fbpx
Data

Unfair suck of the saveloy: regulator says Bunnings breached customer privacy with facial recognition technology

- November 19, 2024 3 MIN READ
Bunnings.
Where lowest privacy is just the beginning. Photo: AdobeStock
The use of facial recognition technology in Bunnings stores across Victoria and NSW over three years was a breach of privacy and consent laws, Australian Privacy Commissioner Carly Kind has ruled.

The landmark decision on breaches to the Privacy Act follows a two-year investigation by the Office of the Australian Information Commissioner, which found that Bunnings failed to take reasonable steps to implement practices, procedures and systems required to comply with the Privacy Act.

Commissioner Kind also concluded that Bunnings collected sensitive information on customers without consent, failed to take reasonable steps to notify them that their personal information was being collected, and did not include required information in its privacy policy.

Bunnings used CCTV to capture the faces of everyone – likely hundreds of thousands of people– who entered 63 stores in the two states between November 2018 and November 2021.

Kind said that facial recognition technology is one of the most ethically challenging new technologies to emerge in recent years, and any possible benefits need to be weighed against the impact on privacy rights, as well as society’s collective values.

“Facial recognition technology may have been an efficient and cost effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression,” she said.

“However, just because a technology may be helpful or convenient, does not mean its use is justifiable. In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.”

The investigation into Bunnings was sparked by a 2022 investigation by consumer lobby group CHOICE into the hardware chain’s use of facial recognition tech.

CHOICE policy advisor Rafi Alam said the decision should prompt all businesses to think carefully about the use of facial recognition in Australia.

“We know the Australian community has been shocked and angered by the use of facial recognition technology in a number of settings, including sporting and concert venues, pubs and clubs, and big retailers like Bunnings,” he said.

“While the decision from the OAIC is a strong step in the right direction, there is still more to be done. Australia’s current privacy laws are confusing, outdated and difficult to enforce.”

Alam said that in the two years the Bunnings investigation has been underway, the use of facial recognition technology has grown dramatically in business.

“CHOICE is continuing to call for a specific, fit-for-purpose law to hold businesses accountable as soon as they breach customer privacy, and protect consumers from the harms that can occur without proper and clear regulation of facial recognition technology,” he said.

The commissioner made a similar point is saying there was a lack of transparency around its deployment at Bunnings, along with governance shortcomings.

“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” Kind said.

“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”

Bunnings cooperated with the investigation and paused its use of facial recognition technology pending the outcome.

The Commissioner has ordered that Bunnings must not repeat or continue the acts and practices that led to the interference with individuals’ privacy.

“This decision should serve as a reminder to all organisations to proactively consider how the use of technology might impact privacy and to make sure privacy obligations are met,” said Commissioner Kind.

Bunnings can seek review of the determination.

The Office of the Australian Information Commissioner has published a new privacy guide for businesses considering using facial recognition technology in a commercial or retail setting.