Media release – Office of the Australian Information Commissioner, 19 November 2024

Privacy Commissioner Carly Kind has found Bunnings Group Limited breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.

The system, via CCTV, captured the faces of every person – likely hundreds of thousands of individuals – who entered 63 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021.

“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Commissioner Kind said.

“We acknowledge the potential for facial recognition technology to help protect against serious issues, such as crime and violent behaviour. However, any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society.

“Facial recognition technology may have been an efficient and cost effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression. However, just because a technology may be helpful or convenient, does not mean its use is justifiable.

“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals,” said Commissioner Kind.

As well as addressing issues of proportionality and necessity, the determination highlights the lack of transparency around Bunnings’ use of facial recognition technology.

Commissioner Kind found Bunnings collected individuals’ sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy.

“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” said Commissioner Kind.

“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”

The determination also points to governance shortcomings, with Commissioner Kind finding Bunnings failed to take reasonable steps to implement practices, procedures and systems required to comply with the Privacy Act.

Bunnings has been cooperative throughout the investigation and paused its use of facial recognition technology pending the outcome. The Commissioner has made various orders, including that Bunnings must not repeat or continue the acts and practices that led to the interference with individuals’ privacy.

“This decision should serve as a reminder to all organisations to proactively consider how the use of technology might impact privacy and to make sure privacy obligations are met,” said Commissioner Kind.

“Organisations should be aware that ensuring the use of emerging technologies aligns with community expectations and regulatory requirements is high among our priorities.”

Bunnings has the right to seek review of the determination.

To assist businesses to meet privacy obligations, the Office of the Australian Information Commissioner has published a new privacy guide for businesses considering using facial recognition technology in a commercial or retail setting.

Commissioner Kind has published a blog post with further takeaways for other retailers considering using facial recognition technology.

Media release – Choice, 19 November 2024

Choice responds to results of OAIC investigation

Following Choice’s 2022 investigation into Bunnings’ use of facial recognition technology, the Office of the Information Commissioner (OAIC) has today announced that Bunnings has breached the Privacy Act.

The OAIC has declared Bunnings must not repeat or continue any practices which interfere with individuals’ privacy, including the collection of facial images without consent. The retailer must also destroy all sensitive data collected via its facial recognition system.

“We are very pleased to hear the Information Commissioner has determined that Bunnings has breached the Privacy Act, following its controversial use of facial recognition technology in stores across the country. This is a landmark decision that will prompt all businesses to think carefully about the use of facial recognition in Australia going forwards,” says Choice Senior Campaigns and Policy Advisor, Rafi Alam.

“We know the Australian community has been shocked and angered by the use of facial recognition technology in a number of settings, including sporting and concert venues, pubs and clubs, and big retailers like Bunnings,” says Alam.

“While the decision from the OAIC is a strong step in the right direction, there is still more to be done. Australia’s current privacy laws are confusing, outdated and difficult to enforce. Choice first raised the alarm on Bunnings’ use of facial recognition technology over two years ago, and in the time it took to reach today’s determination the technology has only grown in use,” says Alam.

“Choice is continuing to call for a specific, fit-for-purpose law to hold businesses accountable as soon as they breach customer privacy, and protect consumers from the harms that can occur without proper and clear regulation of facial recognition technology,” says Alam.

Read Choice’s 2022 investigation into facial recognition here: https://www.choice.com.au/facialrecognition

Sign the petition to rein in facial recognition here: www.choice.com.au/facialrecognitionpetition

Media release – Bunnings, 19 November 2024

Bunnings to seek review of the Privacy Commissioner’s Determination

Bunnings will seek review of the Privacy Commissioner’s Determination, before the Administrative Review Tribunal following its investigation into our trial of facial recognition technology (FRT).

We had hoped that based on our submissions, the Commissioner would accept our position that the use of FRT appropriately balanced our privacy obligations and the need to protect our team, customers, and suppliers against the ongoing and increasing exposure to violent and organised crime, perpetrated by a small number of known and repeat offenders.

The Commissioner acknowledged that FRT had the potential to protect against serious issues, such as crime and violent behaviour. This was the very reason Bunnings used the technology.

Our use of FRT was never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers from violent, aggressive behaviour, criminal conduct and preventing them from being physically or mentally harmed by these individuals. It was not used in isolation but in combination with various other security measures and tools to deliver a safer store environment.

FRT was trialled at a limited number of Bunnings stores in Victoria and New South Wales between 2018-2021, with strict controls around its use, with the sole and clear intent of keeping team members and customers safe and preventing unlawful activity. We know that some 70 per cent of incidents are caused by the same group of people. While we can physically ban them from our stores, with thousands of daily visitors, it is virtually impossible to enforce these bans. FRT provided the fastest and most accurate way of identifying these individuals and quickly removing them from our stores.

The trial demonstrated the use of FRT was effective in creating a safer environment for our team members and customers, with stores participating in the trial having a clear reduction of incidents, compared to stores without FRT. We also saw a significant reduction in theft in the stores where FRT was used.

We believe that customer privacy was not at risk. The electronic data was never used for marketing purposes or to track customer behaviour. Unless matched against a specific database of people known to, or banned from stores for abusive, violent behaviour or criminal conduct, the electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye.

Every day we work hard to earn the trust of our team, suppliers, and customers and this includes keeping people safe in and around our stores. It’s our highest priority and a responsibility we take very seriously.

Across the retail sector, abuse, threats and assaults in stores continue to rise, with a 50 per cent increase at Bunnings last year alone.

Statistics don’t convey the real impact it has on the lives of our team and our customers, and we provided the OAIC with numerous examples of violent and abusive situations in our stores. We are deeply disappointed with the Commissioner’s determination, given the significant amount of information shared which illustrated the risks to our team and customers from anti-social behaviour.

Everyone deserves to feel safe at work. No one should have to come to work and face verbal abuse, threats, physical violence or have weapons pulled on them.