Australia’s largest hardware retailer Bunnings has been granted permission to use facial recognition technology (FRT) on people entering its stores.

Following a nearly four-year-long spat between the retailer and Australia’s privacy commissioner, the Administrative Review Tribunal overturned a 2024 ruling that Bunnings invaded the privacy of customers by scanning their faces on-premises.

After a brief single-store trial of the tech, Bunnings deployed FRT in 62 stores across New South Wales and Victoria between early 2019 and late 2021.

An Office of the Australian Information Commissioner (OAIC) investigation later determined the CCTV-linked system captured the faces of “likely hundreds of thousands of individuals”, which were then checked against a database of people who had been banned from entering Bunnings stores.

Though Bunnings managing director Mike Schneider said any data which didn’t match a banned person was typically deleted in “0.00417 seconds – less than the blink of an eye”, the privacy commissioner insisted Bunnings had breached privacy laws through its collection of personal information.

Last week, however, the tribunal found there was a “permitted general situation” in relation to Bunnings’ collection of personal information via FRT – effectively overturning the commissioner’s prior ruling.

In a statement provided to Information Age, Schneider welcomed the decision and emphasised the retailer’s intent in trialling this technology was “to help protect people from violence, abuse, serious criminal conduct and organised retail crime”.

Information Age understands Bunnings, which pulled FRT from its stores in mid-2022, aims to reintroduce the technology within the next 18 months.

One bad egg, 100 surveilled customers

The commissioner initially ruled against Bunnings in late 2024, alleging the retailer collected sensitive information without consent and failed to take reasonable steps to notify its customers.

Bunnings famously retaliated by releasing a shocking CCTV montage of violent or intimidating incidents against its staff.

The company soon after sought a review before the tribunal, which on Wednesday determined Bunnings was entitled to use facial recognition for the “limited purpose of combatting very significant retail crime” and “protecting their staff and customers from violence, abuse and intimidation within its stores”.

During its review, the tribunal heard statements from store managers in Box Hill and Broadmeadows as evidence.

“[He] frequently dealt with theft and/or threatening behaviour towards him or his team members,” the tribunal said of a Box Hill manager.

“This kind of threatening or abusive behaviour occurred every two to three days on average and caused team members to be visibly shaken and upset.”

The Broadmeadows manager meanwhile estimated an average of approximately one violent, threatening and/or aggressive incident in store each day.

The tribunal found the specific technology used by Bunnings “limited” the impact on customer privacy “so as not to be disproportionate when considered against the benefits of providing a safer environment” for people in its stores.

Notably, Bunnings national security manager Alexander MacDonald conceded the “vast majority” of security incidents were perpetrated by persons not in its existing database.

“He accepted that even amongst those on the database, FRT was ineffective when someone wore a facemask or covered their face,” the tribunal said.

“Whilst accepting these limitations, Mr MacDonald steadfastly maintained that FRT was necessary to combat repeat offenders who represented a significant proportion of theft and other unlawful activity.”

The tribunal also heard that Bunnings calculated, on average across each financial year, at least 66 per cent of theft loss was attributable to the top 10 per cent of offenders.

Tribunal dissatisfied with notification practices

Notably, the tribunal agreed Bunnings had failed to appropriately notify visitors they were being subjected to face scans.

Specifically, a privacy poster displayed at various places in stores “made no reference to Bunnings’ use of the FRT system” and was deemed “insufficient” to meet the company’s privacy obligations.

A separate entry notice which stated ‘video surveillance, which may include facial recognition, is utilised’ at relevant stores likewise failed to appropriately notify customers about the collection of personal information.

“The Tribunal recognised the need for practical, common-sense steps to keep people safe,” said Schneider.

“It also identified areas where we didn’t get everything right, including around signage, customer information, processes and our privacy policy, and we accept that feedback.”

Lyn Nicholson, general counsel at national law firm Holding Redlich, said the tribunal’s decision provided “important clarification” on how the Privacy Act applied to FRT in retail settings.

“This week’s decision establishes that the Privacy Act does not impose a blanket prohibition on the use of facial recognition technology,” said Nicholson.

“Its lawful use depends on a reasonable suspicion of unlawful activity and a proportionate response to that risk.

“In this case, the Tribunal accepted that the scale and nature of violence and theft in Bunnings’ stores, including repeat offending, as well as features of the store environment such as multiple entry and exit points and the availability of items capable of being used as weapons, justified a targeted security response.”

OAIC announced it is carefully considering the tribunal’s decision and its implications.

“An appeal period applies to the Administrative Review Tribunal’s decision,” wrote OAIC.