Facial Recognition's Role in Australian Society?

Today my office published a determination which considers the use of facial recognition technology (FRT) in retail environments in Australia. This decision concerned an investigation into Kmart's historical use of FRT to tackle refund fraud and comes on the heels of my decision in October 2024 against Bunnings for its use of FRT in the context of staff and customer security.

In both decisions I found that the respective organisation had not complied with the Privacy Act 1988 (Cth) when rolling out FRT. It may be tempting to suggest that my successive determinations amount to an effective ban on the use of this technology. However, that is incorrect; the Privacy Act is technology-neutral.

FRT systems require the collection of biometric information, which is considered sensitive personal information under the Privacy Act. Collection and use of this information must be proportionate and transparent. If entities are using FRT and other systems to collect biometric information or generate biometric templates, which constitute sensitive information, they need to notify individuals and have their consent, unless an exception applies.

The OAIC has previously published guidance to help entities ensure they're using FRT consistently with the Privacy Act: Facial recognition technology: a guide to assessing the privacy risks.

My decision that Kmart's use of FRT for refund fraud detection was disproportionate in the circumstances provides further guidance on how the regulator will approach this assessment and the matters we will take into account when deciding whether use of FRT is permissible in the circumstances.

As Privacy Commissioner, I will consider each use of FRT that my office investigates on a case-by-case basis, taking into account the specific contextual factors at play. The Kmart determination analyses a different set of facts and circumstances, and indeed a different FRT system altogether, than that considered in the Bunnings decision.

Kmart used FRT in 28 of its stores between June 2020 and July 2022 to detect and prevent refund fraud, and to identify people who had been suspected of committing refund fraud or theft. Everyone who entered the relevant Kmart stores, and everyone who presented to a returns counter during the relevant period, had their facial images captured and analysed by the FRT system. Kmart used the FRT to detect where individuals might be committing refund fraud.

It wasn't contested that, in both the Bunnings and Kmart cases, consent was not obtained. Rather, both organisations sought to rely on exceptions to the requirement for consent, known as the 'permitted general situations' (PGS), which allow organisations to collect, use and disclose sensitive information in certain situations, for example when it is necessary to address unlawful activity or serious misconduct, or to lessen or prevent a serious threat to the life, health or safety of any individual.

My analysis in both determinations primarily focused on the application of the exceptions provided for in the Privacy Act, in the particular facts and circumstances. In the Kmart decision, I concluded that the collection of biometric information on all people who entered the 28 Kmart stores, when only a small proportion may have been involved in or suspected of refund fraud, was a disproportionate interference with privacy. I also considered that the FRT system had limited utility and there were other less privacy-intrusive methods available to address refund fraud.

The effect of this determination is, I hope, to further clarify the threshold for reliance on the exemptions in the Privacy Act in relation to the need to gain consent for the collection of sensitive information. It is a high bar that must be cleared, and for good reason.

The Privacy Act, while acknowledging the rights and interests of businesses in carrying out their reasonable activities, is beneficial legislation that protects both individuals' rights to privacy and the public interest in privacy. It rightly sets robust standards for the collection, use and disclosure of personal information, particularly sensitive information.

While the Privacy Act may have been adopted in 1988, its principles-based nature allows it - and demands of it - to be interpreted in light of new and emerging technologies, many of which have the potential to create fundamental challenges to long-held societal conventions and public expectations. This is not to say that there may not be a proper place for surveillance technologies in public spaces. The interpretation of Privacy Act exemptions enables consideration of a whole range of factors to ascertain whether the use of a technology such as FRT really is necessary.

In exercising my statutory functions I have only considered two discrete examples of FRT operating in a retail environment, and there are other deployments currently underway in Australia, including at airports and as mandated by law in gaming environments in some states to give effect to gambling self-exclusion schemes.

Each deployment will give rise to unique questions that require consideration under the Privacy Act, including: what are individuals' expectations of privacy in certain public places, and how does that change depending on the place? Is this a place that people must go as part of daily life, for example an essential service such as a supermarket or pharmacy, or do they have other choices or alternatives? Is this a technology of convenience - is it being used only because it's cheaper, or as an alternative to employing staff to do a particular role, and are there other less privacy-intrusive means that could be reasonably used?

In the absence of parliamentary intervention to specifically authorise the use of FRT systems without consent, these are the kinds of considerations I will continue to bring to my application of the Privacy Act to these emerging technologies, on a case-by-case basis.
