In 2024, I issued a decision that sought to clarify the safeguards applicable to facial recognition technology. Bunnings had been using facial recognition technology for a number of years, across more than 60 stores, in an attempt to tackle serious crime and theft by repeat offenders. I concluded that they had not done so in accordance with the requirements of the Privacy Act. Facial recognition technology is a highly privacy-invasive tool, allowing for the unique identification of individuals in public and semi-public spaces, potentially without their knowledge, and must meet a high bar to be considered lawful under the Privacy Act.
Recently, the Administrative Review Tribunal's Guidance and Appeals Panel provided further guidance in this important matter. I have not filed an appeal of this decision.
In relation to Bunnings' deployment of FRT, the Tribunal pointed to the fact that Bunnings faces a serious problem with violence and theft being committed by repeat offenders, that Bunnings encounters unique threats because of the size and layout of its stores, and that "many of the products on sale at a Bunnings store can be used as a weapon, such as an axe, a screwdriver or a drill." The Tribunal highlighted the data security and minimisation protections in place and concluded that although the use of facial recognition "involves a significant intrusion into the privacy of individuals… Bunnings was entitled to use FRT for the limited purpose of combatting very significant retail crime and protecting their staff and customers from violence, abuse and intimidation within its stores."
Beyond the question of necessity and proportionality, the Tribunal did not disturb the original findings that Bunnings' use of the technology was not properly notified to Bunnings customers, that there weren't appropriate policies and procedures in place to govern its use, and that the Privacy Act's safeguards apply in the context of biometric technologies, even those that only collect and keep personal data for mere milliseconds.
For some time, Australian retailers have expressed a desire and need to deploy facial recognition technology in their respective entities, and have demanded greater certainty about how the Privacy Act applies to this emerging technology. The Tribunal's decision shows that Australian privacy law allows for the balancing of competing interests – the individual and public interests in privacy, on the one hand, and the need to protect public safety and address unlawful activity on the other.
Specific updates to existing guidance will be made to reflect the Tribunal's decision and ensure that retailers have up-to-date information about our regulatory application of the law. Those updates will also emphasise that the decision in Bunnings confirms a high bar for the use of facial recognition technology in Australia, and that entities will need to conduct a detailed risk assessment specific to their circumstances before deploying the technology. Retailers should view the decision as a useful case study, rather than a green light for deployment of biometric technologies.
