An investigation by the Office of the Australian Information Commissioner (OAIC) found the retailer had invaded the privacy of hundreds of thousands of customers through the use of the cameras at 63 stores across Victoria and NSW.

“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals,” Privacy Commissioner Carly Kind said.

But Bunnings fired back, with managing director Mike Schneider claiming facial recognition technology (FRT) was only used to protect its team and other customers from “violent, aggressive behaviour”.

He claimed that Bunnings, part of the Wesfarmers group, had processed and deleted the majority of data collected from the facial recognition cameras in “0.00417 seconds”.

“We had hoped that based on our submissions, the commissioner would accept our position that the use of FRT appropriately balanced our privacy obligations and the need to protect our team, customers, and suppliers against the ongoing and increasing exposure to violent and organised crime, perpetrated by a small number of known and repeat offenders,” he said.

“Our use of FRT was never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers from violent, aggressive behaviour, criminal conduct and preventing them from being physically or mentally harmed by these individuals.”

Bunnings said abusive and threatening encounters in its stores had increased by 50 per cent last year.

Mr Schneider said the company, which will seek a review of the OAIC determination, had used facial recognition technology alongside a suite of other measures to protect staff and customers.

The technology was able to recognise past offenders and its loss prevention team would then decide whether to contact store security, managers or call the police.

The Australian Retail Association defended Bunnings, calling on the Privacy Commissioner to overturn its decision.

ARA chief industry affairs officer Fleur Brown said facial recognition technology was widely used across the country in airports and sports stadiums.

“Security measures are vital for employers to help protect staff and customers alike and technology is playing an important role in reducing the impact of crime,” she said.

“We believe this decision from the Privacy Commissioner should be reconsidered with broader consultation from Australian retailers and authorities to ensure staff and customer safety is prioritised.”

The Australian Chamber of Commerce and Industry similarly backed Bunnings, with its chief executive Andrew McKellar adding that the it appeared the company had used the facial recognition technology as a part of “genuine risk mitigation efforts” and those efforts “have been undone by a technicality”.

“Businesses looking to protect their staff could rightly be confused by today’s decision. We look forward to a Tribunal review outcome which enables clarity for business,” said Mr McKellar.

However, Commissioner Kind said Bunnings had failed to properly warn consumers facial recognition technology was in use and found that led to sensitive information being taken without consent over a three-year period from November 2018 to November 2021.

“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” she said.

Under the Privacy Act, images of a person’s face are considered “sensitive information” and can only be collected with consent. The act allows CCTV to be used but not additional software layers or applications that read a person’s face and store or process that data.

Bunnings has been warned by the OAIC and will be forced to publicly display the privacy breach determination across its website for the next 30 days.

That public admission of the use of facial recognition technology was live on the retail giant’s website on Tuesday morning under an ‘about’ section.

The OAIC said Bunnings should have updated its privacy policy and noted that facial recognition technology was “one of the most ethically challenging new technologies in recent years”.

“We acknowledge the potential for facial recognition technology to help protect against serious issues, such as crime and violent behaviour,” Commissioner Kind said.

Despite how useful facial recognition technology was in loss and crime prevention, its use did not trump privacy laws, the OAIC said.

“Any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society,” Commissioner Kind said.

“Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression. However, just because a technology may be helpful or convenient, does not mean its use is justifiable.”

Mr Schneider said that 70 per cent of incidents at Bunnings were caused by the same groups of people.

“While we can physically ban them from our stores, with thousands of daily visitors, it is virtually impossible to enforce these bans. FRT provided the fastest and most accurate way of identifying these individuals and quickly removing them from our stores,” he said.

“The trial demonstrated the use of FRT was effective in creating a safer environment for our team members and customers, with stores participating in the trial having a clear reduction of incidents, compared to stores without FRT. We also saw a significant reduction in theft in the stores where FRT was used.

“We believe that customer privacy was not at risk. The electronic data was never used for marketing purposes or to track customer behaviour. Unless matched against a specific database of people known to, or banned from stores for abusive, violent behaviour or criminal conduct, the electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye.”

More Coverage

Lendlease shareholders back Bunnings boss for turnaround

Ben Wilmot

Lendlease taps ex-Bunnings boss John Gillam as chairman

Ben Wilmot

Originally published as Bunnings facial recognition cameras breached privacy of hundreds of thousands of customers: OAIC