A facial-recognition technology trial conducted three years ago by national hardware chain Bunnings has been found by the Office of the Australian Information Commissioner (OAIC) to have breached the privacy of customers in Victoria and NSW by collecting “personal and sensitive” information.
The OAIC estimates that Bunnings likely captured the faces of “hundreds of thousands individuals” who entered 63 Bunnings stores in Victoria and NSW between November 2018 and November 2021 without their consent in breach of the Privacy Act.
However, Bunnings plans to fight the finding by seeking a review before the Administrative Review Tribunal of the determination handed down by the OAIC’s Privacy Commissioner.
Bunnings, which has cooperated with the OAIC investigation since it was launched, says the technology “appropriately balanced our privacy obligations and the need to protect our team, customers, and suppliers against the ongoing and increasing exposure to violent and organised crime, perpetrated by a small number of known and repeat offenders”.
“The Commissioner acknowledged that FRT (facial-recognition technology) had the potential to protect against serious issues, such as crime and violent behaviour,” says Bunnings managing director Mike Schneider.
“This was the very reason Bunnings used the technology. Our use of FRT was never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers.
“It was not used in isolation but in combination with various other security measures and tools to deliver a safer store environment.”
When Bunnings trialled its facial-recognition technology in Victorian and NSW stores, Schneider says there were strict controls around its use.
“We know that some 70 per cent of incidents are caused by the same group of people,” he says.
“While we can physically ban them from our stores, with thousands of daily visitors, it is virtually impossible to enforce these bans. FRT provided the fastest and most accurate way of identifying these individuals and quickly removing them from our stores.”
However, Privacy Commissioner Carly Kind says that facial recognition technology is “one of the most ethically challenging new technologies in recent years”.
“We acknowledge the potential for facial recognition technology to help protect against serious issues, such as crime and violent behaviour. However, any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society,” she says.
Kind points out that facial recognition technology was likely the most efficient and cost-effective option for Bunnings to address unlawful activity, including violence and aggression.
“However, just because a technology may be helpful or convenient, does not mean its use is justifiable,” she says.
“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.”

The Privacy Commissioner says her determination highlights a “lack of transparency” around Bunnings’ use of facial recognition technology.
Bunnings was found to have collected sensitive information of individuals without consent, to have failed to take reasonable steps to notify individuals that their personal information was being collected, and to have not included required information in its privacy policy.
However, Bunnings points out that the stores participating in the trial saw a “clear reduction of incidents, compared to stores without FRT”.
“We also saw a significant reduction in theft in the stores where FRT was used,” says Schneider.
“We believe that customer privacy was not at risk. The electronic data was never used for marketing purposes or to track customer behaviour.
“Unless matched against a specific database of people known to, or banned from stores for abusive, violent behaviour or criminal conduct, the electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye.”
Schneider says the facial-recognition technology was implemented in response to rising challenges for retailers across the sector where “abuse, threats and assaults in stores continue to rise, with a 50 per cent increase at Bunnings last year alone”.
Theft is considered to be a major driver of abusive or threatening encounters, with one in five instances of recorded theft in Bunnings stores also involving verbal or physical abuse towards team members.
“Statistics don’t convey the real impact it has on the lives of our team and our customers, and we provided the OAIC with numerous examples of violent and abusive situations in our stores,” says Schneider.
“We are deeply disappointed with the Commissioner’s determination, given the significant amount of information shared which illustrated the risks to our team and customers from anti-social behaviour.
“Everyone deserves to feel safe at work. No one should have to come to work and face verbal abuse, threats, physical violence or have weapons pulled on them.”
In reaching its determination, the OAIC notes governance shortcomings by Bunnings in that it failed to take reasonable steps to implement practices, procedures and systems required to comply with the Privacy Act.
The privacy commissioner also points out that Bunnings has been cooperative throughout the investigation and suspended the use of facial recognition technology pending the outcome.
Among the orders made by the Commissioner, Bunnings must not repeat or continue the acts and practices that led to the interference with individuals’ privacy.
“This decision should serve as a reminder to all organisations to proactively consider how the use of technology might impact privacy and to make sure privacy obligations are met,” says Kind.
“Organisations should be aware that ensuring the use of emerging technologies aligns with community expectations and regulatory requirements is high among our priorities.”


