Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This past week, Australia's privacy ecosystem saw a fascinating example of the regulatory regime in action and operating as intended for the benefit of all key stakeholders — one could argue at least. It's reasonable to suggest that both parties to the Administrative Review Tribunal's consideration of Bunnings Group's use of facial recognition technology and a previous finding by the Office of the Privacy Commissioner would feel vindicated and somewhat victorious. However, it also seems there are lessons for both the business community and regulator to take away and consider.

Following an investigation into the use of facial recognition technology in a small trial group of Bunnings retail stores over a three- to four-year period, the privacy commissioner had contended that Bunnings contravened several sections of the Australia Privacy Act — namely Australian Privacy Principles 1.2, 1.3, 3.3 and 5.1.

Following a thorough examination of the case and arguments from both parties, the Tribunal agreed with the commissioner's determination regarding APPs 1.2, 1.3 and 5.1. However, it disagreed and set aside the determination with respect to APP 3.3, finding that Bunnings did not contravene this principle as there was a permitted general situation that allowed for the collection of information.

A key takeaway from the Tribunal's decision is the importance of organizations taking reasonable steps to implement practices, procedures and systems, and having an appropriate privacy policy in place that reflects current business practices. Also, part of the agreed facts of the review states that prior to and during the period of the facial recognition trial, Bunnings failed to undertake a formal written privacy impact assessment or a formal written privacy threshold assessment.

While it's not my place to take a position on this case specifically, or policy positions in general, I do find it instructive and educational to consider and debate these types of rulings with my IAPP community and colleagues. Privacy practitioners are doing the hard work organizations require to uplift the privacy maturity of their programs and to educate the business on the importance of a robust and fully resourced data protection and management regime.

I hope the rest of us are able to use this case study as a way to elevate the privacy discussion within our own organizations, to highlight the lessons and risks that are apparent when circumstances arise, and to ultimately position businesses for success by honoring the trust of customers when sharing their sensitive information.

Adam Ford is the managing director, Australia, New Zealand, for the IAPP. 

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.