Bunnings breached the privacy of potentially hundreds of thousands of Australians through the use of facial recognition technologies in stores to scan every customer on entry that were aimed at addressing theft or store safety, the Australian privacy commissioner has ruled.
In 2022, it was revealed the hardware chain was one of a number of retailers using facial recognition tech in stores to check the face of every customer entering the store against a database of banned customers.
Facial recognition technology captures images of people’s faces from video cameras – such as CCTV footage – as a unique faceprint that is then stored and can be compared with other faceprints. Bunnings’ system would check every customer entering, and delete the faceprint of those customers not in the database about four milliseconds after checking.
The company placed small signs at the entrance to its stores and advised customers it was for loss prevention or store safety purposes.
The Office of the Australian Information Commissioner in an investigation found the tech had been deployed at 63 stores between November 2018 and November 2021 – likely capturing hundreds of thousands of people.
The privacy commissioner, Carly Kind, found Bunnings collected sensitive information without consent and failed to take reasonable steps to notify people their information was being collected.
“Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression,” she said.
“However, just because a technology may be helpful or convenient does not mean its use is justifiable. In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.”
Bunnings has been ordered to not repeat or continue the acts and practices that led to the interference with individuals’ privacy.
In response, the Bunnings managing director, Mike Schneider, said Bunnings would seek a review of the decision.
“We had hoped that, based on our submissions, the commissioner would accept our position that the use of FRT [facial recognition technology] appropriately balanced our privacy obligations and the need to protect our team, customers and suppliers against the ongoing and increasing exposure to violent and organised crime, perpetrated by a small number of known and repeat offenders,” he said.
Schneider claimed that 70% of incidents are caused by the same group of people and it was impossible to enforce bans on people given the high number of visitors. He said facial recognition tech provided the fastest and most accurate way to identify individuals and remove them from the store.
He said the trial created a safer environment for staff and a reduction in incidents, compared with stores not taking part in the trial. He said customer privacy was not at risk.
“The electronic data was never used for marketing purposes or to track customer behaviour. Unless matched against a specific database of people known to, or banned from stores for abusive, violent behaviour or criminal conduct, the electronic data of the vast majority of people was processed and deleted in 0.00417 seconds–less than the blink of an eye.”
The company has also issued CCTV footage of some of the alleged incidents to the media on Tuesday. The ruling includes detail of one individual on the database who was detected on nine separate occasions between March 2019 and February 2020, and on five of those occasions the person left without incident. In another incident a person was detected, who was allegedly later found with $3,814 in stolen stock after being arrested by police.
Kind said facial recognition technology and the surveillance it enables has emerged as one of the most ethically challenging new technologies in recent years, and the potential for the technology to help protect against crime and violent behaviour must be weighed against the impact on privacy rights and society’s collective values.
