A seemingly minor decision handed down last week by the Administrative Review Tribunal may open the door to widespread use of facial recognition technology in shops and other privately owned spaces in Australia.
Author
- Margarita Vladimirova
Sessional Academic, Faculty of Law, Monash University
The decision held that Bunnings was entitled to an exception to some rules around the use of facial recognition technology. In particular, it said the hardware giant did not need to seek the consent of customers before using the technology on them.
The tribunal's decision may yet be appealed to the Federal Court - but if it stands, it raises worrying questions about the future of privacy, biometric data, surveillance and consent in Australia.
What the Bunnings case is about
Between January 2019 and November 2021, Bunnings conducted a trial of facial recognition technology across at least 62 stores in Victoria and New South Wales, following an initial two-month pilot in November 2018.
The technology was integrated into in-store security cameras and captured the facial images of all individuals entering the premises. These images were then analysed to generate a searchable database of facial identifiers.
In November 2024 the Privacy Commissioner ruled that Bunnings breached the privacy of "likely hundreds of thousands" of Australians through its use of facial recognition technology.
There were five key points in the finding:
customers did not consent to the collection of their facial information
customers did not know their biometrics were being collected, due to signage that was unclear and sometimes missing
Bunnings lacked relevant staff training on using facial recognition technology
Bunnings lacked clear policy describing how they managed collected personal information, and
the use of the technology was more than the " minimum, reasonably required to mitigate " organised retail crime and threatening situations.
Overall, the use of facial recognition technology on thousands of people to prevent retail crime was declared to be unproportionate. However, the commissioner acknowledged the technology's potential to reduce violence and theft.
The tribunal decision on exception
In its review of the Privacy Commisioner's determination , the Administrative Review Tribunal supported all the Privacy Commissioner's findings but one: the one related to consent.
The tribunal set aside the Privacy Commissioner's finding that Bunnings violated one of the privacy principles by collecting facial information from customers without consent, arguing that Bunnings' actions fall under an exception to the requirement for consent.
What is the exception?
Australia's privacy act protects personal sensitive information, including facial information. It states that such information can be collected only with consent of an individual.
However, there is a list of exceptions provided in section 16 (A) .
The exception the tribunal considers applies to Bunnings is:
the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
The tribunal collected personal testimonies from Bunnings workers. It found the workers reasonably believed the technology is necessary to combat retail crime and protect staff and customers from violence, abuse and intimidation within their stores . These sometimes involved weapons, acts of physical violence or aggression, death threats or other threats of violence.
The future of biometrics and consent
This decision has consequences well beyond Bunnings. It may be crucial to the control of individuals' biometric information in Australia.
If the decision is not appealed to the Federal Court, we may see a future in which retailers and other organisations can use biometric technologies on members of the public without consent. All they will need to justify their actions is a risk-management narrative based on personal statements.
This shift would make consent an optional constraint. It could be displaced whenever biometric surveillance is framed as efficient, preventative or protective.
The Bunnings case risks eroding the basic structure of privacy law.
Biometric data is unique, permanent and non-revocable. Yet the decision treats biometric data collection as dependent on the needs and beliefs of the entity collecting it. The choice of the individuals affected does not come into it.
Privacy law and surveillance
The circumstances of the Bunnings case seem different from what was envisioned in 1988 when the privacy laws were drafted. For example, the OAIC Guidelines of the Privacy Act 1988 focused on more severe cases:
a potentially harmful threat […] such as a threatened outbreak of infectious disease. This allows […] preventative action to stop a serious threat from escalating before it materialises.
[…] if time permits, attempts could be made to seek the consent from the relevant individuals for the collection, use or disclosure, before relying on this permitted general situation.
These guidelines considered consent to be a cornerstone of biometric collection, and not easily waived.
However, if facial recognition becomes normalised, privacy protection becomes more difficult. Data management protocols may need to be tightened, and laws may need to be changed .
The ruling lowers the threshold for more surveillance. If non-consensual biometric processing is accepted in retail, the same logic can apply to workplaces , schools and other public but privately owned spaces. Each expansion can be justified using the same language of safety, deterrence or necessity.
Most importantly, the decision reshapes the meaning of consent itself. Consent risks becoming symbolic rather than operative. It may be formally recognised in law, but practically irrelevant.
Margarita Vladimirova used to work for the Office of the Australian Information Commissioner.
