Australia: Privacy Ruling on Bunnings’ Use of Facial Recognition Technology
A recent decision by Australia’s Administrative Review Tribunal (ART) has reinforced how privacy laws apply when organisations use emerging technologies such as facial recognition.
The case involved Bunnings, Australia’s largest home improvement and hardware retail chain, which had deployed facial recognition technology (FRT) in some of its stores.
The Tribunal reviewed an earlier decision by the Office of the Australian Information Commissioner (OAIC), Australia’s national privacy regulator, and agreed that Bunnings breached key requirements under the Australian Privacy Principles (APPs), the core rules governing how organisations handle personal information.
What the Tribunal found
The Tribunal agreed that Bunnings had breached:
APP 1 – Organisations must manage personal information in an open and transparent way.
APP 5 – Individuals must be properly notified when their personal information is being collected.
The Tribunal found that customers were not given clear enough notice that facial recognition was operating in stores. It also stated that Bunnings should have completed a formal, structured, and documented privacy risk assessment before rolling out the technology.
The Tribunal also supported the OAIC’s view that when organisations rely on exemptions from obtaining consent, they must carefully assess:
Whether the technology is a suitable and effective response to the problem being addressed,
Whether less privacy-intrusive alternatives are available, and
Whether the use of the technology is proportionate to the risk.
Where the Tribunal differed
The Tribunal did not agree with the OAIC’s conclusion that Bunnings breached APP 3.3 (collection of solicited personal information).
It accepted that Bunnings could rely on a limited exemption from consent requirements because the system was used specifically to address repeat retail crime and to protect staff and customers from violence, abuse, and intimidation.
Why this decision matters
The OAIC welcomed the decision, noting that it confirms that the Privacy Act’s protections apply equally to new and advanced technologies.
Importantly, the decision reaffirmed that even brief or momentary capture of personal information by digital systems still counts as “collection” under the Privacy Act.
The case highlights how important it is for organisations to have:
Strong privacy governance,
Clear customer notification, and
Proper privacy risk assessments before deploying new technologies.
Broader context: rising privacy concerns
This decision comes at a time when community concern about privacy is increasing. According to the OAIC’s 2023 Australian Community Attitudes to Privacy Survey:
62% of Australians see protecting their personal information as a major concern,
Only 32% feel they are in control of their privacy, and
84% want stronger privacy protections and more choice over how their data is used.
The OAIC is now considering the implications of the decision. A period for appealing the Tribunal’s decision is currently in place.

