A recent decision by the Administrative Review Tribunal may pave the way for the widespread use of facial recognition technology in retail and other privately owned spaces across Australia. The tribunal ruled that Bunnings, a major hardware retailer, is exempt from certain rules requiring customer consent for the use of facial recognition technology.
The tribunal’s decision, which could still be appealed to the Federal Court, has ignited concerns over privacy, biometric data, surveillance, and consent in the country. If upheld, the ruling could significantly alter the landscape of privacy rights in Australia.
The Bunnings Case: A Closer Look
Between January 2019 and November 2021, Bunnings conducted a trial of facial recognition technology in at least 62 stores in Victoria and New South Wales, following an initial pilot in November 2018. The technology was integrated into in-store security cameras, capturing facial images of all individuals entering the premises to create a searchable database of facial identifiers.
In November 2024, the Privacy Commissioner found that Bunnings breached the privacy of potentially hundreds of thousands of Australians through its use of facial recognition technology. The findings highlighted several key issues:
- Customers did not consent to the collection of their facial information.
- Signage informing customers of biometric data collection was unclear or missing.
- Bunnings lacked staff training on the use of facial recognition technology.
- The company did not have a clear policy on managing collected personal information.
- The use of the technology exceeded what was deemed necessary to mitigate organized retail crime and threatening situations.
The Privacy Commissioner declared the use of facial recognition technology on thousands of people to prevent retail crime as disproportionate, although acknowledging its potential to reduce violence and theft.
Tribunal’s Ruling on Consent
In reviewing the Privacy Commissioner’s determination, the Administrative Review Tribunal supported all findings except the one related to consent. The tribunal argued that Bunnings’ actions fell under an exception to the consent requirement, as outlined in Australia’s privacy act.
The privacy act protects personal sensitive information, including facial data, and states that such information can only be collected with individual consent. However, section 16 (A) of the act lists exceptions, one of which the tribunal applied to Bunnings:
The entity reasonably believes that the collection, use, or disclosure is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.
The tribunal gathered personal testimonies from Bunnings workers, who believed the technology was necessary to combat retail crime and protect staff and customers from violence, abuse, and intimidation, sometimes involving weapons or threats.
Implications for Biometric Data and Consent
This decision has far-reaching implications beyond Bunnings, potentially affecting the control of individuals’ biometric information across Australia. If not appealed, retailers and other organizations might use biometric technologies on the public without consent, justifying their actions with risk-management narratives based on personal statements.
Such a shift would make consent an optional constraint, easily bypassed whenever biometric surveillance is framed as efficient, preventative, or protective. The Bunnings case could erode the foundational structure of privacy law, treating biometric data collection as contingent on the needs and beliefs of the collecting entity, rather than the choice of the individuals affected.
Privacy Law and the Future of Surveillance
The circumstances surrounding the Bunnings case differ significantly from the original intent of privacy laws drafted in 1988. The OAIC Guidelines of the Privacy Act 1988 emphasized consent as a cornerstone of biometric data collection, intended for severe cases like a threatened outbreak of infectious disease, allowing preventative action before a serious threat materializes.
However, if facial recognition becomes normalized, protecting privacy becomes increasingly challenging. Data management protocols may need tightening, and laws might require amendments. The ruling lowers the threshold for surveillance, potentially extending non-consensual biometric processing to workplaces, schools, and other public but privately owned spaces, all justified by safety, deterrence, or necessity.
Most importantly, the decision reshapes the meaning of consent, risking its transformation from an operative to a symbolic concept. While consent may remain formally recognized in law, its practical relevance could diminish significantly.
