Today's decision by the Administrative Review Tribunal relating to Bunnings Group Limited's use of facial recognition technology (FRT) is an important reiteration of the key principles and protections contained in Australian privacy law.
The Tribunal affirmed the Privacy Commissioner's finding that Bunnings contravened Australian Privacy Principles (APP) 1 (open and transparent management of personal information) and 5 (notification of the collection of personal information) when rolling out FRT in its stores.
The Tribunal found that Bunnings failed to provide appropriate notice to individuals of its use of FRT and should have completed a 'formal, structured and documented' risk assessment of its FRT system which considered the privacy implications.
The Tribunal also affirmed the Privacy Commissioner's statement of the relevant factors when considering whether Bunnings was entitled to rely on an exemption to the requirement to obtain consent for the collection of personal information, namely whether the FRT was a suitable and effective response to the problem of repeat offenders, whether less privacy-intrusive alternatives were available, and whether the use of FRT was proportionate.
However, the Tribunal departed from the Privacy Commissioner's ultimate finding that Bunnings had contravened APP 3.3 (collection of solicited personal information).
The Tribunal was satisfied that Bunnings was entitled to rely on exemptions to the requirement to obtain consent, for the limited purpose of combatting retail crime and protecting their staff and customers from violence, abuse and intimidation within their stores.
"Today's decision confirms the Privacy Act contains strong protections for individual privacy that are applicable in the context of emerging technologies. It underscored the importance of APP entities maintaining good privacy governance and complying with the Australian Privacy Principles in adopting new tech, and that limited exemptions are subject to robust criteria that must be assessed on a case-by-case basis," said an OAIC spokesperson.
"We particularly welcome that the decision reaffirmed a range of key interpretive positions taken by the OAIC, including that even momentary collection of personal information by advanced digital tools constitutes a collection under the Privacy Act."
"This important decision is consistent with the robust and technologically-neutral approach to privacy regulation enshrined in the Privacy Act and embodied by the OAIC's regulatory approach.
"The Australian community continues to care deeply about their privacy, and is increasingly worried about the challenges in protecting their personal information. The Australian Community Attitudes to Privacy Survey (ACAPS, 2023) found that 62% of Australian see protection of their personal information as a major concern in their life. Only 32% believe they are in control of their privacy, while many say they have no choice but to accept the terms of how services and businesses use their data. 84% of Australians also told the OAIC, that they want more to be done to protect their privacy, giving them more control and choice over the collection and use of their information."
The OAIC is carefully considering this decision and its implications. An appeal period applies to the ART's decision.
