Kmart's use of facial recognition tech was unlawful: OAIC
Make us a preferred source
Make us a preferred source on Google
The news: Wesfarmers-owned Kmart breached the privacy of Australians through its collection of personal and sensitive information using a facial recognition technology system aimed at tackling fraud, according to Australia’s privacy watchdog.
The context: The determination follows an investigation launched by the Office of the Australian Information Commissioner in July 2022.
Between June 2020 and July 2022, Kmart deployed facial recognition technology at 28 of its retail stores to “capture the faces of every person who entered” and at returns counters to help tackle returns fraud, but did not notify shoppers or seek consent to collect the information.
Kmart had argued that an exemption from obtaining consent applied under the Privacy Act that they reasonably believed the collection of the biometric data – classified as sensitive personal information under the act – was needed to tackle unlawful activity or serious misconduct.
However, privacy commissioner Carly Kind determined that the facial recognition technology system was applied indiscriminately, there were less privacy intrusive means of addressing refund fraud, the system deployed was of “limited utility” and the impact on the “many thousands of individuals not suspected of refund fraud” was a disproportionate interference with privacy.
This is the second determination made by Kind on the use of facial recognition technology following a similar determination in October 2024 against Bunnings, which is also owned by Wesfarmers. The decision is under review by the Administrative Review Tribunal.
What they said: “I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind said.
Kind also flagged that the Kmart and Bunnings decisions do not impose a ban on the use of facial recognition technology, but flagged that “human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted”.
"Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act."
The source: OAIC media release
