The Office of the Australian Information Commissioner (OAIC) has determined that Bunnings Group Limited violated Australian privacy laws by implementing facial recognition technology across 63 of its hardware stores in Victoria and New South Wales between November 2018 and November 2021.
The investigation revealed that the retail chain collected biometric information from hundreds of thousands of customers through CCTV systems without proper consent or notification. This case highlights the growing global concern over retail biometric surveillance, which has become a significant focus of privacy regulators worldwide. Commissioner Carly Kind of the OAIC stated, “Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly.”
The OAIC’s investigation highlighted several compliance failures, including the absence of transparency in privacy policies regarding the collection and use of personal information. The commissioner determined that the deployment of facial recognition technology was disproportionate to the company’s stated security objectives.
“We can’t change our face,” Commissioner Kind explained. “The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.” This aligns with growing global standards for biometric data protection, particularly in retail and financial sectors.
In response to the findings, Bunnings has suspended its use of facial recognition technology. The company maintained that it had attempted to balance privacy obligations with security measures against violent and organized crime.
The Biometrics Institute, a global industry association, responded to the news with an emphasis on the need for a balanced approach to the use of sophisticated security technologies.
“The Bunnings case underscores the critical importance of data privacy,” commented Biometrics Institute CEO Isabelle Moeller. “However, retailers also have a responsibility to ensure the safety of their employees and customers. Biometrics can play an important role in helping achieve this, but only if implemented responsibly and in accordance with data protection regulations.”
The OAIC has ordered Bunnings to destroy all personal and sensitive information collected through the facial recognition system that it still holds after one year. The retailer must also issue a public statement within 30 days and cease using facial recognition technology in its operations. This enforcement action reflects increasing regulatory scrutiny of AI and biometric technologies across various sectors.
Source: Office of the Australian Information Commissioner
November 19, 2024 – by Cass Kennedy and Alex Perala