Australian Privacy Commissioner Carly Kind found that hardware retail chain Bunnings breached privacy laws through the use of facial recognition technology, according to a report released on Tuesday.
The Office of the Australian Information Commissioner (OAIC) released the findings of an investigation initiated under section 40(2) of the Privacy Act in July 2022 to determine whether Bunnings had been compliant with certain Australian Privacy Principles (APPs). Privacy Commissioner Carly Kind found Bunnings Group Limited “interfered with the privacy of the individuals whose personal information and sensitive information it collected through its facial recognition technology (FRT) system.” According to the Commissioner’s findings, Bunnings operated the FRT system across 63 of its stores in the Australian states of Victoria and New South Wales between November 2018 and November 2021.
The FRT system, estimated to have gathered the images of hundreds of thousands of individuals during the relevant period, used CCTV to capture the faces of every person who entered the stores. These facial images were compared against the images of people Bunnings had enrolled in a database of individuals “deemed to pose a risk to its operations.” The database included, for instance, individuals who had engaged in violent or threatening behavior or those who had been involved in theft or other criminal conduct. Bunnings informed the Commission that facial images that did not match those in the database were automatically deleted within an average of 4.17 milliseconds.
The Privacy Commissioner found Bunnings in breach of several APPs, including by failing to notify individuals that their personal and sensitive information was being collected and by failing to disclose in its privacy policy that this information was being collected. The Commissioner also found Bunnings failed to adequately implement “practices, procedures and systems” necessary to comply with the Privacy Act.
Commissioner Kind acknowledged the potential of FRT to protect against serious issues, noting it “may have been an efficient and cost effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity,” but recognized “just because a technology may be helpful or convenient, does not mean its use is justifiable,” considering “deploying facial recognition technology was the most intrusive option” in the present case.
The Privacy Commissioner’s declarations required that Bunnings not repeat or continue the acts and practices that led to the interference with individuals’ privacy. Bunnings must also publish a statement regarding its conduct and destroy all personal and sensitive information collected through the FRT a year from the publication of the statement. The OAIC has also published a new privacy guide for commercial and retail businesses considering using FRT.
Bunnings has expressed disappointment with the Commissioner’s determination and has issued a statement expressing its intention to “seek review of the Privacy Commissioner’s Determination, before the Administrative Review Tribunal.” Bunnings maintains that its FRT “appropriately balanced” its privacy obligations, affirming it was used for “safeguarding” and “protecting” the business, team, customers and suppliers.