Bunnings Facial Recognition

Between November 2018 and November 2021, Bunnings Group Limited (Bunnings) trialled the use of a facial recognition technology (FRT) system at 63 of its stores across Victoria and New South Wales, likely capturing the faces of hundreds of thousands of individuals.  On 29 October 2024, the Office of the Australian Information Commissioner (OAIC) found Bunnings’ use of its FRT system was a breach of Australian privacy laws (OAIC’s Determination).

What is facial recognition technology and how were Bunnings using it?

FRT is a technology many of us rely upon on a daily basis to access our smart phones.  An FRT system collects a digital image of an individual’s face and extracts the individual’s unique facial geometry into a biometric template, or “faceprint”.  An individual’s faceprint is then compared against a database of other faceprints, for the purpose of facial verification or identification.

In the wake of the OAIC’s Determination, Bunnings issued a video where its managing director, Mike Schneider, stated the following:

We used the [FRT system] with the sole and clear intent of keeping our team and our customers safe and preventing unlawful activity by repeat offenders.  When a person walked into one of our trial stores, FRT would scan the person’s face using existing CCTV footage.  This data was compared against a limited database of people who were either banned from our stores or who had previously committed violent or threatening acts.  If a person didn’t match to this offenders database, the data was deleted in less than a blink of an eye.  If a person was identified as a potential match, an alert was sent to a small specially trained team and a member of that team would carry out a manual check and if verified as an accurate match, decide on what steps would be taken to keep our team and customers safe.  This often resulted in calling police to attend our stores.

The video also included extracts of confronting CCTV footage from Bunnings stores depicting individuals displaying threatening and violent behaviour towards Bunnings workers.  When asked about this CCTV footage by 6PR Perth broadcaster Gary Adshead, Privacy Commissioner Carly Kind, who handed down the OAIC Determination, responded:

… your heart goes out to Bunnings staff who are really incredible in countering that kind of violence.  The question that I was asked was to take a step back from the emotion of the situation and ask whether [Bunnings’ use of FRT] was compliant with the law as we have it.

What is the law?

“Biometric templates” and “biometric information that is to be used for the purpose of automated biometric verification or biometric identification” are classified as two forms of “sensitive information” under section 6 of the Privacy Act 1988 (Cth) (Privacy Act).

Under Australian Privacy Principle (APP) 3.3 of the Privacy Act, an APP entity (which Bunnings is) must not collect sensitive information about an individual unless:

  • the individual consents to the collection of the sensitive information and the information is reasonably necessary for one or more of the entity’s functions or activities; or
  • an exception under APP 3.4 applies. 

Bunnings did not provide any evidence that it sought, or otherwise obtained, the consent of customers whose faceprints had been collected.  The stores did not display a prominent physical notice at the entrances expressly stating customers who entered the stores would have their sensitive information collected through an FRT system.  Notices stating video surveillance was in use were found to be insufficient.

Bunnings alternatively asserted an APP 3.4 exception applied as its collection of the customers’ sensitive information was a “permitted general situation” as set out under section 16A of the Privacy Act.  Commissioner Kind was accordingly tasked with determining whether Bunnings reasonably believed the collection of the customers’ personal information was necessary for either of the following permitted general situations.

First Permitted General Situation:

  1. It is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and
  2. the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

Second Permitted General Situation:

  1. The entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
  2. the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.

As previously noted, Bunnings justified its use of the FRT system as a tool to prevent and mitigate unlawful and threatening behaviours in its stores.  Bunnings argued this purpose would be undermined by notifying customers of the FRT system.  Commissioner Kind disagreed, finding that such notification would indeed have the intended preventative effect.  At [215] of the OAIC’s Determination, she stated:

Contrary to the assertion that prominent display of the notice would undermine that proactive approach, I am of the view that such notice would likely act as a warning or a deterrent for individuals who may have otherwise intended to engage in criminal activities or other antisocial behaviour in the respondent's stores.

The lack of individuals’ consent to have their sensitive information collected was one of the reasons Commissioner Kind found Bunnings’ use of the FRT system to be disproportionate to the purported benefit.  Weight was also given to:

  • the wholesale and indiscriminate collection of sensitive information;
  • the type of sensitive information collected and higher level of protection it receives under the Privacy Act;
  • the potential for matched individuals being subjected to different and adverse treatment, regardless of their behaviour, whether falsely matched or otherwise;
  • the covert use of FRT in a retail setting, which individuals would not reasonably expect and which left them with no control over how their sensitive information was handled; and
  • the public interest in potential limitations of FRT relating to bias and discrimination.

Lavan Comment

Under section 52(1A) of the Privacy Act, Commissioner Kind declared Bunnings must not repeat or continue the acts and practices found to be interferences with the privacy of individuals.  In addition to this, Bunnings was required to publish a statement on its website setting out the OAIC’s finding and a detailed description of its former use of the FRT system.

Bunnings, as a body corporate, faced a maximum fine of $50 million.  However, Bunnings was fortunate to avoid a pecuniary penalty completely.  Nevertheless, other APP entities should not take this as any reassurance.  Australian laws are playing catch-up with privacy concerns in public life and this OAIC decision is a landmark and cautionary one.  Next time, the OAIC may not be so kind.

The Litigation and Dispute Resolution team at Lavan has extensive experience in respect of privacy obligations under the Privacy Act.  If you require advice in this area, please contact Iain Freeman to discuss the matter.

Thank you to Freya Surma-Litchfield, Solicitor, for her valuable research and assistance with this article.   
