Bunnings’ facial recognition technology breached Australians’ privacy, according to a ruling handed down today.
Privacy Commissioner Carly Kind said, following an investigation, it was found Bunnings’ collection of personal and sensitive information through the system “disproportionately interfered with the privacy of everyone who entered its stores”.
Commissioner Kind said the technology, the use of which was paused during the investigation, captured the faces of every person who entered 63 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021.
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” she said.
“We acknowledge the potential for facial recognition technology to help protect against serious issues, such as crime and violent behaviour. However, any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society.”
Commissioner Kind said facial recognition technology may have been an efficient and cost effective option available to Bunnings at the time in its “well-intentioned” efforts to address unlawful activit.
“However, just because a technology may be helpful or convenient, does not mean its use is justifiable.
“In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals,” she said.
Commissioner Kind said as well as addressing issues of proportionality and necessity, the determination highlighted the lack of transparency around Bunnings’ use of facial recognition technology.
She said Bunnings collected individuals’ sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly.
“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”
