Bunnings faces off against the Privacy Commissioner over facial recognition technology

23 February 2026
Jonas Schulz Mark Metzeling
Reading time: 10 mins

As Australian businesses increasingly turn to new technologies to mitigate risk, the boundaries of what is permissible under the Privacy Act 1988 (Cth) (Privacy Act) are being tested like never before. The recent Administrative Review Tribunal (ART) decision involving Bunnings’ use of facial recognition technology illustrates this shift. It was held that Bunnings’ use of facial recognition technology did not breach Australian Privacy Principle (APP) 3.3 concerning the collection of sensitive information under the Privacy Act.

The ART’s decision reinforces that while privacy-impacting technologies can be justified in certain circumstances, businesses should not treat this as blanket approval. Organisations should take a cautious approach when implementing these technologies by regularly assessing risks and communicating with customers to ensure compliance and maintain trust.

How Bunnings used facial recognition technology

In 2018 Bunnings introduced facial recognition technology to reduce retail crime and harm against its staff, collecting biometric information from customers in a select number of its stores. The Privacy Act classifies biometric information as sensitive information, that is, personal information that is sensitive in nature and must therefore be afforded greater protection.

The technology worked by capturing images of customers as they walked into its stores and then matching those images against a database of persons Bunnings considered to be high risk. If the system returned a match, Bunnings’ National Investigation Team was notified by email. If no match was returned, the information was immediately deleted.

Bunnings communicated to its customers that it had implemented the facial recognition technology by placing an entry poster and a privacy poster around its stores.

On 29 October 2024 the Privacy Commissioner issued a determination, finding that Bunnings:

  • collected sensitive information when it was not permitted to,
  • did not notify customers of its collection of personal information,
  • did not implement appropriate practices, procedures and systems to comply with its obligations under the Australian Privacy Principles (APPs), and
  • did not have a clearly expressed and up-to-date privacy policy.

Bunnings applied to the ART for a review of the Privacy Commissioner’s determination, seeking to overturn the Privacy Commissioner’s findings on the above four issues.

Issue 1: Was Bunnings’ collection of sensitive information legally permissible?

Bunnings’ use of facial recognition technology raised the question of whether its collection of sensitive information was permitted under an exception. APP 3.3 prohibits organisations from collecting sensitive information unless an exception under APP 3.4 applies, such as a “permitted general situation”. These situations are outlined within section 16A of the Privacy Act. In this case, the relevant circumstance is where:

  • the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
  • the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.

The ART accepted that Bunnings had a “very serious problem with violence and theft being committed by repeat offenders”, satisfying the first limb.

The ART next considered whether Bunnings held a “reasonable belief” that implementing facial recognition technology was necessary to take appropriate action in the matter. In assessing the second limb, the ART considered several factors, including:

  • Bunnings’ reasonable belief, as informed through its senior management,
  • whether facial recognition technology was suitable for the purpose of its introduction,
  • whether there were any alternative systems that Bunnings could have introduced, and
  • whether the introduction of facial recognition technology was proportionate to the issue being faced.

The ART concluded that Bunnings held the reasonable belief that facial recognition technology was necessary to take appropriate action against the violence and theft affecting its stores and therefore did not contravene APP 3.3. The ART also noted that the use of facial recognition technology involved a significant invasion of individuals’ privacy. However, it considered this impact to be minimised because the information was permanently deleted after the matching assessment and could not be accessed thereafter. The ART noted the emphasis the Privacy Act places on the entity holding a reasonable belief that the collection is necessary.

Ultimately, a business does not need to prove that the collection of information was necessary, only that it reasonably believed it was necessary at the time. However, an entity can contravene the Privacy Act if it fails to conduct the necessary due diligence to form that reasonable belief, even if the collection later turns out to have been necessary.

Issue 2: Did Bunnings properly notify customers about facial recognition data collection?

The ART held that Bunnings had not adequately notified consumers of its collection by using the entry posters and privacy posters, failing to meet the notification standard required under APP 5.1.

To comply with APP 5.1, an entity needs to ensure that:

  • The entity clearly states how the information is collected.
    A business cannot expect customers to draw inferences. For example, if a business is specifically using “facial recognition technology”, then vaguely stating that the business uses “video surveillance” is not enough.
  • The entity clearly states the purpose of collection.
    For example, if a business uses facial recognition technology to combat violence and theft in-store, stating the purpose of collection as “completing transactions, tailoring advertising and tailoring customer’s shopping experience” is not sufficient.
  • The entity uses specific and accurate language.
    Using imprecise language such as “may” does not convey to customers that the business is, in fact, collecting their information.

This raises several important lessons for all businesses, discussed further below.

Issue 3: Did Bunnings implement sufficient compliance systems?

The ART held that Bunnings did not take reasonable steps to implement sufficient practices, procedures and systems to ensure that Bunnings complied with the APPs.

Although Bunnings sought legal advice, provided some training for its staff, limited staff access to the facial recognition technology, and subsequently developed minimum standards, these measures were insufficient to comply with APP 1.2. The ART expressed that it “would have been reasonable in the circumstances for Bunnings to conduct a formal, structured and documented risk assessment of the [facial recognition technology] from the outset”.

This finding brings further focus to the importance of conducting, formalising and documenting Privacy Impact Assessments for particularly high-risk activities that may impact the privacy of individuals.

Issue 4: Was Bunnings’ privacy policy up to date?

Bunnings’ privacy policy did not specifically refer to its use of facial recognition technology and instead described only the more general activity of video surveillance. Thus, the ART held that it had contravened APP 1.3.

A business’ privacy policy must be sufficiently tailored so that it accurately reflects what personal information is collected and for what purpose.

What the ART’s decision means for businesses

This case highlights the contrast between the operational interests of businesses and the protection of individuals’ personal information under the Privacy Act. While the ART accepted that Bunnings reasonably believed that its collection of sensitive information was necessary (and acknowledged that Bunnings had taken steps to minimise the intrusion into the privacy of individuals), it was still held that Bunnings had contravened the Privacy Act.

In particular, Bunnings should have:

  • taken greater steps to notify customers of the collection of their personal information;
  • provided clearer information regarding what was being collected and the legitimate purpose(s) for those collections before the information was obtained;
  • conducted formal, structured, and documented risk assessments prior to implementing the technology (and thus prior to collecting the information); and
  • updated its privacy policy to accurately reflect its business practices.

This decision also serves as a reminder that privacy compliance isn’t something organisations can set once and forget. As technology evolves and expectations around privacy continue to rise, businesses must review their practices regularly and ensure their policies and processes are kept up to date so that they are well-placed to avoid future compliance risks.

If your business is implementing new technologies or intends to collect personal or sensitive information from your customers, it is important to ensure that it is done correctly. Appropriate due diligence should be completed beforehand. Macpherson Kelley is an industry leader in this space, providing advice and assisting businesses to meet their obligations under the Privacy Act. Please contact Mark Metzeling or any of our privacy experts for further guidance.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
