Decision deems biometrics sensitive personal information with higher protections
Carly Kind, Australia’s privacy commissioner, has held that Kmart Australia Limited breached privacy by using a facial recognition technology (FRT) system, intended to identify those perpetrating refund fraud, to collect the personal and sensitive biometric information of individuals entering its stores.
According to a media release from the Office of the Australian Information Commissioner (OAIC), the retailer used FRT from June 2020 to July 2022 to capture the faces of everyone who went to 28 of its stores and presented at a returns counter.
The privacy commissioner determined that Kmart failed to notify shoppers or obtain their consent to use FRT to collect their biometric information, which is sensitive personal information subject to higher protections under the Privacy Act 1988.
The retailer claimed an exemption under the Privacy Act from the requirement to seek consent, on the basis that it reasonably believed it needed to collect personal information to address unlawful activity or serious misconduct.
“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind said in the media release.
According to the privacy commissioner, though Kmart had other ways to tackle refund fraud that intruded less into privacy, it used an FRT system that:
The privacy commissioner weighed pertinent factors, including the estimated value of fraudulent returns, the retailer’s total operations and profits, the FRT system’s limited effectiveness, and the extent of the privacy impacts in collecting the sensitive information of everyone going to the stores.
“Understanding how FRT accords with the protections contained in the Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other,” Kind said. “Relevant to a technology like facial recognition, is also the public interest in protecting privacy.”
In its media release, the OAIC noted that this is its second determination regarding FRT use in retail.
The OAIC started investigating Kmart in July 2022. The OAIC acknowledged that the retailer stopped deploying its FRT system at that time and has cooperated throughout the investigation.
In October 2024, the privacy commissioner determined that Bunnings Group Limited had breached privacy by using FRT in 62 retail stores across Australia. The Administrative Review Tribunal is reviewing this determination.
“These two decisions do not impose a ban on the use of FRT,” Kind said in the OAIC’s media release. “The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted.”
While the privacy commissioner arrived at similar outcomes for Kmart and Bunnings, the OAIC drew a distinction between the two retail cases and noted that they focused on different FRT uses.
“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies,” Kind said. “However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”