The Privacy Commissioner has found retail giant Bunnings breached privacy laws by using facial recognition technology on its customers. The regulator says Bunnings did not gain proper consent to use the technology. Kmart is also under investigation by the regulator for using facial recognition, but a finding is yet to be made.
Category
📺
TVTranscript
00:00The CHOICE investigation uncovered this in June 2022, but it appears that the technology
00:08had been in use in both Bunnings and Kmart for a number of years prior to that. Both
00:14of them then paused the technology while the Privacy Commissioner investigates, and today
00:19we've seen a determination on what Bunnings did, but we're still waiting to find out what
00:25in fact will be discovered about Kmart. But what we've seen is that there's very similar
00:32issues across both. Both of them were using facial recognition technology widely throughout
00:38stores and completely unknown to customers. What we found in that earlier investigation
00:42is that more than 70% of people had no clue that in fact these retailers were using this
00:47technology.
00:48And so this will have major implications for how Australian businesses use this kind of
00:53technology in the future?
00:54Yeah, that's right. So basically what this means is it doesn't just apply to retail,
00:58it will apply to all entities regulated under the Privacy Act. So that means in other situations,
01:04for example, like stadiums or perhaps gaming venues, they'll need to look very, very closely
01:09at the details of this determination to find out if in fact their use of facial recognition
01:14technology is legal.
01:17As to why it's used, what reasons did the companies give for using this technology?
01:23So Bunnings said that they were using this technology to prevent anti-social behaviour
01:29and for security purposes, but what's really important in this decision from the Privacy
01:33Commissioner, Carly Kind, is that she pointed out the disproportionate nature of using this
01:38very, very invasive and very intrusive technology for that purpose. So one of the features of
01:44the Privacy Act is that you can't, you must use the least invasive type of technology
01:50or method of collection available. And that's what Bunnings has failed to do in this case.
01:55So essentially, they were using a technology that's kind of like collecting almost like
01:59a fingerprint every time you walk into the store across all individuals, including children,
02:04and not just targeting those high risk individuals. So that's what's very pleasing about this
02:09determination today is that really sets a clear guardrail around what's acceptable and
02:14that this kind of biometric collection isn't acceptable in this context.
02:20And the Office of the Australian Information Commissioner has set out a number of requirements
02:24for the company to fulfil, that is Bunnings. Now that includes not repeating this, doing
02:29some deleting and also publishing a statement. What do we know about this?
02:34That's right. So they've been told that they must delete any information that they still
02:38hold, that they have to publish a statement publicly that says that this determination
02:43has been made, and make efforts to correct any of the breaches that they've done.
02:49So that includes the fact that they didn't adequately inform customers and adequately
02:53get their consent. They didn't adequately update their privacy policies to reflect this.
02:58So they'll need to be able to make those corrections and they'll need to stop the practice and
03:02not do it again. I think that sets a really clear message for other retailers who've been
03:06thinking about using this technology, that it's just not on, it doesn't reflect what
03:10customers want and what consumers want. And now as the Privacy Commissioner has determined,
03:16it is also a breach of the law.