
Learnings from the Bunnings FRT appeal: Using a sledgehammer to crack a nut

13 February 2026


This month’s decision of the Administrative Review Tribunal (Tribunal) on Bunnings’ use of Facial Recognition Technology (FRT) provides important guidance for businesses using or considering FRT in Australia.

The Tribunal set aside the Privacy Commissioner's finding that Bunnings breached Australian Privacy Principle (APP) 3.3, regarding consent, but otherwise confirmed that Bunnings acted in breach of APP 1.2, 1.3 and 5.1, which relate to privacy processes and notification of individuals.

While the Tribunal’s decision has been widely portrayed in the media as a victory for Bunnings (in terms of allowing it to use FRT), much of the original determination, which found that Bunnings breached its basic privacy obligations in terms of its privacy notices, policies and procedures, was upheld.

The net result is that the application of the findings on the use of FRT is limited to the unique circumstances of Bunnings’ operations, and to others who can meet the relevant test for relying on an exemption from obtaining consent from customers.

Bunnings could have alerted customers to the existence of FRT before they entered stores and obtained their consent, but they relied on an exemption from this.

The Tribunal’s decision: Sledgehammer vs nutcracker

The Tribunal used an analogy to explain its finding, which in our view implied that the Privacy Commissioner had wrongly determined that Bunnings was using a ‘sledgehammer’ (being its chosen FRT system) to crack a ‘nut’ (being retail crime, theft and violence).

The Tribunal found that the technological features of the FRT system minimised the intrusion on privacy by permanently deleting collected sensitive information and limiting its susceptibility to cyberattacks. It found that the FRT system was therefore not so much a ‘sledgehammer’ or an overreach, and that the extent of retail crime being faced by Bunnings’ staff and customers was more serious than the Commissioner had considered. Using this FRT system to combat retail crime was therefore more akin to using a nutcracker to crack a big, complex nut than to the overreach that the original decision had concluded it was.

However, the Tribunal did also determine that Bunnings should have done more to notify individuals and comply with other obligations under the Privacy Act when using the technology.

Guidance for businesses considering facial recognition technology

The Tribunal’s decision provides helpful guidance for businesses using or considering FRT in their own operations, noting that some businesses will be able to support the same right to the exemption as Bunnings, but most others will need to obtain consent in circumstances where the use of FRT is reasonable. We outline some of the key lessons and practical takeaways we derive from the case below.

1. Meeting the threshold for collecting personal information without consent

To rely on the exception to needing consent for collecting sensitive information, a business must first establish that it has reason to suspect that unlawful activity, or misconduct of a serious nature, related to its functions or activities has been, is being or may be engaged in.

A relatively low bar is needed to establish the existence of unlawful activity. Both the original decision and the Tribunal agreed that the actual or threatened violence, abusive or harassing behaviour, and trespass by a prohibited person evidenced by Bunnings constituted conduct that could pose a risk to the health and safety of individuals in its stores and met the bar to establish that such activity was engaged in.

2. Ensure the response is necessary and proportionate

A business must then establish that it reasonably believed that the use of the information collected through, in this case, FRT is necessary to take appropriate action.

The use of FRT must not be a disproportionate and excessive response that goes beyond what is needed to solve the problem. Both decisions referred to extensive expert evidence. Businesses thinking of using FRT could obtain those expert opinions as part of a privacy impact assessment and build them into their policies from the start.

3. Consider whether FRT is the only option and the privacy impact

The Tribunal found that there was a serious problem with retail crime in Bunnings’ stores, with a significant proportion being committed by repeat offenders. Businesses wanting to implement FRT should consider:

  • whether the technology is an effective response to the identified risk
  • whether less privacy-intrusive alternatives are available
  • whether the implementation of FRT is proportionate. This involves balancing the privacy impacts resulting from the collection of sensitive information against the benefits gained from using FRT. This can be assessed by undertaking a detailed privacy impact assessment, for example.

4. Consider the unique circumstances of your operating environment

The Tribunal emphasised that Bunnings’ circumstances were significantly different from most other retailers. Its unique challenges in preventing theft and threatening situations included:

  • the size of its stores
  • multiple entry and exit points and that customers can drive their vehicles into the store
  • many of the products on sale could be used as a weapon, such as an axe, a screwdriver or a drill, and are readily accessible by anyone in the store.

5. Ensure compliance with governance and notification requirements

The Tribunal also provided important guidance on compliance with APP 1.2, 1.3 and 5.1, which it confirmed Bunnings breached. These principles cover governance and notification requirements. Practical steps include:

  • use appropriate signage at or immediately before entry points to notify individuals that FRT is in use; this includes displaying materials that would readily be seen by individuals entering the store. In Bunnings’ case, the Tribunal did not accept that it was impracticable for the retailer to provide such notice
  • refer specifically to the use of the FRT system in notifications and in privacy policies, and avoid vague wording such as “we may [use FRT to collect your data]” if FRT is in fact being used to collect individuals’ sensitive information
  • note that a generalised notification of video surveillance would not lead to an inference that an FRT system was being utilised, especially where the technology is relatively novel
  • inform individuals about the purpose of collecting their information and the consequences of not collecting this information, as required by APP 5.2.

Where collection of sensitive information represents a serious intrusion of privacy, businesses should conduct a formal, structured and documented risk assessment of the FRT system from the outset.

For Bunnings, the Tribunal said the steps taken amounted to random enquiries and actions which did not amount to an implementation of practices, procedures and systems relating to Bunnings’ functions or activities that would have ensured that it complied with the APPs.

If you are considering implementing FRT or similar technologies, have questions about the decision or need assistance with conducting a privacy impact assessment, please contact us here.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
