Written by Despina Bouletos

In a significant development in Australian privacy law, Bunnings Warehouse (“Bunnings”) has been found to have breached its customers’ right to privacy through its use of facial recognition technology in stores. The finding was made by the Office of the Australian Information Commissioner (“OAIC”) earlier this month following a two-year-long investigation. The OAIC determined that Bunnings had breached the privacy of hundreds of thousands of its customers in 63 stores across NSW and Victoria over a three-year time span from 2018 to 2021.

What was the OAIC’s Determination?

A key aspect of the OAIC’s finding was that Bunnings did not obtain consent from each of its customers to use facial recognition technology. That is, targeted customers were not aware, while they were in the store, that facial recognition technology was being utilised by Bunnings and that their private information was being retained.

How was the Data Retained and Used?

The unique “face prints” which were captured by Bunnings’ facial recognition technology are considered sensitive biometric data in accordance with Australia’s privacy laws. The OAIC found that Bunnings had been using the face prints to cross-reference against a database of previous Bunnings customers who were considered to present a security risk, on the basis of inappropriate conduct in stores such as stealing or acting aggressively towards staff. When a face print matched a customer in this database, an alert was generated on Bunnings’ systems.

How has Bunnings Responded?

In its response to the OAIC, Bunnings indicated that it had deployed the facial recognition technology in an attempt to protect the safety of its staff members and customers. Bunnings’ view is that the deployment of the facial recognition software is the quickest and most accurate way to identify and remove individuals who pose a threat to the safety of others in Bunnings stores. Bunnings maintains that the data collected was not used for marketing purposes. Bunnings also advised the OAIC that, where the face print did not generate a match in Bunnings’ database, the data was automatically deleted in less than a second. Bunnings has indicated that it will be seeking a review of the decision of the OAIC.

What Penalty was Imposed?

As a result of the OAIC’s findings, Bunnings was ordered not to deploy its facial recognition software going forward and to destroy any personal and sensitive information that was collected within one year. Bunnings is also required to publish a statement on its website within 30 days apologising, explaining its use of the technology and providing information to customers who may wish to make a complaint in respect of the collection of their data.

Implications

The OAIC’s determination is likely to have significant implications for how Australian businesses use data collection technology in future. Businesses will need to carefully consider how the use of software such as facial recognition may impact upon the privacy of customers, and what frameworks are appropriate for implementing such technologies. This is particularly pressing given that a number of other stores are also deploying facial recognition technology.

Uther Webster & Evans is well-versed in dealing with regulators such as the OAIC and can provide you with detailed advice as to how your business interacts with Australia’s privacy legislation or if you have concerns regarding a privacy breach.

The contents of this post are for informational purposes only. They do not constitute legal advice, are not intended to be a substitute for legal advice and should not be relied upon as such. If you require legal advice or representation, please contact our team.