Facial recognition and privacy law in Australia: lessons from the Bunnings decision

This article is co-authored by Gus Dowdle, Law Graduate, Melbourne.

For the first time, an Australian tribunal has ruled on the legality of facial recognition technology and the collection and use of biometric information under the Privacy Act 1988 (Cth) (the Act). The case involved Australian hardware retailer Bunnings Group Ltd (Bunnings), known for its large warehouse-style stores and car park sausage sizzles.

The decision of the Administrative Review Tribunal (the Tribunal) in Bunnings Group Limited and Privacy Commissioner [2026] partially overturned an earlier determination made against Bunnings by the Office of the Australian Information Commissioner (OAIC). The Tribunal’s decision makes it clear that facial recognition technology can be implemented legally under the Act, provided that it is for an appropriate purpose and accompanied by adequate compliance measures. 

The OAIC determination

Between 2018 and 2021, Bunnings deployed facial recognition technology across 62 retail stores in Victoria and New South Wales. The system captured images of customers entering stores and compared them against a database of individuals known to Bunnings as having committed theft, violence and fraud. When a match was found, security staff would be deployed to address the situation. If a match was not found, the captured images would be deleted after an average of 4.17 milliseconds. 

In 2024, the OAIC investigated Bunnings’ use of the technology and determined that it had breached three Australian Privacy Principles (APPs). 

APP 1 - open and transparent management of personal information

The OAIC determined that Bunnings had:

  • Failed to include sufficient detail regarding the facial recognition technology in its publicly available privacy policy, as required by APP 1.3; and
  • Not implemented adequate practices, procedures and systems in relation to its use of facial recognition technology, as required by APP 1.2.

Bunnings’ publicly available privacy policy did not mention facial recognition technology. Bunnings argued that it was not reasonable or appropriate to include details of facial recognition in its privacy policy, as this would notify criminals about a security measure in its stores. The OAIC disagreed with this argument.

Bunnings submitted that it had prepared standards for the use of facial recognition technology; however, the OAIC held that these standards were not adequately implemented. The steps Bunnings had taken were limited to obtaining legal advice, the responsible manager delivering a presentation to senior management, and providing training to six staff members.

The OAIC noted that, given the sensitive nature of biometric data, Bunnings was required to have rigorous compliance systems in place, and in particular should have conducted a privacy impact assessment to identify and mitigate the risks associated with the facial recognition technology prior to implementing it. The OAIC also found Bunnings had not provided sufficient privacy training to its employees.

APP 3 - collection and consent

The OAIC determined that Bunnings had not collected customers’ biometric information in accordance with APP 3. APP 3 provides that an organisation must not collect sensitive information (which includes biometric information) unless the individual consents to that collection. Exceptions apply to APP 3, including a carve-out for the collection of sensitive information to prevent “unlawful activity” (one of the “permitted general situations” set out in section 16A of the Act).

Firstly, Bunnings argued that it did not “collect” customers’ biometric information, at least for non-matched individuals, because their information was only collected for 4.17 milliseconds before being deleted. The OAIC rejected this argument, confirming that even a brief or automated collection of personal information still constitutes a collection.

Secondly, Bunnings argued that it did not require customers’ consent to collection, because it could rely on an “unlawful activity” exception to APP 3. The exception allows the collection of sensitive information where:

  • The organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation’s functions or activities has been, is being or may be engaged in; and
  • The organisation reasonably believes that the collection, use or disclosure is necessary in order for the organisation to take appropriate action in relation to the matter.

Bunnings presented evidence that its stores and staff had been subjected to regular and repeated unlawful conduct, including violence, threatening behaviour, theft, and fraud. It also noted that the expensive and potentially dangerous nature of the products sold at Bunnings heightened the seriousness of these risks. It therefore argued that facial recognition technology was necessary in order for Bunnings to take appropriate action to prevent this conduct.

The OAIC held that this exception did not apply to Bunnings, on the basis that the facial recognition technology was not necessary in order for Bunnings to take appropriate action in relation to this conduct. The OAIC considered that the facial recognition technology adopted by Bunnings was highly intrusive, and its use was not proportionate to the risks faced by Bunnings. It pointed out that there were several less privacy-intrusive ways for Bunnings to prevent unlawful activity in its stores.

APP 5 - collection statement

The OAIC determined that Bunnings had failed to adequately notify individuals about the collection of their personal information, as required by APP 5.1. Although Bunnings had displayed several notices at entry points to the stores, the signage merely informed customers that the premises were subject to “video surveillance, which may include facial recognition”.

The OAIC held that this wording was insufficient and emphasised that organisations collecting sensitive information and conducting serious intrusions on privacy must clearly inform individuals about the collection of sensitive information, its purpose, and how their sensitive information will be used and disclosed.

The Commissioner ordered Bunnings to cease the conduct, delete the collected data, and issue a public statement about the matter. Bunnings appealed to the Tribunal.

The Appeal

The Tribunal upheld the OAIC’s determination that Bunnings had breached APP 1 and APP 5. However, it disagreed that Bunnings had breached APP 3 – specifically, it held that the “unlawful activity” exception relied on by Bunnings did apply in these circumstances.

The Tribunal agreed with the OAIC that Bunnings had collected customers’ sensitive information, and that it had not obtained consent from the customers for that collection.

However, the Tribunal adopted a different view of the “unlawful activity” exception. The Tribunal pointed out that the exception does not require that the collection of sensitive information was objectively necessary to take appropriate action to prevent the unlawful conduct. It merely required that the organisation reasonably believed that the collection was necessary. The Tribunal considered that the OAIC had placed undue emphasis on whether the use of facial recognition technology was objectively necessary, without sufficient regard to the reasonableness of Bunnings’ subjective beliefs.

The Tribunal accepted that Bunnings believed that the facial recognition technology was a necessary and appropriate measure to address the risks of unlawful activity in its stores and, importantly, agreed that this belief was reasonable in the circumstances. The Tribunal assessed reasonableness against the following three factors:

  • Suitability: whether the facial recognition technology was effective in responding to the risks.
  • Alternatives: whether less intrusive options were available. 
  • Proportionality: whether the use of the technology to mitigate the risks was justified by the benefits gained.

The Tribunal held that, whilst facial recognition technology had limitations, Bunnings’ “use of facial recognition technology in conjunction with the other security controls was effective and suitable to identify known offenders”. The Tribunal held that traditional security measures such as CCTV and guards were less effective alternatives. On proportionality, the Tribunal emphasised the seriousness of the risk, its impact on staff safety, the effectiveness of the technology, and the near-instant deletion of non-matched faces, in determining that Bunnings’ use of facial recognition was a proportionate response to the risks it faced.

Practical implications 

The Tribunal’s decision provides several key takeaways for businesses considering implementing facial recognition technology in Australia:

  1. Facial recognition technology will be considered to “collect” personal information and so be subject to data privacy laws, even if that collection is automated and brief.
  2. Unless an exception applies, the use of facial recognition technology requires consent of individuals.
  3. If using facial recognition technology to prevent or detect unlawful activity, the business must reasonably believe that the use of facial recognition technology is necessary and appropriate in all the circumstances for that purpose (taking into account the suitability and proportionality of the technology and the effectiveness of less-intrusive alternatives).
  4. The business must provide detailed notices to individuals regarding its use of facial recognition technology and collection of biometric information, and must also include information about its handling of that information in its publicly available privacy policy.
  5. The business must have rigorous compliance systems in place, must conduct a privacy impact assessment to identify and mitigate the risks associated with facial recognition technology prior to implementing it, and must conduct appropriate privacy training for its employees.
