Facial recognition, privacy and responsible intention for businesses

The decision in Bunnings Group Ltd (Privacy) [2024] provides a timely reminder that privacy compliance does not turn solely on intention. Organisations may believe they are acting responsibly and still fall short of statutory requirements.

Bunnings trialled facial recognition technology in a number of stores as part of its loss-prevention and safety measures. The system captured and compared facial images of customers entering stores with the aim of identifying individuals previously involved in theft or violent incidents. The stated purpose of the trial was security rather than marketing or profiling of customers.

The issue that arose was not the intention behind Bunnings’ actions but the way in which sensitive information was collected and handled.

The Privacy Commissioner’s finding

Under the Privacy Act 1988 (Cth), biometric information used for automated identification or verification, and biometric templates, fall within the definition of “sensitive information” and are subject to stricter rules than ordinary customer information. In particular, Australian Privacy Principle 3.3 generally requires the individual’s consent before sensitive information is collected unless a statutory exception applies. That distinction became central in the Bunnings matter.

The Privacy Commissioner formed the view that the way the facial recognition system operated did not meet those requirements. Customers entering the stores were not considered to have provided valid consent to the collection of their biometric data and the level of notice given about how that data would be captured and used was found to be insufficient.

Importantly, the Commissioner did not question that Bunnings was seeking to address safety concerns; the difficulty lay in the process rather than the objective. The Act sets a higher bar where sensitive data is involved and the Commissioner concluded that the trial did not clear it.

The Administrative Review Tribunal decision

In a subsequent development, the Administrative Review Tribunal partially overturned aspects of the Commissioner’s determination. The Tribunal accepted that, in the particular circumstances of this case, Bunnings could rely on an exception under the Privacy Act (the “permitted general situation” in s 16A) that permits the collection of sensitive information where it is reasonably necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent.

The Tribunal’s reasoning acknowledged the safety context in which the technology was deployed and accepted that the risk environment was relevant to the application of the statutory exception.

However, the Tribunal did not suggest that privacy obligations fall away where security concerns exist. Transparency, proportionality and proper privacy processes remain essential components of lawful data collection. The availability of an exception will always depend on the facts and the evidentiary basis for relying upon it.

A second case study: 7-Eleven Stores Pty Ltd (Privacy) [2021]

The earlier determination in 7-Eleven Stores Pty Ltd (Privacy) [2021] involved facial recognition technology in a different setting. In that case, 7-Eleven used the technology as part of a customer satisfaction survey program where customers completing surveys on in-store tablets had their facial images captured and converted into biometric data.

The regulator examined whether that level of data collection was permitted under the Privacy Act. The Office of the Australian Information Commissioner concluded that collecting biometric information was not reasonably necessary to run a customer feedback program and that customers had not been clearly informed that their biometric information was being collected. As a result, the OAIC determined that 7-Eleven had breached the Act.

When viewed together, the two matters concerning Bunnings and 7-Eleven demonstrate that context is critical. A system introduced in response to security concerns will be assessed differently from one used for customer engagement purposes. In both cases, however, the method of collection and the clarity of communication remained central to the analysis.

What this means for businesses

The Bunnings matter illustrates how quickly privacy issues can arise when organisations adopt data-driven systems, particularly those involving biometric information or surveillance technologies.

Three key lessons emerge.

What these decisions make clear is that biometric data cannot be treated in the same way as routine customer information. Where sensitive information is involved, additional obligations arise and those obligations need to be identified early, before a system is rolled out.

They also demonstrate that a legitimate objective does not resolve the compliance question. Introducing technology for safety, loss-prevention or customer engagement purposes does not remove the need to ensure that the method of collection aligns with the requirements of the Privacy Act 1988 (Cth).

Finally, reliance on statutory exceptions requires careful judgement. Whether an exception applies will depend on the specific circumstances, the level of risk involved and the evidence available to justify the collection. It is important to remember that this is not something that can be assumed in advance.

A practical compliance approach

If a business is thinking about introducing facial recognition or other surveillance tools, the legal questions usually arise earlier than expected. It is far easier to work through privacy issues before a system goes live than to respond once concerns have been raised.

That means looking closely at what information is actually being collected, how it will be stored, who will have access to it and what customers are told at the point of collection. Consent is not just a box to tick; it has to be meaningful, particularly when biometric data is involved.

The Bunnings decision does not say that this kind of technology cannot be used but it does show that the process around it matters. Even where there are genuine safety concerns, the way information is gathered and explained to customers will be scrutinised.

As expectations around data handling continue to shift, businesses need to ensure their internal practices are keeping up. Taking the time to assess risk at the outset can avoid much more serious problems later on.

Aubrey Brown Lawyers advises businesses on privacy and risk management. If you are considering new surveillance or data-driven systems, seeking advice early can help you understand where the pressure points may lie.

To arrange an appointment with our team, call (02) 4350 3333 or visit aubreybrown.com.au.
