Australia’s Privacy Commissioner has ruled against Bunnings Group Limited for violating privacy laws through its use of facial recognition technology, a decision that intensifies scrutiny on the ethics of biometric surveillance.
Bunnings, an Australian retail giant, deployed facial recognition technology in 63 stores across Victoria and New South Wales between November 2018 and November 2021. Through CCTV systems, the retailer captured facial images of potentially hundreds of thousands of customers, a move deemed “disproportionately intrusive” by Privacy Commissioner Carly Kind.
Ethical Dilemma in Surveillance Technology
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Kind said. While the system’s ability to deter violence and crime is acknowledged, she said privacy rights must outweigh convenience.
The investigation found that Bunnings lacked transparency and failed to obtain explicit consent from customers. This absence of informed consent violated Australia’s Privacy Act, which classifies biometric data, such as facial images, as “sensitive information” requiring stringent protections.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” Kind said.
“We can’t change our face. The Privacy Act recognises this, classing our facial image and other biometric information as sensitive information, which has a high level of privacy protection, including that consent is generally required for it to be collected.”
Governance and Privacy Gaps
The Privacy Commissioner’s report notes systemic governance failures, including insufficient measures to inform customers and a lack of clarity in Bunnings’ privacy policy. The retailer did not adequately notify customers that their biometric data was being recorded or explain how it would be used.
The Office of the Australian Information Commissioner (OAIC) has now ordered Bunnings to cease these practices, delete the collected data within a year, and publish a statement on its website detailing the breach. The OAIC also released a privacy guide for businesses on the responsible use of facial recognition technology.
Bunnings Defends Its Actions
Bunnings managing director Mike Schneider expressed disappointment over the ruling, defending the use of the technology as a necessary safety measure.
“Our use of facial recognition was never about convenience or saving money,” Schneider told local Australian media. “It was about safeguarding our team, customers, and suppliers amid increasing exposure to violent and organized crime.”
According to Schneider, 70% of security incidents in Bunnings stores involved repeat offenders, and facial recognition provided an efficient way to enforce store bans. The retailer maintained that customer privacy was not compromised, citing automatic deletion of unmatched facial data within milliseconds.
Bunnings also clarified that the data was never used for marketing or behavioral tracking. However, the Commissioner’s findings stated that any collection of biometric data, even briefly, requires prior consent and robust safeguards.
A Growing Industry Trend
The investigation into Bunnings’ practices followed a 2022 report by consumer advocacy group CHOICE, which revealed that multiple retailers, including Kmart and The Good Guys, were using facial recognition technology. While all three companies suspended the practice after public backlash, Kmart remains under investigation, and The Good Guys were cleared by regulators.
The growing public concern over the ethics of facial recognition technology is especially sharp in retail settings, where its use may not align with societal values. Critics argue that such technology disproportionately infringes on privacy while offering limited benefits.
CHOICE senior campaigns and policy advisor Rafi Alam said:
“We know the Australian community has been shocked and angered by the use of facial recognition technology in a number of settings, including sporting and concert venues, pubs and clubs, and big retailers like Bunnings. We hope that today’s decision from the Information Commissioner will put businesses on notice when it comes to how they’re using facial recognition.”
“While the decision from the OAIC is a strong step in the right direction, there is still more to be done. Australia’s current privacy laws are confusing, outdated and difficult to enforce. CHOICE first raised the alarm on Bunnings’ use of facial recognition technology over two years ago, and in the time it took to reach today’s determination the technology has only grown in use.”
Balancing Privacy and ‘Justifiable’ Security
“Just because a technology is available doesn’t mean its use is justifiable,” Kind said, urging organizations to prioritize community expectations and regulatory compliance.
The ruling sends a strong message to businesses that the deployment of surveillance technologies must be proportional to their intended purpose and that privacy considerations cannot be sidelined.
Schneider, however, remained steadfast in his stance. “FRT (facial recognition technology) was an important tool for helping to keep our team members and customers safe from repeat offenders. Safety of our team, customers and visitors is not an issue justified by numbers. We believe that in the context of the privacy laws, if we protect even one person from injury or trauma in our stores the use of FRT has been justifiable,” he said.
Regulatory Implications
The ruling not only penalizes Bunnings but also sets a precedent for how businesses must approach privacy in the digital age. Organizations using emerging technologies must ensure transparency, accountability, and alignment with privacy laws.
As part of the penalty, Bunnings is required to educate customers on their rights and explain how the breach occurred. This decision shows the importance of proactive privacy measures in an era of increasing reliance on advanced surveillance tools.
While Bunnings has announced plans to seek a review of the decision, the case shows the tension between technological advancements and ethical considerations. It raises critical questions about where to draw the line between security measures and the fundamental right to privacy.
With the OAIC publishing new guidelines, businesses must rethink their reliance on surveillance technologies and evaluate the broader implications for customer trust and regulatory compliance.
This decision serves as a stark reminder: the path to safeguarding security cannot come at the cost of undermining public confidence in privacy protections.