A two-year investigation has led Australia’s privacy commissioner to issue a landmark finding against the country’s largest hardware retailer, Bunnings, for using facial recognition technology in 387 stores without informing customers.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” Australian Privacy Commissioner Carly Kind said.
The commissioner found Bunnings interfered with the privacy of hundreds of thousands of customers across 63 of its New South Wales and Victoria stores between Nov. 6, 2018 and Nov. 30, 2021.
Bunnings Responds
Bunnings published a statement (pdf) in response to the allegations, but it’s not the mea culpa the commissioner demanded.The conglomerate says it will seek a review of OAIC’s ruling before the Administrative Review Tribunal and justifies deploying the technology because “keeping our team, customers, and suppliers safe in and around our stores is our number one priority.”
“Our use of [facial recognition technology] was never about convenience or saving money but was all about safeguarding our business and protecting our team, customers, and suppliers from violent, aggressive behaviour, criminal conduct and preventing them from being physically or mentally harmed by these individuals.
“It was not used in isolation but in combination with various other security measures and tools to deliver a safer store environment.”
In July, after consumer watchdog group Choice alerted the Office of the Australian Information Commissioner (OAIC) to the practice, the OAIC opened investigations into the personal information handling practices of Bunnings, Kmart Australia, and Good Guys Discount Warehouses. Bunnings and Kmart are both owned by Wesfarmers.
Privacy Policy Not Enough: Commissioner
Wesfarmers’ privacy policy warns customers that some of the ways it collects data include “images from video surveillance, body cameras and other cameras used in and around our stores (including in car parks, pick up areas, store entrances and publicly accessible spaces).”As well as “images from facial recognition software,” and that it may go so far as to use “inferred information and characteristics as a result of undertaking data analysis” on such images.
However, the privacy commissioner held this policy was insufficient, given that most people will not go to a store’s website and read that information.
Instead, Bunnings was obliged by the law to gain proper consent to use the technology on them.
Data Deleted in Less Than a Second: Bunnings
Bunnings used software that scanned customers’ faces in the store and then compared the biometric data against a list of “enrolled individuals” who it knew, or suspected, had been a security risk in the past, either by behaving violently or stealing.
In cases where the system found a match, an alert was generated, but if it didn’t, the data was automatically deleted in “0.00417 seconds,” Bunnings told investigators.
When Choice first made the allegation, Bunnings Managing Director Mike Schneider also defended using the technology.“When we have customers berate our team, pull weapons, spit, or throw punches, we ban them from our stores—but a ban isn’t effective if it’s hard to enforce,” he said at the time.
The commissioner said she had considered the security benefits but ultimately decided it didn’t justify the invasion of privacy.
“Just because a technology may be helpful or convenient, does not mean its use is justifiable,” Kind said.
A 2020 survey by the OAIC which looked at community attitudes to surveillance (including biometrics, artificial intelligence, and location data) confirmed that privacy is a major concern for 70 percent of Australians.Sixty-six percent said they would be reluctant to provide biometric information to a business, organisation, or government.
