Snapshot

  • In November 2024, the Australian Privacy Commissioner found that Bunnings had breached privacy law by collecting individuals’ personal and sensitive information through a facial recognition technology system
  • The Bunnings ruling highlights the ethical challenges and regulatory scrutiny surrounding facial recognition technology (FRT)
  • Organisations must ground decisions in core principles of proportionality, societal norms and expectations, as well as data privacy, regardless of technological capabilities
  • Learning from past cases and international trends can guide businesses in navigating emerging regulatory landscapes
  • Balancing the value of data with the risks and costs of retaining it is essential for robust risk management

The recent ruling by the Australian Privacy Commissioner against Bunnings has thrust privacy concerns into the national spotlight. This case, which scrutinised the hardware giant’s use of facial recognition technology (FRT) in its stores, sheds light on the intersection of cutting-edge technology, privacy rights, and organisational risk management. Beyond the headlines, it provides critical insights into where we are today, where we might be heading, and how organisations can adopt emerging technologies responsibly.

The Commissioner’s findings highlighted the ethical challenges of FRT, ruling that its use was disproportionate and invasive, even if aimed at combating theft and aggression. Bunnings defended its position, citing the technology’s role in staff protection, but the decision underscores the need for businesses to carefully balance innovation with privacy and societal expectations.

A new era of risk management

Organisations are navigating uncharted territory when it comes to adopting emerging technologies. The Bunnings case exemplifies how businesses, regulators, and legislators are all learning in real time. Legislation, and its practical application to a new technology, lags behind that technology’s introduction; this lag creates the risk of inadvertently falling afoul of regulations regardless of the business’s intentions. To navigate situations without clear regulatory guidance, organisations need a proactive approach that grounds decisions in core principles, integrates forward-looking assessments, and incorporates scenario planning to balance innovation with compliance.

Importantly, technological capabilities cannot overshadow foundational principles around data privacy. Businesses must ensure their decisions around data usage are grounded in proportionality, societal norms, and ethics. Questions of “Can we do this?” must always be tempered with “Should we?” For example, while FRT can enhance security, its deployment must align with societal expectations of fairness and respect for individual privacy.

As the Privacy Commissioner noted, potential benefits like reducing crime must be weighed against the broader impacts on privacy rights and social values. Establishing and adhering to these core principles provides a compass for decision-making in uncertain regulatory and technological environments.

“Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression. However, just because a technology may be helpful or convenient, does not mean its use is justifiable.”
Carly Kind, Australian Privacy Commissioner

Learning from the past — while looking ahead

The Bunnings ruling isn’t an isolated decision. Similar cases, including earlier investigations into retailers, demonstrate that FRT and other data-intensive technologies are under increasing scrutiny. Organisations can use these precedents as guideposts. Understanding past regulatory decisions and developments in other jurisdictions can help businesses anticipate trends and inform their strategies. For example, changes in privacy legislation across Europe and North America have driven more robust data governance frameworks. Australian organisations should prepare for comparable regulatory shifts, particularly as global expectations around privacy evolve.

Looking ahead, the case also signals an Australian regulatory environment that is becoming more assertive. High-profile regulatory action, such as the civil penalty proceedings awaiting Medibank, indicates a stronger stance from regulators.

Risk and value: a balancing act

At the heart of decisions around technology adoption is an essential trade-off: the value of data versus the risks of holding and using it. Organisations must objectively assess not just the potential benefits of collecting data but also the costs and risks of managing and protecting it.

Biometric data, such as facial recognition profiles, represents a particularly sensitive category of information. Unlike other types of data, it is immutable: it cannot be changed, which leaves it permanently and highly vulnerable to misuse. As the Commissioner emphasised, this “forever vulnerability” demands heightened caution: “we can’t change our face”, Commissioner Kind said. Once created, this data is incredibly difficult, expensive, and problematic to destroy. Prudent risk management strategies need to account for the long-term implications of collecting such data, understanding that even if its use ceases, the responsibility for its secure management or destruction does not simply disappear. Every decision to collect sensitive data must therefore be accompanied by rigorous consideration of its lifecycle, storage, and eventual destruction.

Beyond reputational and legal risks, the financial cost of data breaches is likely to increase with the use of penalties such as revenue-based fines or fines expressed as a multiple of the financial benefits gained. Against this backdrop, there is a need to carefully evaluate whether the value of the data collected outweighs the potential risks and costs of storing it securely. This requires a mindset shift: from “more data equals more value” to “smart data equals manageable risk.”

In an era of rapid technological advancement and evolving regulations, staying ahead requires more than compliance. It demands foresight, adaptability, and a commitment to principles that extend beyond the immediate benefits of new technology. By embedding these practices, organisations can navigate the complexities of innovation while maintaining trust and integrity.
