By David Swan and Jessica Yun
Bunnings says it will seek a review of the privacy commissioner’s determination that it breached the privacy of hundreds of thousands of customers using facial recognition technology (FRT).
The company said it would go to the Administrative Review Tribunal, arguing the technology’s use appropriately balanced privacy with the need to protect staff against violent and organised crime.
Between 2018 and 2021, Bunnings took the data of customers’ faces and compared them against a database of individuals the company had deemed a potential risk due to past crime or violent behaviour.
“We know that some 70 per cent of incidents are caused by the same group of people,” Bunnings managing director Mike Schneider said.
“While we can physically ban them from our stores, with thousands of daily visitors, it is virtually impossible to enforce these bans. FRT provided the fastest and most accurate way of identifying these individuals and quickly removing them from our stores.”
Schneider said stores that participated in the trial had seen a clear reduction in violent incidents. He said abuse, threats and assaults had increased by 50 per cent in Bunnings stores in the last year alone.
“We believe that customer privacy was not at risk. The electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye,” he said.
An investigation by Australia’s privacy commissioner found Bunnings used CCTV cameras to capture the face of every person who entered 63 stores in Victoria and NSW between November 2018 and November 2021, collecting sensitive information without customer consent and without properly notifying customers their personal information was being collected.
Bunnings acknowledged that when it started using FRT it did not inform customers on its conditions of entry poster, but said that during the trial it started referring to its use of FRT on both its entry sign and in its privacy policy.
Privacy commissioner Carly Kind said Bunnings had failed to comply with the Privacy Act, and ordered the company to not repeat or continue the practices, and destroy all the information collected via the facial recognition system. The company was not fined.
Kind said Bunnings had been co-operative throughout the investigation and paused its use of facial recognition technology pending the outcome.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” she said.
The Privacy Act classes facial images and other biometric information as sensitive information, Kind says, giving it a high level of privacy protection, including that consent is generally required for it to be collected.
“We acknowledge the potential for facial recognition technology to help protect against serious issues, such as crime and violent behaviour. However, any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society.
“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.”
The Office of the Australian Information Commissioner (OAIC) opened an investigation into Kmart for its use of FRT at the same time as the Bunnings investigation. The Kmart investigation is ongoing. Wesfarmers, which operates Kmart, Bunnings and Officeworks, confirmed Officeworks does not use the technology.
Australian Retailers Association chief industry affairs officer Fleur Brown said technology played an important role in security measures vital to the safety of customers and employees, who are facing higher rates of aggravated abuse and assault. She urged Kind to review her decision, saying FRT was already used in Australia and overseas in places such as airports and stadiums to identify repeat offenders and allow safety measures to be taken.
“We believe this decision from the privacy commissioner should be reconsidered with broader consultation from Australian retailers and authorities to ensure staff and customer safety is prioritised,” Brown said.
Lisa Asher, a retail expert from the University of Sydney Business School, has recently completed a large research report on Bunnings’ business practices and use of technology.
She said that facial recognition technology had been widely implemented in many large-format stores including supermarkets and Bunnings, which the retailers said was in response to high levels of theft and for staff safety.
“We are seeing technology outpace privacy laws, and we have an opportunity to re-examine the laws in the context of data privacy. A review of data privacy laws considering these technologies should take place to ensure that consumers are protected, and that data adheres to strict standards.”