In a significant legal reversal, the Australian hardware retail giant Bunnings has been granted permission to utilise facial recognition technology on customers within its stores. This decision overturns a previous 2024 ruling by the Australian privacy commissioner, which had found the company in breach of visitor privacy through its scanning practices.
Tribunal Reverses Privacy Breach Finding
The Administrative Review Tribunal this week set aside the earlier determination, concluding that Bunnings is entitled to employ facial recognition systems for a specific, limited purpose. The tribunal emphasised that the technology's use is justified to address substantial retail crime and to safeguard staff and customers from violence, abuse, and intimidation on the premises.
Between January 2019 and November 2021, Bunnings implemented facial recognition across 62 stores in New South Wales and Victoria, following a two-month pilot in a single store during 2018. During this period, hundreds of thousands of individuals had their facial images scanned and checked against a database of hundreds of banned persons. Images that did not produce a match were promptly deleted.
Evidence of Persistent Threats in Stores
The tribunal heard compelling testimony from store managers detailing the frequency and severity of incidents. Shawn Adam, manager of the Box Hill store, reported that threatening or abusive behaviour occurred every two to three days on average, leaving team members visibly shaken and distressed. He expressed daily concern for the safety of both staff and customers.
Alexander MacDonald, Bunnings' national security manager, provided further context, noting that a high proportion of theft and violent incident investigations identified repeat offenders, organised retail criminals, and individuals posing serious safety risks. The company's analysis indicated that, on average, at least 66% of annual theft losses were attributable to the top 10% of offenders.
Addressing Privacy and Bias Concerns
While the tribunal acknowledged that the facial recognition technology had occasionally generated false positives, these instances were manually reviewed by staff and discarded. MacDonald addressed concerns about potential racial bias, referencing studies that show risks skewed towards non-white and non-male subjects. He asserted that Bunnings' system had not demonstrated any such bias in practice.
However, the tribunal did find that Bunnings had failed to adequately notify customers about the collection of their personal information. The posters and entry notices used did not meet the company's obligations under privacy regulations.
Company and Regulatory Responses
Mike Schneider, Bunnings' managing director, welcomed the tribunal's decision, stating that the safety of team members, customers, and suppliers remains the company's highest priority. He affirmed that the technology trial was intended to protect people from violence, abuse, serious criminal conduct, and organised retail crime. Schneider also acknowledged the tribunal's feedback regarding signage and customer communication, indicating Bunnings' acceptance of this aspect.
A spokesperson for the Office of the Australian Information Commissioner commented that the decision reinforces the strong privacy protections within the Privacy Act, noting that limited exemptions must be evaluated on a case-by-case basis. The OAIC has not ruled out appealing the tribunal's ruling and is currently considering its implications.
This development marks a pivotal moment in the balance between retail security measures and individual privacy rights in Australia, setting a precedent for how facial recognition technology may be deployed in commercial environments to address crime.
