included:
Bunnings stated its "sole and clear intent" in conducting the trial was to keep team members and customers safe and prevent unlawful activity.
The privacy commissioner launched an investigation into Bunnings in July 2022. This followed a report from consumer advocacy group CHOICE about the company's use of facial recognition technology.
The commissioner acknowledged the potential of facial recognition technology to reduce violence and theft. However, she added:
any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society.
In this case, the commissioner found Bunnings' use of facial recognition technology breached Australian privacy law because the company did not obtain consent from its customers nor inform them it was collecting their biometric information.
The commissioner ordered Bunnings not to continue or repeat the practice in the future. She also ordered Bunnings to destroy all of the personal and sensitive information of its customers it still holds (after 12 months), and to publish a statement about the ruling online within 30 days.
However, the commissioner has not applied to the Federal Court to impose a financial penalty on Bunnings for the privacy breach. If she had done so, as a "body corporate" Bunnings could have faced a maximum fine of $50 million.
Despite the lack of a fine against Bunnings, this ruling may still have a number of significant implications for Australian shoppers and retailers.
First, it could lead to a more thoughtful and ethical use of technology in retail environments. Alongside the ruling, the commissioner's office released clear guidance on the application of the Privacy Act to facial recognition technology in the hope it will help companies follow the letter of the law.
Second, the ruling reinforces a broad definition of biometric information introduced by the privacy commissioner last year, in a case against facial recognition company Clearview AI.
During a hearing at the Administrative Appeals Tribunal, the commissioner stated that "even a photograph could be described as one of the lower levels of biometric recognition". The tribunal accepted this definition.
In this case against Bunnings, the privacy commissioner has applied that definition. This puts retailers on notice. They will no longer be able to hide behind claims that they "just collect video information but not biometric data". Any image of a face is a potential source of biometric data and therefore should be protected under privacy law.
The ruling against Bunnings also strengthens the case for a more thorough update to Australian privacy law.
At present, the law doesn't specifically require businesses to obtain express consent when collecting biometric information. It only requires them to obtain "consent".
This assumes that implied consent is valid, which is achievable, for example, by erecting signs informing customers upon entry that there is a facial recognition camera on the premises. This suggests that if you enter, you agree for your facial information to be collected.
This loophole was overlooked in the proposed privacy reforms released by the federal government earlier this year.
The Bunnings case clearly demonstrates the need for an updated and clear legal definition of consent to protect peoples' privacy. It also demonstrates the need for additional legal tools to protect biometric information, such as a technical standard for facial recognition technology.
This standard could then be enforced by a statutory authority, which would issue licences to businesses wanting to use facial recognition technology, as well as conduct regular audits and checks to ensure the standard is being upheld.