Facial recognition practices found to breach the Privacy Act
19 November 2024
Introduction
In July 2022, the Office of the Australian Information Commissioner (OAIC) opened an investigation into the Bunnings Group Limited’s (Bunnings) use of facial recognition technology (FRT). [1] The investigation followed a report published by the consumer advocacy group CHOICE about Bunnings’ use of FRT to capture the biometric data of its customers. [2]
In a landmark decision dated 29 October 2024, the Privacy Commissioner found that Bunnings interfered with the privacy of the individuals whose personal information and sensitive information it collected through its FRT system in 62 of its retail stores between 6 November 2018 and 30 November 2021. This article will explore the decision in Commissioner Initiated Investigation into Bunnings Group Ltd (Privacy) [2024] AICmr 230 and highlight some of the key implications for Australian Privacy Principle (APP) entities.
The decision
In short, the decision considered whether use of FRT systems in retail settings is compatible with the Privacy Act 1988 (Cth) (the Privacy Act). In arriving at its decision, the Privacy Commissioner acknowledged that FRT has a role to play for business, but this needs to be balanced against privacy risks, stating the following:
Businesses have identified FRT as potentially effective in reducing retail theft and crime, as well as creating convenience for consumers. However, consumer groups and the Australian community have expressed concern about the impact of FRT on individuals’ personal privacy. Reconciling these opposing viewpoints is a pressing and complex societal and legal challenge.
Generally speaking, Bunnings used FRT to compare the faces of customers against individuals it had stored in a database who had been identified as having engaged in, or were reasonably suspected of having engaged in, actual or threatened violence, ‘Organised Retail Crime’, serious cases of theft, or other forms of criminal conduct (identified individuals). The FRT system captured and processed the facial images of every individual who entered a relevant store, “regardless of their age, appearance, demeanour or intentions”, and ‘matched’ them against the facial images of identified individuals.
The Privacy Commissioner relevantly found that Bunnings breached APP 1.2 and 1.3 in respect of transparency, APP 3.3 in relation to the collection of sensitive information, and APP 5.1 in relation to adequate notice.
Materially, the OAIC’s decision provides useful guidance on APP entities’ obligations when collecting sensitive information and on the limits of the exceptions in APP 3.4.
Collection of sensitive information
Sensitive information is a category of personal information and includes, relevantly, information or an opinion about an individual’s criminal record, biometric information that is to be used for the purpose of automated biometric verification or biometric identification, and biometric templates. An individual must give their consent to the collection of their sensitive information unless an exception in APP 3.4 applies.
Bunnings did not have the consent of customers to collect their biometric information. Bunnings argued, instead, that it did not ‘collect’ personal information (or sensitive information) of individuals who were not on the identified individuals list, and that the FRT system had been deliberately designed to scan the image of a customer and then delete it. This process took a mere 4.17 milliseconds to complete. The Privacy Commissioner did not agree and found (at paragraphs [73] and [74]) that the FRT system ‘collected’ the image of every customer who entered a store in order to perform the matching process, and that, notwithstanding that the process was “momentary”, it was a collection of sensitive information, because the FRT system could not operate without that sensitive information. The fact that the FRT system automatically deleted the information without human intervention was also irrelevant.
Exceptions to collection without consent
In circumstances where Bunnings did not have customer consent, the OAIC considered whether an exception in APP 3.4 applied. Bunnings argued that its collection was exempt because the collection was reasonably necessary:
- to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and
- in circumstances where Bunnings had reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in (s 16A, items 1 and 2).
The OAIC was not satisfied that either exception applied.
While the Privacy Commissioner accepted that the FRT system was efficient and cost effective, it was also found to be privacy intrusive and to involve the wholesale and indiscriminate collection of the personal information of every individual (including children) who entered a Bunnings store during the relevant period. The privacy impact was found to be disproportionate to the benefit, both in terms of the benefit to the safety of its staff and in relation to actual or suspected unlawful activity in a store.
Use of the FRT system was therefore not necessary on that basis, and the exceptions in APP 3.4 were found not to apply.
Key takeaways
We encourage all APP entities to read the decision in full, as it contains detailed commentary on the OAIC’s position on collection and the elements that an APP entity will need to establish to demonstrate that a permitted general situation exception applies (key takeaway: the OAIC’s position is that the exceptions will be construed narrowly and will need contemporaneous evidence from the APP entity as to necessity, suitability, alternatives and proportionality). The decision is also a timely reminder that, notwithstanding that technology is relatively cheap and can assist APP entities with their activities, any technology use needs to be carefully balanced against protecting the privacy rights of individuals.
In the face of ongoing Privacy Act reform, APP entities should take the opportunity to review their personal information handling practices and assess how current (and future) information handling practices comply with the APPs.
The OAIC made particular mention of the fact that Bunnings did not conduct a Privacy Threshold Assessment (PTA) or a Privacy Impact Assessment (PIA) prior to the introduction of the FRT system, and that this was a reasonable step Bunnings could have taken to ensure that it complied with the APPs. While a PIA is optional for organisations (but not for agencies), the Privacy Commissioner encourages all APP entities who are using or considering installing FRT to undertake a PIA to ensure the technology complies with the APPs.
Sparke Helmore’s team of specialist information lawyers will be closely monitoring developments in this space. Please reach out if we can assist your agency or organisation to comply with the Privacy Act and get ready for Privacy Act reform.
[1] OAIC opens investigations into Bunnings and Kmart | OAIC.