Bunnings, the hardware giant, has been given the green light to use facial recognition technology on customers to combat crime, sparking debate over privacy and security. The Administrative Review Tribunal reversed a 2024 ruling by the Australian Privacy Commissioner, finding that Bunnings had not properly notified customers about the scanning of their faces.
The tribunal agreed that the technology was justified for a limited purpose: preventing very significant retail crime and protecting staff and customers from violence, abuse, and intimidation. Bunnings deployed facial recognition in 62 stores in New South Wales and Victoria between 2019 and 2021, after a successful two-month trial in one store. Hundreds of thousands of people had their faces scanned against a database of banned individuals, with no matches resulting in image deletion.
Bunnings' national security manager, Alexander MacDonald, testified that the technology had identified repeat offenders, organized retail criminals, and serious risks to staff and customers. The company calculated that at least 66% of theft losses were attributed to the top 10% of offenders. The tribunal acknowledged some false positives but noted that staff manually reviewed and discarded them.
MacDonald addressed concerns about racial bias, citing studies showing a risk of false positives skewed towards non-white and non-male subjects. However, he assured that Bunnings' system showed no racial bias. The tribunal also found that Bunnings' signage and notices failed to meet obligations to notify visitors about personal information collection.
Bunnings' managing director, Mike Schneider, welcomed the ruling, emphasizing the company's commitment to safety. He stated that the technology was intended to protect people from violence, abuse, and organized retail crime. Bunnings accepted the tribunal's feedback on signage and customer notification.
A spokesperson for the Office of the Australian Information Commissioner acknowledged the decision's confirmation of strong privacy protections under the Privacy Act. The OAIC has not ruled out an appeal, considering the implications of the ruling.
