Bunnings has released a shocking CCTV montage of attacks against its employees after Australia’s privacy watchdog slammed its use of facial recognition surveillance technology.

On Tuesday, the Office of the Australian Commissioner (OAIC) declared home improvement retailer Bunnings “breached Australians’ privacy” by collecting personal, sensitive information through a facial recognition technology system.

The system – which was incorporated into CCTV – captured the faces of “likely hundreds of thousands of individuals” across 63 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021, the commissioner said.

After copping online blowback and being ordered to “not repeat or continue” the acts which “led to interference with individuals’ privacy”, Bunnings retorted with a brutal, CCTV-caught collection of violent attacks against its staff.

One attack shows a staff member suddenly punched in the face, another shows a knife brandished to an employee’s throat, while the worst of the bunch sees a man in a balaclava entering the store with a shotgun.

Speaking with ABC Radio Perth, Bunnings managing director Mike Schneider confirmed the company will challenge the OAIC’s findings.

“Facial recognition alone is not a silver bullet,” said Schneider.

“We’ve seen significant spikes in not only the usual shoplifting we’ve all become accustomed to, but really aggressive violent behaviour.

“We believe this tool, along with the other tools we have, is a really important asset in the fight against this sort of crime.”

A staff member had a knife brandished at their neck by a member of the public. Photo: Bunnings

Meanwhile, social media has been abuzz with Australians second-guessing how far they’re willing to compromise on privacy for the sake of safety.

“I am typically a paid up and proud privacy nut but frankly [the OAIC] decision is bone-headed,” said Euan Prentic, director of cyber security company Cythera.

“I am happy for Bunnings to hold my biometrics for half a second while they determine I’m not a known threat to their staff.”

What’s the alternative?

Speaking with Information Age, vice-chair of the Australian Privacy Foundation, Juanita Fernando, said she didn’t see facial recognition technology as “relevant in protecting staff” given Bunnings stores are in “very public locations” with existing security measures such as CCTV.

“I understand the business objectives behind these technologies, though I don't necessarily appreciate or agree with them,” said Fernando.

“I think it's time businesses realise, we – as in the everyday Australian – are not their objects.”

Thieves knock over a staff member in an effort to escape with stolen goods. Photo: Bunnings

Meanwhile, RMIT associate professor in cyber security, Nalin Arachchilage, posited non-invasive alternatives such as training programs, improved lighting, surveillance cameras and alarm systems to enhance safety.

“Furthermore, privacy-preserving technologies such as restricted data use or anonymous threat detection systems – which detect suspicious behaviours or unusual activities – can be implemented and deployed,” said Arachchilage.

“The recent ruling against Bunnings highlights that while the intention to protect staff is valid, the methods used must comply with privacy laws and respect customer rights.

“It's essential for businesses to balance security measures with ethical considerations and legal requirements.”

A sleeping watchdog

Speaking on the OAIC’s findings, Australian Privacy Foundation chair David Vaile told Information Age the absence of a penalty effectively served as “de facto permission” for Bunnings to have adopted the privacy-breaching surveillance tech.

“What you actually need is a massive fine, not just to wake Bunnings up, but the other giants in breach of privacy too,” said Vaile.

He added the commissioner was acting as a “sleeping watchdog” by neglecting to appropriately exercise its powers.

“When was the last time you heard of a billion-dollar penalty from the OAIC?

“They can do it, they have some of the strongest powers of a judicially created office in the country,” said Vaile.

“Bunnings didn’t even get a wrist-slap.

“If you have an aggressive culture pioneered by a "move fast, break things" mentality, you wind up with little more than reputational risk for the giant companies breaking their privacy obligations.

“It's absurd not to have a penalty for such a massive, deliberate, long-term breach of privacy against the Australian people,” he added.