An investigation by the privacy commissioner has found hardware giant Bunnings “breached Australians’ privacy” through its use of facial recognition technology over a period of three years.

The system used CCTV to capture the faces of “likely hundreds of thousands of individuals” across 62 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021, the Office of the Australian Information Commissioner (OAIC) said.

Bunnings has been ordered to no longer infringe Australians’ privacy and to destroy any information it collected using facial recognition after one year.

Privacy Commissioner Carly Kind said while facial recognition “may have been an efficient and cost-effective option” for Bunnings to address unlawful customer behaviour, its decision to deploy the technology led to it “disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals”.

“Any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society,” she said.

“… Just because a technology may be helpful or convenient, does not mean its use is justifiable.”

Bunnings had collected individuals’ sensitive information without consent, had failed to take reasonable steps to notify customers, and had omitted required information from its privacy policy, the commissioner alleged.

“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” she said.

“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”

Bunnings ‘deeply disappointed’ by findings

Bunnings, which had paused its use of facial recognition during the investigation, said it was “deeply disappointed with the commissioner’s determination” and would seek a review before the Administrative Review Tribunal.

Bunnings’ managing director Mike Schneider said the company believed its use of facial recognition “balanced our privacy obligations and the need to protect our team, customers, and suppliers against the ongoing and increasing exposure to violent and organised crime, perpetrated by a small number of known and repeat offenders”.


Bunnings says it updated signs outside some stores after it began trialling facial recognition. Image: Reddit

The company’s use of facial recognition was “never about convenience or saving money” and reduced the amount of theft and the number of safety incidents in stores which used it, Schneider said in a statement.

“We believe that customer privacy was not at risk,” he said.

“The electronic data was never used for marketing purposes or to track customer behaviour.

“Unless matched against a specific database of people known to, or banned from stores for abusive, violent behaviour or criminal conduct, the electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye.”

Bunnings did acknowledge, however, that it did not mention its use of facial recognition on posters at entrances to its stores when its trial of the technology first began, and said it had later updated the signs and its privacy policy.

Bunnings saw a 50 per cent increase in abuse, threats, and assaults in stores in 2023, and provided examples of such incidents to OAIC, Schneider said.

“We believe that in the context of the privacy laws, if we protect even one person from injury or trauma in our stores, the use of facial recognition has been justifiable,” he said.

Bunnings is part of the Wesfarmers group of companies, which also includes retailers such as Target, Officeworks, Priceline, and Kmart — which is still facing its own investigation into its use of facial recognition technology.

Commissioner Kind said the decision against Bunnings “should serve as a reminder to all organisations to proactively consider how the use of technology might impact privacy and to make sure privacy obligations are met”.

“Organisations should be aware that ensuring the use of emerging technologies aligns with community expectations and regulatory requirements is high among our priorities,” she said.