Tribunal Overturns Privacy Commissioner's Ruling on Facial Recognition
Australia's Administrative Review Tribunal has reversed a decision by the Privacy Commissioner, ruling that hardware retailer Bunnings did not breach privacy laws by using artificial intelligence (AI) facial recognition technology to monitor customers. The Privacy Commissioner, Carly Kind, had determined in 2024 that Bunnings violated privacy laws by scanning customer faces without adequate consent.
Background of Technology Use and Legal Challenge
Bunnings conducted a two-month trial of facial recognition technology in one store in November 2018. Between January 2019 and November 2021, the use of this AI technology expanded to 62 additional stores across New South Wales and Victoria. The technology, supplied via a third party, enabled Bunnings to create an "enrolment database" containing biometric markers of customers' faces captured by CCTV cameras. These scans were cross-checked against a list of "enrolled individuals" suspected of committing theft, refund fraud, or threatening staff or the public. The number of individuals on this list sometimes reached into the hundreds.
Bunnings Managing Director Mike Schneider stated the technology's purpose was to protect individuals from violence, abuse, serious criminal conduct, and organized retail crime.
In 2024, Schneider also indicated that repeat offenders caused approximately 70 percent of incidents in Bunnings stores.
The Office of the Australian Information Commissioner (OAIC) initiated an investigation following a 2022 report by consumer advocacy group Choice, which revealed Bunnings, Kmart, and The Good Guys were using facial recognition. All three retailers subsequently ceased the practice.
Tribunal's Decision and Rationale
The tribunal found that Bunnings was entitled to use facial recognition technology for the limited purpose of combating significant retail crime and protecting staff and customers from violence and intimidation.
Key factors in the decision included the extent of retail crime faced by Bunnings and the technological features of the system. The tribunal noted that the system minimized privacy intrusion by permanently deleting collected sensitive information for non-matches (within an average of 4.17 milliseconds) and limiting its susceptibility to cyber-attack. The advanced technology was deemed to have a proportionate impact on privacy when weighed against the benefits of providing a safer environment.
Despite the ruling, the tribunal recommended that Bunnings improve its privacy policy and customer notification regarding the use of AI-based facial recognition technology, an aspect Bunnings acknowledged it "didn't get everything right."
Industry Implications and Future Outlook
The decision could establish a legal precedent for other retailers considering the adoption of AI-based facial recognition technology to mitigate crime risks. Gary Mortimer, a professor of retail and consumer behaviour at the Queensland University of Technology, expressed support for the tribunal's ruling. He stated that retailers are obligated to ensure safety for workers and customers and protect inventory, suggesting that high-tech, innovative solutions like computer vision and AI systems represent the future.
Professor Mortimer anticipates that this technology will become more common across various sectors beyond retail, citing potential applications for government workers and public transport operators.
The OAIC affirmed that the decision reinforces the Privacy Act's protections for individual privacy concerning emerging technologies. The OAIC welcomed the tribunal's confirmation that even momentary collection of personal information by advanced digital tools constitutes a collection under the Privacy Act, highlighting ongoing public concern about privacy and data protection.