Australian hardware store chain used facial recognition unlawfully
The Australian hardware store chain Bunnings violated Australia’s privacy laws with its use of facial recognition technology. The determination was made by the Office of the Australian Information Commissioner (OAIC), which announced the findings of its investigation on Tuesday. The company captured sensitive personal data from potentially hundreds of thousands of people, the data protection authority found.
Privacy Commissioner Carly Kind said in a statement that Bunnings had used the technology in 63 stores in the states of Victoria and New South Wales between November 2018 and November 2021.
Cameras captured the face of every person who entered one of these stores – making it likely that the privacy rights of hundreds of thousands of people were infringed upon. The images were compared against a database kept by the retailer that contained photos of people who had previously been banned from Bunnings locations.
Sensitive data
Facial recognition technology processes data considered sensitive under Australia’s Privacy Act – given its sensitivity, this data comes in for special protections. Bunnings, however, processed this sensitive data without obtaining the consent of those affected or sufficiently informing them about how their data was being processed.
Said Privacy Commissioner Kind: “We can’t change our face. The Privacy Act recognizes this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”
Bunnings Managing Director Mike Schneider argued in a response to the OAIC’s decision that the company had begun using facial recognition technology to protect employees and customers from the aggressive behavior of certain individuals.
The OAIC for its part acknowledged that facial recognition technology may help protect from violent behavior. “However,” Kind said, “any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society.”
“Just because a technology may be helpful or convenient, does not mean its use is justifiable,” Kind added. In this case “facial recognition technology was the most intrusive option,” encroaching on the privacy of every customer who entered the stores.
The regulator has instructed Bunnings to delete any facial recognition data it still holds. The company must also publish a statement explaining its actions and advising customers on how to file a complaint.
Bunnings has already announced its intention to seek a review of the decision.
Consumer advocates demand update of data privacy laws
Australian media are calling the regulator’s decision a “landmark finding” that will have substantial consequences for the use of facial recognition by companies in the future.
In 2022, the Australian consumer advocacy organization CHOICE asked major Australian retailers about their use of facial recognition technology and analyzed their privacy policies. CHOICE found that in addition to Bunnings, the department store chain Kmart and the electronics retailer The Good Guys were using the controversial surveillance tool in their stores. CHOICE warned that customers were not being sufficiently informed about the use of the technology – and filed a complaint with the OAIC.
The regulator responded by opening investigations into Bunnings and Kmart. Both retailers paused use of the technology while the OAIC conducted its investigations. The result of the Kmart investigation has yet to be announced.
The Good Guys also stopped using facial recognition in the wake of the CHOICE report. According to media reports, the company has not been investigated.
CHOICE welcomed Tuesday’s decision. Rafi Alam, CHOICE Senior Campaigns and Policy Advisor, said in a statement: “This is a landmark decision that will prompt all businesses to think carefully about the use of facial recognition in Australia going forwards.” He added that Australians had been “shocked and angered” by the use of facial recognition technology by big retailers – but also in “sporting and concert venues, pubs and clubs.”
Kate Bower of CHOICE told ABC News that the decision was a warning to other companies – she was disappointed, however, that the OAIC had chosen not to impose a fine on Bunnings.
CHOICE also criticized Australia’s current data privacy laws, calling them “confusing, outdated and difficult to enforce.” The organization calls for updated legislation. (js)