Hardware giant Bunnings breached the privacy of potentially hundreds of thousands of Australians when it used facial recognition technology on in-store CCTV footage, the privacy watchdog has found.
In a long-awaited finding on Tuesday, Privacy Commissioner Carly Kind determined that the retailer’s use of the facial recognition system without consent over three years was disproportionate to the risk of violence or theft posed to stores.
The landmark determination follows a two-year investigation into Bunnings and Wesfarmers’ sister retailer Kmart prompted by research conducted by consumer advocacy group Choice. The Kmart investigation is ongoing.
Choice found that Bunnings and Kmart, as well as The Good Guys, analysed CCTV footage to create profiles or ‘face prints’ without properly informing customers or receiving clear consent, resulting in a complaint to the privacy watchdog.
The companies initially defended their use of facial recognition, which they said was needed to reduce theft and keep employees safe and was signposted at stores and in online privacy policies, but later paused their use of the technology.
On Tuesday, Ms Kind said facial recognition technology had the potential to help protect against crime and aggression in store, but that its use must be “weighed against the impact on privacy rights, as well as our collective values as a society”.
“Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression,” she said.
“However, just because a technology may be helpful or convenient, does not mean its use is justifiable.
“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.”
Ms Kind found Bunnings collected sensitive information without consent when it captured the faces of every person who entered 63 of its stores in Victoria and New South Wales between November 2018 and November 2021.
She also said that the company failed to take reasonable steps to notify individuals that their personal information was being collected and did not include required information in its privacy policy.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” she said.
“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”
Bunnings has been ordered not to “repeat or continue” the use of facial recognition, which has been paused since the investigation by the Office of the Australian Information Commissioner began in July 2022.
In response to the orders, Bunnings managing director Mike Schneider said the company would be seeking a review of the determination before the Administrative Review Tribunal.
Mr Schneider said the company’s use of the technology “appropriately balanced” privacy obligations with the need to protect staff and customers from violence by a “small number of known and repeat offenders” in stores.
“We know that some 70 per cent of incidents are caused by the same group of people. While we can physically ban them from our stores, with thousands of daily visitors, it is virtual impossible to enforce these bans,” he said.
“The trial demonstrated the use of FRT was effective in creating a safer environment for our team members and customers, with stores participating in the trial having a clear reduction of incidents, compared to stores without FRT.”
The Bunnings determination comes less than two months after the OAIC closed a similar investigation into the use of facial recognition technology at 7-Eleven convenience stores. Like Bunnings, it ordered 7-Eleven no to repeat the practice.
Do you know more? Contact James Riley via Email.