Bunnings can keep facial recognition after tribunal ruling on retail crime tech

The Administrative Review Tribunal ruled in early February that Bunnings can continue using facial recognition technology in stores, partially upholding privacy violations found by the Office of the Australian Information Commissioner but allowing the program to proceed with fixes.

The tribunal affirmed the OAIC's finding that Bunnings breached Australian Privacy Principles 1 and 5 by failing to provide adequate notices and risk assessments when it deployed Hitachi facial recognition systems to scan customers entering stores. The hardware matched faces against a database of known shoplifters. However, the tribunal overturned the APP 3 violation, disagreeing with the OAIC's strictest interpretation around collection consent.

The decision matters because it clarifies when retailers can use biometric surveillance without explicit consent. The tribunal ruled that FRT qualifies for crime prevention exemptions if it's proportionate, effective, and no less intrusive alternatives exist. Bunnings argued its system only creates temporary templates that are deleted if there's no match, a technical distinction the tribunal found significant.

What this means for retail tech

The OAIC called the ruling a win for "strong protections" around emerging technology, emphasizing governance over outright bans. They're considering an appeal on the APP 3 finding. For CTOs evaluating loss prevention systems, the precedent is clear: case-by-case privacy assessments are mandatory, and transparency requirements remain high even when consent isn't strictly required.

The ruling comes as Australian retailers face rising theft rates. The tribunal specifically noted FRT was "suitable and effective" against repeat offenders and store violence. Still, most small retailers lack the legal resources to navigate these compliance requirements. Established platforms like Auror, which provides retail crime intelligence sharing without biometric capture, and POS systems like Lightspeed with built-in loss prevention analytics offer less legally complex alternatives.

The broader question: This is Australia's first major test of FRT in retail. The tribunal set a high bar for proportionality and transparency, but didn't close the door. Other major retailers are watching closely.