Sausage watch: What are the implications of this week’s Bunnings facial recognition ruling?

The Aussie hardware giant has been given the go-ahead to use facial recognition technology in its stores to fight crime – but what does this mean for the Privacy Act, business, and ordinary Australians?

Fri, 06 Feb 2026
This week, beloved hardware store and sausage sizzle destination, Bunnings, won its appeal against a 2024 ruling by the Australian Privacy Commissioner that found the store’s use of facial recognition technology was a violation of customer privacy.

Bunnings had been using the technology to combat ever-growing and violent criminal behaviour impacting the store and its staff, and will now be allowed to do so again.

The Administrative Appeals Tribunal ruled this week that Bunnings could use FRT for “the limited purpose of combating very significant retail crime and protecting their staff and customers from violence, abuse and intimidation within its stores”.

But what are the implications of this new ruling for the Privacy Act, and what does it mean for businesses and consumers?

A targeted security response…

Lyn Nicholson, general counsel at law firm Holding Redlich, told Cyber Daily the decision “provides important clarification on how the Privacy Act applies to the use of facial recognition technology in retail settings”.

“This week’s decision establishes that the Privacy Act does not impose a blanket prohibition on the use of facial recognition technology. Its lawful use depends on a reasonable suspicion of unlawful activity and a proportionate response to that risk,” Nicholson said.

“In this case, the Tribunal accepted that the scale and nature of violence and theft in Bunnings’ stores, including repeat offending, as well as features of the store environment such as multiple entry and exit points and the availability of items capable of being used as weapons, justified a targeted security response.”

Nicholson added that the ruling also provided guidance in terms of proportionality and the Privacy Act.

“The Tribunal assessed proportionality by reference to the seriousness of the harm being addressed, the limited purpose for which the technology was deployed, and the extent to which privacy impacts were mitigated through system design,” Nicholson said.

“The Tribunal placed weight on safeguards such as the immediate deletion of non-matching images and the absence of broader tracking or identification of customers.”

The decision, according to Nicholson, also reinforced the fact that just because collecting such information may be lawful, it still does not remove any obligations under the Australian Privacy Principles.

“The Tribunal agreed with the Privacy Commissioner that Bunnings failed to meet transparency and notification requirements, including by not adequately disclosing the kinds of personal information collected and how that information was handled,” Nicholson said.

“Taken together, the ruling illustrates that organisations seeking to rely on exceptions under the Privacy Act must be able to substantiate the risk, demonstrate why biometric collection is warranted, and ensure that privacy policies and customer notifications accurately reflect how the technology operates.”

… Or a wider threat?

On the other hand, Eddie Major, AI Learning and Teaching Coordinator at Adelaide University, was less sanguine concerning the decision.

“This is the wedge – mass biometric surveillance without consent is now lawful in Australia for preventing crime,” Major said in a post to LinkedIn.

“While it does not open the door to broad surveillance for other purposes, such as behavioural profiling, it sets an important precedent. Australia doesn’t have AI-specific legislation, so cases like these are likely to have significant watershed impacts.”

Major added that while this may be a win for Bunnings, several other Australian businesses were continuing to employ facial recognition unlawfully. In particular, he highlighted the use of FRT in gambling venues to recognise high-value customers, alongside the use of Chinese AI camera technologies that – while banned in countries such as the United States – are still being used locally.

“I expect the scope to grow,” Major said, “with deployment of systems designed to predict behaviour and intent, based on inference of visual attributes, and extract maximal commercial value accordingly.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
