On 18 November 2024 the Australian Information Commissioner (AIC) published its decision in respect of Bunnings Group Limited. The AIC found that Bunnings had breached multiple sections of the Australian Privacy Principles through its use of facial recognition technology (FRT) at 63 stores in Victoria and New South Wales between November 2018 and November 2021.
The purpose for which Bunnings was using FRT was to identify patrons against a compiled internal database of individuals who were believed to pose a risk – due to previous crime or violent behaviour.
The AIC has published the following relevant material pertaining to the decision:
- Fact sheet of the Bunnings decision containing a summary of the key findings.
- Fact sheet titled ‘Facial recognition technology and privacy’.
- Updated website guidance titled ‘Facial recognition technology: a guide to assessing the privacy risks’.
- A personal statement from Commissioner Kind, who authored the Bunnings Decision.
The facts of the decision draw some parallels to the current and potential use of FRT in the gaming industry in Victoria – where it can be, and is being, used by some operators to identify patrons who have been self-excluded from a venue, as a means of assisting staff in enforcing that exclusion.
FRT and Privacy Law
FRT collects biometric information, such as physiological features, which is often used to create a ‘biometric template’ that is capable of identifying a person.
Biometric information is classified as ‘sensitive information’ – a subcategory of personal information that is afforded greater protection under the Privacy Act 1988 (PA) and the associated Australian Privacy Principles (APPs). The legal requirements to be met before an organisation can collect and use sensitive information are higher than those for ordinary personal information.
Relevant to the current circumstances, under the PA such information can only be collected with the provision of informed consent where it is reasonably necessary for the functions or activities of the organisation, or where an organisation reasonably believes the collection is necessary to take action in relation to unlawful activity that relates to the organisation’s functions.
Information can also be collected if it is required or authorised by or under an Australian law or a court/tribunal order.
FRT in Gaming Venues
Businesses that deal in the supply of liquor and gaming services are subject to compliance with State-based legislation, including the Liquor Control Reform Act 1998 (LCRA) and the Gambling Regulation Act 2003 (GRA).
Currently, the LCRA and the GRA and associated regulations neither mandate nor prohibit the use of FRT in licensed premises. As such, to comply with the PA the starting principle for gaming businesses to collect sensitive information via FRT is that they must establish the requisite ‘necessity’. Of course, central to the question of necessity is the purpose for which FRT is proposed to be used. While there is not a prescribed list of such uses, currently the main use that has been explored by industry is the enforcement of self-exclusion.
There are no published decisions of investigations by the AIC into gaming venues which provide industry-specific guidance as to what exact practices are acceptable or not acceptable.
The Bunnings Decision
The Bunnings decision provided some key findings pertaining to the collection of sensitive information that will impact the application of FRT in gaming venues:
- Concept of ‘collection’
Bunnings argued that the FRT system did not ‘collect’ the biometric information of patrons, including on the basis that the biometric scans of patrons were automatically deleted and did not form part of creating a ‘record’. The FRT system in place would scan an individual, conduct a multi-step process of comparing that biometric template against the internal database of offenders, and then, if the scan did not yield a match, disregard it. This process took on average 4.17 milliseconds.
The AIC ultimately found that information was ‘collected’, as, based on the evidence of the FRT supplier, the process of comparing the templates resulted in the data being momentarily stored on a local server held by Bunnings, and also on a local drive. However momentary, the AIC considered this step to be the inclusion of the data in a ‘record’, which therefore met the definition of collection.
This finding means that even FRT systems that automatically delete information as a means of data security are not exempt from the application of the PA and the requirements of the APPs. Automated deletion was regarded as a positive feature of data security, but it does not avoid the need for compliance with APP principles of data collection.
Given that gaming venues are likely to use FRT for a similar purpose – scanning ordinary patrons to see if they match a database of self-excluded individuals – this finding is pertinent.
- Consent
Bunnings did not argue that it had the consent of patrons to the collection of information. As such, the decision does not make any particular finding that assists regarding what venues must do to obtain the requisite level of ‘consent’ from patrons.
The decision reiterates the ordinary principles of consent to be informed, voluntary, current and specific and given by individuals with requisite capacity. However, there was not a discussion as to what may have been suitable consent in the circumstances.
Clear and comprehensive signage on entry may be regarded as suitable consent for information collection in some circumstances, but it should also be combined with an appropriately layered notification of the use of FRT in supplementary material that is also available to patrons – such as a privacy policy. As was explored in the AIC’s previous decision in 7-Eleven Stores Pty Ltd [201] AICmr 50, signage must also be appropriately sized, simple to identify and read, describe the purpose of the collection of information, and be proximate to the place of collection. In that previous decision, the signage displayed by 7-Eleven was found to be deficient on all of those counts.
That said, consent is only one threshold to be met – in conjunction with the collection being reasonably necessary.
- Necessity
In determining whether or not FRT was necessary, the AIC had regard to the suitability of the system with respect to its purpose, the alternative mechanisms available to achieve that purpose, and whether on balance the system was ultimately proportionate to achieving that purpose.
The AIC found that, in short, the FRT was of questionable suitability for the objective of preventing recidivist criminal activity; there were alternative processes available (FRT was an additional and complementary tool, and arguably even the most efficient and cost-effective one); and the extent of data collection (such as the number of ordinary patrons whose privacy was interfered with) was disproportionate to the purposes being achieved.
While the AIC was cautious not to underplay the significance of the harm being occasioned by patrons, the FRT system had logistical challenges (including that patrons’ attention was not drawn to its use for preventing recidivist criminal activity) that compromised its efficacy for its stated purpose.
In applying these findings to gaming venues:
a. Self-exclusion is, arguably, more suitable for FRT than the purposes in the Bunnings decision. This is because upon entry into a gaming room, a self-excluded person has by virtue of entry alone contravened their commitment. In contrast, FRT in the Bunnings decision presumed that a prior criminal would commit recidivist behaviour.
b. In both instances, alternative processes are available. It is clear from the Bunnings decision that FRT cannot be employed simply because it is the most cost-effective or more efficient option, even if it will produce better results.
c. Whether FRT is proportionate will have regard to the ordinary patronage of the venue against the number of self-excluded patrons in place – among other factors. As such, the suitability of FRT may also vary from venue to venue.
- Reasonable steps to manage information
The AIC was also critical of the steps taken by Bunnings prior to the implementation of the FRT system, including the lack of a ‘Privacy Impact Assessment’ – a project assessment step that considers the privacy impacts on individuals affected by a particular business practice (here, the implementation of FRT).
Taking appropriate preparatory steps before implementing an FRT system is essential to ensure that organisations consider the privacy implications of the system, and to assist in the development of clear policies and procedures governing the use of sensitive information.
It has been publicised that Bunnings will be seeking a review of the decision by the AIC.
What this means for Gaming Venues
FRT may remain an appealing tool for venues to enforce self-exclusion, but operators should not implement such a system without thoroughly assessing its suitability for the venue in question. A haphazard implementation of the system can result in serious financial penalties where the AIC finds serious or repeated interferences with privacy.
The results of the Bunnings decision highlight that there is no ‘one size fits all’ approach to FRT, and that prior consideration of the privacy impacts of such a system is essential – also taking into account the specific needs of the venue in question. The decision highlights that FRT is regarded by the AIC as a serious interference with privacy, and that it cannot be used simply because it is convenient, cost-effective or desirable.
The decision does not contain definitive findings that would render any gaming venue unsuitable for FRT – either on the basis that consent cannot be properly obtained (in any circumstances), or that it is not reasonably necessary to enforce self-exclusion. Venues should treat the decision as providing important guidance about whether or not FRT will be appropriate for a particular venue, and if so how to approach implementation.
Currently, there is no confirmation that the Victorian Government or the gambling regulator will mandate FRT in gaming venues, but we note it is mandatory in other Australian jurisdictions – such as South Australia.
Relevant also is the impending introduction of mandatory carded play in Victoria – which may be regarded by the AIC as an alternative process to manage self-exclusion, since it is a means of identifying individuals without reliance on biometric information. Where a new alternative process is in the pipeline, venues should exercise caution before investing in new technology that may be affected by it.
If you have questions regarding the implementation of FRT at your business, or otherwise managing your information and privacy obligations, please contact our office to discuss your matter further.
This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.