Facial Recognition in Retail: Australia's Privacy Act Breaches Explained

September 24, 2025
By SmartSuite News Team
Key Takeaways

  • Kmart's use of facial recognition technology for fraud detection was found to breach the Australian Privacy Act due to lack of consent and inadequate notification.
  • The Australian Information Commissioner's ruling emphasizes the need for transparent and clear communication regarding the use of biometric data.
  • Less privacy-intrusive alternatives, such as RFID tags, are available and should be considered by retailers.

The Office of the Australian Information Commissioner (OAIC) recently ruled that Kmart Australia Limited (Kmart) violated the Privacy Act 1988 (Cth) through its use of facial recognition technology (FRT) in 28 retail stores. This decision, following a similar ruling against Bunnings, highlights the critical need for transparency and consent in the deployment of biometric technologies in retail environments.

The Case Against Kmart

Kmart implemented FRT to detect and prevent fraudulent refunds. The system captured images of customers at in-store returns counters and matched them against a database of individuals who had previously engaged in refund fraud or theft. If a match was identified, staff could refuse refunds to those customers.

Kmart's Defense

Kmart's primary defense was that their processing of personal information via the FRT system was justified under the 'permitted general situations' in section 16 of the Privacy Act. They argued that they had reason to suspect unlawful activity and that the collection, use, and disclosure of personal information were necessary to take appropriate action against refund fraud.

OAIC's Key Findings

The Commissioner concluded that Kmart's use of FRT breached the Australian Privacy Principles by unlawfully interfering with the privacy of individuals. The main findings include:

Lack of Consent

Kmart incorrectly relied on the 'permitted general situation' exemption, so it was required to obtain consent before collecting sensitive biometric information. The Commissioner found that the FRT system's usefulness in preventing fraud was limited, given the relatively low value of fraudulent returns compared with Kmart's overall operations and profits. Less privacy-intrusive alternatives, such as relocating the Returns Counter or using radio frequency identification (RFID) tags, were considered more appropriate.

Failure to Notify

Kmart did not adequately notify individuals about the collection and use of their personal information. While they displayed a 'Conditions of Entry Notice' and a 'Privacy Poster' at certain entry points, the Commissioner found these measures insufficient. The required information, such as the facts and circumstances of the collection, the purposes of the collection, and how requests for access and correction could be submitted, was not clearly communicated.

Incomplete Privacy Policy

Three iterations of Kmart's privacy policy were in force during the FRT system's operation, but none of them were transparent about the use of the FRT system to collect personal information, including sensitive biometric data. The policies failed to articulate, even in generic terms, that the collection of facial images via the FRT system involved the generation of additional metadata.

What's Next for Kmart?

The OAIC has made several declarations to ensure that Kmart does not repeat the acts and practices that led to the privacy breaches. Kmart must:

  1. Cease and Desist: Not repeat or continue the acts and practices that led to the interference with individuals' privacy.
  2. Publish an Apology: Within 30 days of the determination, Kmart must publish an apology on their website and in relevant stores.
  3. Detailed Public Statement: Publish a detailed public statement on their website explaining their use of FRT, the breach, and how individuals can seek further information or lodge complaints. This statement must remain available for at least 12 months.
  4. Data Retention and Destruction: Retain all personal and sensitive information obtained or generated through the FRT system for 12 months following the publication of the statement. After this period, all such information must be destroyed.

The Bottom Line

The OAIC's rulings against Kmart and Bunnings emphasize the high bar for the use of facial recognition technology in retail settings. Retailers must ensure transparency, obtain proper consent, and consider less privacy-intrusive alternatives to avoid breaching the Privacy Act. These decisions set a precedent for the responsible use of biometric data in the retail industry.

Frequently Asked Questions

What specific privacy principles did Kmart breach according to the OAIC?

Kmart breached the Australian Privacy Principles by failing to obtain proper consent, inadequately notifying customers about the collection and use of their personal information, and having an incomplete privacy policy.

What are the less privacy-intrusive alternatives to facial recognition technology for preventing fraud in retail?

Less privacy-intrusive alternatives include relocating the Returns Counter so customers don't need to enter the store to obtain a refund, using radio frequency identification (RFID) tags, and implementing more manual verification processes.

What is the 'permitted general situation' exemption in the Privacy Act?

The 'permitted general situation' exemption in the Privacy Act allows organizations to collect, use, and disclose personal information without consent if they have reason to suspect unlawful activity and believe the collection is necessary to take appropriate action.

How does the OAIC's ruling impact the use of facial recognition technology in Australian retail?

The ruling sets a precedent for stricter compliance with the Privacy Act, emphasizing the need for transparency, consent, and the use of less privacy-intrusive alternatives in the retail sector.

What steps must Kmart take following the OAIC's determination?

Kmart must publish an apology and a detailed public statement, retain and then destroy personal and sensitive information, and ensure they do not repeat the acts that led to the privacy breaches.