Bunnings' implementation of facial recognition technology as a preventive measure against crime and violent behaviour was found to have breached Australia’s privacy laws.
The Office of the Australian Information Commissioner (OAIC) found the retailer had analysed the faces of “hundreds of thousands” of customers across 62 stores in NSW and Victoria between November 2018 and November 2021.
Individuals’ facial images were compared against those of individuals Bunnings had enrolled in a database who had been identified as posing a risk, for example, due to past crime or violent behaviour, according to the OAIC.
Facial recognition and biometric information are both classed as sensitive information under the Privacy Act.
The commissioner found that Bunnings breached customers’ privacy by capturing their sensitive information without consent.
Bunnings failed “to take reasonable steps to notify individuals” about their personal information being collected as well as “implement practices, procedures and systems” to comply with Australia’s privacy laws.
Lastly, the retailer did not include its collection, holding and use of personal information in existing privacy policies.
Bunnings has now been ordered to destroy all personal and sensitive information collected via the facial recognition technology system that it still holds after one year.
It must also make a public statement in the next 30 days on the issue, and refrain from using the technology again.
Bunnings has already said it will seek review of the determination.
In a statement, published on its website [pdf], the retailer said it had "hoped that based on our submissions, the commissioner would accept our position that the use of [facial recognition technology] appropriately balanced our privacy obligations and the need to protect our team, customers, and suppliers against the ongoing and increasing exposure to violent and organised crime, perpetrated by a small number of known and repeat offenders."
Bunnings, which is owned by ASX-listed Wesfarmers, added that the technology was trialled in "a limited number" of stores and had "strict controls around its use".
The OAIC opened the case in 2022 following a CHOICE investigation of the country’s 25 largest retailers, which included Kmart and The Good Guys.
The investigation into The Good Guys was later dropped while the one into Kmart remains ongoing.
“We can’t change our face,” the OAIC’s commissioner Carly Kind said.
“The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.
“Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression.
“However, just because a technology may be helpful or convenient, does not mean its use is justifiable."
