Retailers on notice after Bunnings’ privacy trouble – as experts warn more must be done
Source: Bunnings
Consumer and privacy experts say retailers mulling in-store facial recognition technology should reconsider after Bunnings was caught breaching customer privacy.
They also warned that more must be done to protect Australian shoppers.
This week Carly Kind, the Privacy Commissioner at the Office of the Australian Information Commissioner (OAIC), found Bunnings had breached the Privacy Act by capturing the faces of every person who entered 63 stores in Victoria and NSW between November 2018 and 2021.
Dr Suelette Dreyfus, a researcher of privacy issues at University of Melbourne, said the decisions can be seen as a warning for businesses that plan to introduce facial recognition in stores.
“With this ruling the Privacy Commissioner has courageously stood up for privacy, effectively saying companies shouldn’t use a technology against consumers just because it happens to exist,” she said.
“Sometimes that technology crosses a line, in this case the right to privacy, and it’s up to the government to rein in how the technology is used in order to protect us all.”
Bunnings, which is owned by Wesfarmers, has flagged that it plans to challenge the decision and said that it used facial recognition to reduce theft and crime in its stores.
Bunnings, Kmart and The Good Guys were reported to the Privacy Commissioner by consumer group Choice, after an investigation found the widespread “capturing the biometric data of their customers” throughout retail stores.
‘More to be done’
Rafi Alam, senior campaigns and policy adviser at Choice, said although the decision by the privacy commissioner is a step in the right direction, there is still “more to be done”.
“This is a landmark decision that will prompt all businesses to think carefully about the use of facial recognition in Australia going forward,” he said.
“We know the Australian community has been shocked and angered by the use of facial recognition technology in a number of settings, including sporting and concert venues, pubs and clubs, and big retailers like Bunnings.”
He said his organisation is calling for specific, fit-for-purpose laws that hold businesses accountable when they breach customers and protect consumers from the harms of unregulated facial recognition technology.
Facial recognition technology is also widespread in Australian stadiums and venues, while Amazon is making a push for it to be used in transactions.
Broad ramifications
Dreyfus said that widespread and unchecked use of facial recognition in retail settings “could be another Robodebt in the making”.
“There are so many risks here of overreach, of injustice, of abuse of power,” she said.
“We’re going to move from live CCTV to stop shoplifting of candy bars to imposing government-run, anti-terrorism regimes that are supposed to stop people who blow up aeroplanes.”
Dreyfus said that the decision to introduce facial recognition technology in retail settings is ‘a massive overreach impacting all our privacy’. Photo: Getty
Australians have experienced several large-scale data breaches in recent years, including from Optus and Medibank, that have resulted in the leaking of millions of identifying and private information.
Although reforms have been in the pipeline for years, following a 2019 review, the Australian government only introduced the first changes in September.
The changes created increased penalties for serious or repeated privacy breaches, greater powers for the Australian Information Commissioner and additional funding for the OAIC.
Dreyfus said that the broader ramifications will “depend on any review of the ruling showing backbone to defend this important gain for consumers”.
“The Privacy Act needs to do more to protect consumers when it comes to emerging technologies such as facial recognition software,” Dreyfus said.
“For facial recognition to work, there has to be a ‘master list’ of faces that your face is matched to when you enter a store. What if that master list is wrong and you’re denied entry because of that error?”