Proceed with caution! Privacy lessons from Bunnings & Privacy Commissioner

Bunnings’ belief that the FRT system was suitable or effective was supported by the factual evidence that it worked well in practice, generating a significant number of matches and alerts.

There was no alternative security control that could identify repeat offenders in the way that FRT could.

The challenges were exacerbated by various factors that the Tribunal said were different to most other retailers, including the sheer size of Bunnings’ stores, the presence of multiple entry and exit points, and the fact that products on sale (such as an axe or a screwdriver) could be readily repurposed as a weapon.

While the Tribunal recognised that the FRT solution had significant potential privacy impacts, as all customers are scanned on entering the store, it accepted that Bunnings was dealing with a serious risk in relation to instore violence and theft by repeat offenders. In this context, Bunnings was justified in its belief that the FRT solution was a proportional response.

Notably, the Tribunal emphasised that Bunnings had selected an FRT solution that had strong privacy-by-design features, including that the matching process took place in temporary RAM storage before being permanently deleted if there was no positive match. This approach limited the risk of cyber-attacks or other misuse of the data, and the parties agreed it was not possible to regenerate facial images from the RAM.

Whether there is a “collection” of personal information is a threshold issue for all APP obligations.

Bunnings contended that the FRT only momentarily processed input facial images and vector sets in local-server RAM and then deleted them, so there was no “collection” for inclusion in a “record”, particularly for unmatched individuals.

The Commissioner argued that storing input facial images and input vector sets in RAM to execute the matching process is a “collection” for inclusion in a “record”, drawing support from Facebook Inc v Australian Information Commissioner.^[2]

The Tribunal held that CCTV cameras and local servers were integral to Bunnings’ FRT, that input images and vector sets were held-albeit momentarily-in RAM, and that this amounted to a collection for inclusion in a record to enable matching, irrespective of subsequent deletion.

The Tribunal expressly rejected that there needs to be a minimum temporal threshold for “collection” and accepted that RAM qualifies as a “record” such that Bunnings “collected” and “held” a record of the information even though it was almost instantaneously deleted if there was no match. The key was the purpose for which the information was collected, rather than the duration for which the information as held.

APP 3.3 imposes stricter limits on collection of “sensitive information,” which includes “biometric information” used for automated identification or verification and “biometric templates,” with Clearview^[3] confirming facial images can be biometric information in context. 

Bunnings submitted that input facial images were only “biometric samples”, not “biometric information”, and that only derived vector sets were “biometric templates”.

The Commissioner maintained that facial images used for automated identification are “biometric information” and therefore “sensitive information”, and that input vector sets are “biometric templates”.

The Tribunal confirmed that facial images collected for biometric matching are “biometric information” (and that derived faceprints/embeddings are “biometric templates”), rejecting the notion that raw images are merely non‑sensitive “samples.”

That conclusion has followed and built upon the decision in the Clearview web scraping case, which recognised that while not every face photo is biometric information in every context, it is when used for automated identification.

If a permitted general situation exists under s 16A, APP 3.4 applies and consent is not required to collect sensitive information.

Item 1 under section 16A applies where an entity reasonably believes that an action is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

Item 2 under section 16A applies where an entity reasonably believes that an action is necessary to take appropriate action in relation to unlawful activity affecting its business.

Bunnings contended that both Items 1 and 2 were satisfied in the circumstances, with the primary focus being on dealing with unlawful activity in the form of violence and theft perpetrated by repeat offenders at Bunnings stores.

The Commissioner argued that no permitted general situation was established: the “matter” should be framed broadly to cover all retail crime at Bunnings stores, including by first-time offenders (who would not be identified by the FRT solution), “necessary” should be read stringently, and Bunnings’ belief in the necessity of the FRT solution was not reasonable in the circumstances.

Bunnings succeeded on this ground.

The Tribunal accepted that the relevant matter being addressed by Bunnings was repeat offending by known offenders. In addition, the Tribunal said that in this context “necessary” means more than helpful but not essential, and that the reasonableness of Bunnings’ belief should be assessed objectively by reference to the suitability of the FRT solution, whether there were less privacy-intrusive alternatives and whether the privacy impact was proportional to the benefits gained by using the FRT solution.

While the Tribunal acknowledged that there were differing views on the issue, it said that it was not required to decide whether one was more or less persuasive than another. Rather, it was a matter of whether the view adopted by Bunnings was reasonably open in the circumstances, and the Tribunal found that it was.

Accordingly, the exception in APP 3.4 applied and consent was not required for Bunnings to collect sensitive information through the FRT solution.

In this instance, the speed with which non-matched individuals data was deleted, was important in the reasonableness of the proportionality assessment.

APP 5.1 requires reasonable steps to notify at or before collection (or as soon as practicable) and to ensure awareness of APP 5.2 matters. In this context this includes that FRT is in use, the purposes for its use, and the main consequences of non-collection.

Bunnings submitted that in-store signage and a privacy poster were reasonable, and that more detailed or prominent notices were impracticable in its store environment.

The Commissioner argued that notices failed to inform customers that FRT was in use, the purposes of collection, and the main consequences of non-collection, so APP 5.1 was breached.

The Tribunal found the privacy poster omitted FRT and the APP 5.2 matters and that the “may include facial recognition” entry notice failed to convey that sensitive information was being collected — in total, the notices were insufficient, so APP 5.1 was breached.

APP 1.2 requires reasonable practices, procedures and systems to ensure APP compliance. For sensitive-information , there is an expectation from the regulator that a formal, structured and documented privacy risk assessment will be undertaken from the outset.

Bunnings argued that training, access controls, legal engagement, and internal “Minimum Standards” aimed at ensuring complaint deployment of FRT together amounted to reasonable steps to ensure APP compliance.

The Commissioner contended there was no formal, structured, documented PIA or equivalent from the outset — governance artefacts and records were incomplete — and mandated reviews were not in evidence.

The Tribunal held that APP 1.2 was breached. While Bunnings had taken some steps, they were piecemeal and did not amount to such steps as were reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APPs. The absence of a PIA made it difficult to demonstrate a formal, structured and documented process considering the privacy impacts. 

APP 1.3 requires an up-to-date privacy policy containing APP 1.4 information on kinds of information collected and how it is collected and held — advance notification can deter and mitigate offending.

Bunnings submitted it would be unreasonable and counterproductive to reveal FRT in policy materials because doing so could signal tactics to offenders.

The Commissioner argued that the policies did not disclose the kinds of personal information collected and how it was collected and held, including FRT, and so lacked required APP 1.4 content.

The Tribunal rejected the deterrence argument, observing that advance notification can in fact deter and mitigate offending, and found APP 1.3 was breached because the policies omitted the information required under APP 1.4 in relation to the kinds of information being collected and the methods of collection.