The Administrative Review Tribunal has partially overturned the privacy commissioner's ruling against Bunnings' use of facial recognition technology in 63 Victorian and NSW stores, finding the retailer's security justification valid but its disclosure practices inadequate.
The February 4 decision upheld breaches of Australian Privacy Principles 1 (transparent management) and 5 (notification requirements), but cleared Bunnings on APP 3.3 regarding collection conditions. The tribunal accepted Bunnings' argument that the technology was necessary for staff safety and theft prevention under "permitted general situations" in section 16A of the Privacy Act.
Bunnings had been using Hitachi facial recognition technology since 2018 to identify individuals involved in violence against staff, theft, or fraud. The system captured faces, generated biometric templates, and immediately deleted photos while retaining mathematical vector sets for matching. The company maintained an enrolment database with images of hundreds of flagged individuals.
The tribunal ruled the system met a proportionality test: retail crime was "very serious," less intrusive alternatives were unavailable, and the immediate deletion of photos minimized privacy intrusion. However, it required Bunnings to "take reasonable steps to provide notification that personal information is being collected."
The Office of the Australian Information Commissioner, which launched its investigation in July 2022, welcomes the affirmation that transient data counts as collection but disagrees with the APP 3.3 exemption. Commissioner Angelene Falk emphasized that proportionality should be assessed case-by-case, considering suitability, alternatives, and intrusiveness. The OAIC is considering an appeal.
The decision sets an important precedent for retail deployment of biometric systems. While it acknowledges legitimate security needs, it requires clear customer notification, proper governance frameworks, and privacy policy disclosure. Bunnings ceased using facial recognition in 2022 following the OAIC investigation.
What this means in practice: Retailers wanting to deploy facial recognition must demonstrate genuine security needs, implement proper notification systems, and maintain governance frameworks. The consent-free collection pathway exists, but only with transparent disclosure.