Lowest prices were just the beginning for hundreds of thousands of Australians whose facial data was recorded by Bunnings without their consent.
The Office of the Australian Information Commissioner (OAIC) has ruled the retail giant breached privacy laws when it used CCTV-linked facial recognition technology (FRT) to capture the face of every person who entered 63 stores in NSW and Victoria in the three years to November 2021.
Bunnings managing director Mike Schneider said the company launched the technology to tackle shoplifting and violence in its stores and would appeal the ruling.
“FRT was trialled at a limited number of Bunnings stores in Victoria and NSW between 2018-2021, with strict controls around its use, with the sole and clear intent of keeping team members and customers safe and preventing unlawful activity,” Schneider said in a statement.
About 70 per cent of incidents were caused by “the same group of people”, the company said.
“FRT provided the fastest and most accurate way of identifying these individuals and quickly removing them from our stores.”
In her ruling, privacy commissioner Carly Kind acknowledged the potential of the technology to protect against crime and violent behaviour.
“However, any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society,” she said.
The determination found Bunnings had taken customers’ private information without consent, failed to take steps to notify them and had left gaping holes in its privacy policy.
Bunnings has used facial recognition technology in its stores. Source: AAP / /
Kind said the technology was an intrusive option that interfered with all customers’ privacy, not just high-risk individuals.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” she said.
“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”
Bunnings has been ordered not to repeat or continue the practice and must destroy all personal and sensitive information it collected through FRT within a year.
Against a backdrop of rapid technological change, the determination followed a two-year investigation and was a landmark ruling for Australian privacy laws.
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Kind said.
The OAIC said the ruling should be a reminder to businesses about their privacy obligations and has released a for companies considering using facial recognition tech.
Consumer advocate CHOICE, which raised the alarm on Bunnings’ practices more than two years ago, said the technology had only grown in use since.
“While the decision from the Office of the Information Commissioner is a strong step in the right direction, there is still more to be done,” CHOICE’s campaigns and policy advisor Rafi Alam said.
“CHOICE is continuing to call for a specific, fit-for-purpose law to hold businesses accountable as soon as they breach customer privacy.”