The face off over facial recognition: The Bunnings determination

The face off over facial recognition: Bunnings

Note: The Helios team is working on a deeper dive to explore the implications for all organisations, but first we have produced a summary of this significant case.

In brief

In a Determination published on 18 November, the Australian Privacy Commissioner, Carly Kind (the Commissioner) has found Bunnings Group Limited (‘Bunnings’) breached Australian customers’ privacy by collecting their personal and sensitive information through a facial recognition technology system (‘FRTS’).

The FRTS employed CCTV to capture the faces of every person – likely hundreds of thousands – who entered 63 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021. These images formed a repository enabling comparisons with images of individuals Bunnings had pre-enrolled in a database who had been identified as posing a risk, for example, due to past crime or violent behaviour.

Background

Between January 2019 and 30 November 2021, Bunnings operated the FRTS in 62 stores in Victoria and New South Wales. Prior to that, Bunnings operated FRT in one store for a 2-month trial period from 6 November 2018. The FRT, known as ‘Live Face Match System’ was provided by a third-party supplier (third-party supplier).

The FRTS via CCTV at entry points, captured the facial image of every person who entered (customers, staff and others), regardless of their age or other characteristics.

The OAIC’s Investigation

The Commissioner’s investigation focused on whether Bunnings had complied with Australian Privacy Principles (‘APPs’) 3.3, 5.1, 1.2 and 1.3 in the Privacy Act 1988 (Cth) (‘the Act).

APP 3.3 states that entities (including large retail businesses regulated under the Act) must not ‘collect sensitive’ information unless the individual consents or an exception applies.

APP 5.1 requires entities to take reasonable steps to notify an individual of certain matters listed in the APP concerning the handling of their personal information.

APP 1.2 requires entities to take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs.

APP 1.3 requires entities to have a clearly expressed and up-to-date privacy policy.
The Commissioner noted that facial images as a form of ‘biometric’ are characterised as ‘sensitive information’ under the Act.

Sensitive information has a higher level of privacy protection than other types of personal information. It can typically only be collected with consent, or in other specific situations permitted by the Act (e.g., to respond to a serious threat, or to take action to manage suspected unlawful activity or misconduct).

Given these APPs, the five main questions for the Commissioner’s consideration were whether Bunnings:

  1. ‘collected’ sensitive information through the use of the FRTS, and if so,
  2. could reply on a ‘permitted general situation’ in relation to the collection (an exception to the consent requirement)
  3. took reasonable steps to give notice of the matters required by APP 5
  4. took reasonable steps to implement practices, procedures and systems that ensured compliance with APPs, and
  5. maintained a Privacy Policy that sufficiently described the kinds of personal information collected and held, how it is collected, and how it is managed.

Bunnings Arguments in support of its compliance with respect to use of the FRTS

Bunnings made detailed legal submissions for the Commissioner’s investigation and provided range of information including studies about crime and violence in the retail sector, incident records, and video of a recent in-store incident. These contentions included that:

  • Bunnings did not ‘collect’ the personal information of what was a vast majority of non-matched individuals using the FRTS, because the activity lacked the necessary purposive character of ‘collection’ under the Act. It was a deliberate aspect of the design that the information of non-matched individuals (namely the facial image and associated vector set) was processed only transiently by the FRTS before being automatically deleted. Therefore, it could not have breached APPs 3.3 and 5.1 because it did not purposefully collect it for inclusion in a record;
  • alternatively, in the event that Bunnings did collect the information of non-matched individuals:
    • the circumstances were covered by permitted general situations in items 1 and 2 of section 16A of the Act (Item 1 being the ‘serious threat’ situation and item 2 being the unlawful activity or misconduct situation)
    • Bunnings did give adequate notice, including by way of entry notices and in-store privacy posters.
  • Bunnings had implemented adequate practices, procedures and systems to comply with the APPs, including considering the privacy implications of the FRTS from the outset, seeking prior legal advice and during the trial, employing a ‘privacy-by-design’ approach (immediate deletion of non-matched data), and giving limited system access to a limited number of trained personnel.

Commissioner’s considerations

The Commissioner considered Bunnings’ compliance with the APPs in light of the:

  • nature and size of operations – including that Bunnings’ revenue had steadily increased in recent financial years, from approximately $14,999 million in the 2019-2020 year to $17,754 million in the 2021-2022 year
  • number of individuals affected and time period over which the FRTS operated, which would have enabled multiple images of a proportion to be collected on multiple visits
  • length of time the information was held – images of non-matched individuals were held for 4.17 milliseconds
  • format of the information – Bunnings submitted that data was collected in numerical form and thus in the event of a security breach, was not capable of identifying individuals without sophisticated technology
  • potential consequences of collection for ‘matched individuals’ (whether correctly or incorrectly matched) being subjected to adverse or different treatment, regardless of their behaviour
  • novel nature of the technology for a retail setting at the time it was implemented, including that it was covert, would likely have been unexpected, and raised widespread community concerns regarding increased surveillance, bias and discrimination.

Commissioner’s findings

Bunnings was found to have interfered with the privacy of the individuals whose personal and sensitive information was collected through the FRTS. Specifically:

  • Bunnings collected the sensitive information of individuals without their consent in a context in which none of the Act’s exemptions applied, and
  • Bunnings had failed to:
    • take reasonable steps to notify individuals about the facts, circumstances and purposes for the collection, and the consequences for them if it was not collected (which might typically be non-entry, but was not a matter explored)
    • take reasonable steps to implement practices, procedures and systems to ensure it complied with the APPs (which are typically focussed on a broad array of operations, but can also be specific to a type of system or technology and focus on a system’s technical, policy, training and complaint /incident management controls)
    • include in its privacy policies information about the kinds of personal information it collects and holds, and how it collects and holds it.

The Commissioner disagreed with Bunnings’ submissions, finding that it did collect sensitive information, and for inclusion in a record. The process, albeit momentary, necessitated the inclusion of the CCTV footage data, still images and vector sets in Bunnings’ servers, which constituted ‘electronic devices’ and were therefore a record for the purposes of the Act. Bunnings could not operate the FRT system without including personal information in an electronic device. The fact that the information of non-matched individuals was deleted also supported the fact that it was held in an electronic device during the processing period. It did not matter that the information of non-matched individuals was held only momentarily before being deleted, or that the matching process was conducted automatically and without human intervention.

As to Bunnings’ two alternative justifications for the collection, the Commissioner noted that in order to satisfy the requirements of Item 1 and 2, the entity must have a reasonable basis for the belief that a permitted general situation exits, and not merely a genuine or subjective belief. The Commissioner stated that what was ‘necessary’ in the context of Bunnings’ operations should be determined by:

  1. the suitability of the FRTS, including its efficacy in addressing the activity or conduct
  2. the alternatives available to Bunnings to address the activity or conduct, and
  3. whether the use of the FRTS was proportionate, which involves balancing the privacy impacts resulting from the collection of sensitive information against the benefits gained by FRTS use.

Based on these factors, the Commissioner was not satisfied that either one of two permitted general situations (the ‘unlawful activity situation’ and the ‘serious threat’ situation) existed.

In relation to the ‘serious threat’ claim, the Commissioner noted that Bunnings needed a reasonable belief that the collection and use of personal information via the FRTS was necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

The Commissioner observed that a threat that may have dire consequences but is highly unlikely to occur would not normally constitute a serious threat. However, a potentially harmful threat that is likely to occur, but at an uncertain time, may be a serious threat, such as a threatened outbreak of an infectious disease.

There must also be a causal link between the necessity of the collection and the action taken to lessen or prevent the threat. Determining this causal link requires consideration of:

  1. the degree to which there is a threat to life, health or safety
  2. the extent by which that threat is lessened or prevented if the action is taken
  3. the nature and impact of the collection, use or disclosure on affected individuals if the action is not taken, and
  4. whether the matter could be responded to without handling the information or by handling a lesser amount of personal information.

The Commissioner evaluated these factors in light of Bunnings’ evidence of its experience of past and current incidents concerning violence and aggressive behaviour, and the lesser incidents relating to stock loss.

The Commissioner observed that Bunnings could not have adequately considered and satisfied itself the factors relevant to the necessity of the collection for either ‘permitted general situation’, in circumstances where it also maintained that no collection had occurred.

Notification of collection of personal information

APP 5.1 requires entities to take reasonable steps to notify individuals of particular matters regarding the management of personal information when it is collected.

Bunnings had submitted that because the information of non-matched individuals was not ‘collected’ in a Privacy Act-sense, it did not need to comply with this principle. Alternatively, if the information was collected, then Bunnings had given reasonable notice, via entry notices which advised that “Video surveillance is utilised”, and a privacy poster at various places within its stores. From May to November 2021, a revised notice advised “Video surveillance, which may include facial recognition, is utilised…”.

Bunnings espoused the view that it was unreasonable to expressly state that it was using FRT in the notice, let alone to say that it was for the purpose of matching a vector set against a database of individuals to deal with threatening situations, retail crime and other inappropriate conduct. Bunnings submitted that such a form of disclosure would undermine the efficacy of the system.

Bunnings also relied on five iterations of its Privacy Policy issued at various points across the period the FRTS was in operation. None of the five privacy policies expressly or implicitly referred to the fact that Bunnings collected sensitive information via the use of the FRTS.

The Commissioner disagreed that these steps were reasonable in the circumstances, thus denying the requisite level of transparency and personal choice over the collection of facial images. As to the first notice, it was not enough to state ‘video surveillance is being utilised’ to satisfy APP 5.1 obligations as a FRTS is fundamentally different to traditional CCTV. Further, the Commissioner was not persuaded that notifying individuals that a FRTS is operating in its stores would “undermine the efficacy of the system”.

Requirement for open and transparent management of personal information

The Commissioner then considered the final aspects of Bunnings’ compliance under APP 1 – to take reasonable steps to implement practices, procedures and systems that (a) ensure compliance with the APPs, and (b) enable dealing with privacy inquiries or complaints.

The Commissioner had recourse to the APP Guidelines, which amongst things included use of Privacy Impact Assessments, policies and procedures, staff training, and monitoring and review mechanisms, which in the circumstances should have been specific to the use of the FRTS. The Commissioner was not satisfied that Bunnings had discharged the obligations in APP 1, and found that the Bunnings Privacy Policy content was inadequate, in light of the nature of the technology and its impacts on individuals.

The outcome

The Commissioner made several declarations, including that Bunnings must:

  • not repeat or continue the acts and practices that led to the interference with individuals’ privacy (being the unlawful collection of images and the notice, accountability and transparency failures outlined above)
  • publish a statement about the conduct as a prominent feature on its website for 30 days, and elsewhere on the website for a further 12 months, containing specific details of how it had used the FRTS, the Determination findings and a process for individuals to seek further information and/or make a complaint; and
  • destroy all personal and sensitive information collected via the FRTS that it still holds (after one year’s retention), subject to any contrary legal requirements concerning retention.

Bunnings has a right to seek review of the determination, and media reports suggest that it is planning to do so.

Subscribe

Subscribe

This field is for validation purposes and should be left unchanged.