Despite being found to have contravened Australian Privacy Principles in its use of facial recognition technology (FRT) at its stores, Bunnings wins appeal to roll out the technology for safety purposes.
Last week (4 February), in an appeal made by Bunnings, the Administrative Review Tribunal (ART) ruled that the hardware company contravened Australian Privacy Principles (APP) 1 (open and transparent management of personal information) and 5 (notification of the collection of personal information) in its rollout of FRT at its stores.
Despite this ruling, the tribunal dismissed the privacy commissioner’s finding that Bunnings had contravened APP 3.3 (collection of solicited personal information), as the FRT use was “for the limited purpose of combating retail crime and protecting their staff and customers from violence, abuse and intimidation within their stores”, said the Office of the Australian Information Commissioner (OAIC).
“This important decision is consistent with the robust and technologically neutral approach to privacy regulation enshrined in the Privacy Act and embodied by the OAIC’s regulatory approach,” an OAIC spokesperson said.
Not a widespread endorsement of biometric technologies
Clayton Utz partner Steven Klimt said this decision is not a widespread endorsement of biometric technologies.
“Even where information is not sensitive, the decision highlights the need for businesses to actively identify and mitigate privacy risks to comply with APP 1.2,” said Klimt.
According to the OAIC website, APP 1.2 provides that an APP entity is obligated to “take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and any binding registered APP code, and is able to deal with related inquiries and complaints”.
“In this case, the tribunal accepted that the scale and nature of violence and theft in Bunnings’ stores, including repeat offending, as well as features of the store environment such as multiple entry and exit points and the availability of items capable of being used as weapons, justified a targeted security response,” said Holding Redlich general counsel Lyn Nicholson.
“The ruling illustrates that organisations seeking to rely on exceptions under the Privacy Act must be able to substantiate the risk, demonstrate why biometric collection is warranted, and ensure that privacy policies and customer notifications accurately reflect how the technology operates.”
No blanket prohibition on FRT
Nicholson said this decision highlights that “the Privacy Act does not impose a blanket prohibition on the use of facial recognition technology … Its lawful use depends on a reasonable suspicion of unlawful activity and a proportionate response to that risk.”
For Nicholson, this ruling acts as further guidance on the assessment of proportionality under the Privacy Act.
“The tribunal assessed proportionality by reference to the seriousness of the harm being addressed, the limited purpose for which the technology was deployed, and the extent to which privacy impacts were mitigated through system design,” she said.
Despite this, Nicholson emphasised that other obligations under the Australian Privacy Principles remain in place.
A ‘partial win’ by Bunnings
Klimt stressed that businesses should “carefully consider the privacy consequences of the collection of information, particularly in relation to emerging technology and where the information is sensitive information”.
He said: “One of the most significant aspects of the ruling is the confirmation that even momentary or automated processing of facial images amounts to ‘collection’ under the Privacy Act, even if that information is deleted within four milliseconds”.
“This has broad implications not just for retailers, but for any business using AI-driven or real-time technologies. Businesses may wish to reassess practices they may not currently regard as involving the collection of personal or sensitive information.”
“Retailers and other businesses should undertake privacy risk assessments early, particularly where sensitive information is involved.”
Klimt said the decision is expected to influence how FRT and other biometric technology use is designed and justified by businesses.
“We expect this decision to influence how businesses design and justify use of FRT and other technologies. However, we also expect that OAIC will continue closely scrutinising the use of FRT and other emerging technologies, particularly any reliance on exemptions to avoid obtaining consent, how such technology is disclosed in privacy notices and policies and how (and when) an entity satisfies its obligations under APP 1.2 to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities that will ensure the entity complies with the APPs,” he said.
This decision is subject to an appeal period.
Carlos Tse is a graduate journalist writing for Accountants Daily, HR Leader and Lawyers Weekly.