7-Eleven’s Photo Faux Pas: 3 key privacy compliance take-aways

The recent decision of the Office of the Australian Information Commission (OAIC) about privacy interferences by 7-Eleven Stores[1] has some important take-aways for Australian businesses.

The decision relates to the collection of facial images and faceprints by 7-Eleven stores through its customer feedback mechanism.  The OAIC found that 7-Eleven had:

  • Breached APP 3 by collecting sensitive information without consent, and where that information was not reasonably necessary for the respondent’s functions; and
  • Breached APP 5 by failing to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information.

In this blog post, we review the OAIC’s decision and discuss 3 key take-aways from that decision for Australian businesses.

What happened?

Between June 2020 and August 2021, 7-Eleven installed tablets with built-in cameras in 700 stores. These tablets were intended to capture survey responses from customers of 7-Eleven about their in-store experience.

1.6 million survey responses were recorded within the first 10 months.

It was later revealed that the in-built cameras were collecting facial images of customers engaging with the tablet. The camera would collect one image when a customer first engaged with the tablet and another after they completed the survey. These images were stored on the tablet for about twenty seconds following their capture, before being uploaded to a secure server hosted in Australia. Once uploaded to the server, these images were converted into a ‘faceprint’ to allow a matching software to flag responses likely to have come from the same customer. Inferred information about the responding customer’s age and gender were also recorded at this point.

Facial images were collected to detect customers who might be leaving multiple responses on the same tablet within a 20-hour period. If this occurred, these responses were excluded from the survey responses. Since inferences were being made about the gender and age of the responding customers too, 7-Eleven also received broad details about the demographic profile of customers who took the survey.

The original images of the customer were stored for 7 days, while the faceprints did not have a defined retention period.

The OAIC’s Findings

The OAIC found that 7-Eleven:

  • Collected sensitive information when it captured the facial images on the tablets.
  • Did not have either express or implied consent to collect the sensitive information.
  • Failed to establish that collecting its customers’ sensitive biometric information was ‘reasonably necessary’ for its business purposes. Notably, 7-Eleven failed to undertake a privacy impact assessment to analyse the impact of individual privacy and to consider that impact against the business purposes.

While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy.” – Commissioner Falk.

The OAIC’s Orders

No damages or compensation was awarded but orders were made which 7-Eleven must comply with.  Those orders included 7-Eleven had 90 days to:

  • destroy, or cause to be destroyed, all faceprints that it has collected through the customer feedback mechanism, and.
  • provide written confirmation to the OAIC when this had been done.

7-Eleven didn’t lose all the information collected, just the faceprints collected. So, not a complete bust.  But what can we learn from this determination?

Key Takeaways for Businesses Covered by the APPs

The following are 3 key takeaways from the OAIC’s decision:

 

Key Privacy Compliance Takeaway 1: Most uses of facial recognition will need consent

If your organisation implements facial recognition technologies, you will almost certainly require an individual’s consent.

Privacy Laws and Facial Recognition

The Privacy Act applies to biometrics that are used for identification. Specifically, the Privacy Act considers “biometric information that is to be used for the purpose of automated biometric verification or biometric identification” or “biometric templates” to be sensitive information.

Neither biometric information nor biometric templates are defined in the Privacy Act. But, Biometric information scanning refers to when an organisation or agency takes an electronic copy of your biometric information, including your:

  • Face
  • Fingerprints
  • Iris
  • Palm

It can also include your behavioural attributes, like gait, signature, or keystroke pattern.

While biometric templates were defined in the OAIC’s 7-Eleven decision to be:

“A ‘biometric template’ is a digital or mathematical representation of an individual’s biometric information that is created and stored when that information is ‘enrolled’ into a biometric system.”

The OAIC’s decision went on to state that “A facial image alone will generally be sufficient to establish a link back to a particular individual, as these types of images display identifying features unique to that individual…” and that they are therefore personal information that falls under the scope of the APPs.

As a result, organisations looking to introduce facial recognition technologies will (usually) require consent.

Woman resting her head on her palm looking away from her computer screen and at the camera having read a data breach notification

Photo by Andrea Piacquadio from Pexels

Defining Consent

Under the Privacy Act, consent can be express or implied. In any event, there are four key elements that must be present for consent to be established:

  • The individual must be adequately informed before giving consent.
  • The individual must give consent voluntarily.
  • The consent must be current and specific.
  • The individual must have the capacity to understand and communicate their consent.

The OAIC suggests in the 7-Eleven decision that APP entities ‘should generally seek express consent from an individual before handling the individual’s sensitive information, given the greater privacy impact this could have’.

Key Privacy Compliance Take-away 2: Don’t blame the service provider!

7-Eleven argued that the facial images were collected by tablets supplied by a third-party provider as an end-to-end solution and that it therefore didn’t collect facial images. It was suggested that because 7-Eleven didn’t have independent access to the facial images and since the images were stored on a server controlled by the third-party provider, 7-Eleven wasn’t ‘collecting’ facial images.

The OAIC disagreed.

Instead, the OAIC found that because the tablets were set up in the 7-Eleven stores at the request of 7-Eleven and used for 7-Eleven’s purposes, the blame was not and could not be shifted to third-party service provider exclusively.

It is clear that it will be hard to shift responsibility for data collection to a service provider. You and your third-party providers must comply with the Privacy Act.

 Key Privacy Compliance Take-away 3: The OAIC is making timely decisions

The interferences complained of occurred from 15 June 2020 to 24 August 2021. The OAIC’s original determination was issued on 29 September 2021 with an update issued on 12 October 2021. In other words, the determination was issued 1ess than 2 months from the time that of the activity complained of.

This is lightning speed compared to other determinations.  For example, the data breach the subject to the Uber determination occurred in 2016, with the OAIC’s determination being issued in 2021 (some 5 years later).

In other recent determinations:

  • A complaint made on 25 May 2018 against Amazon Australia Services Inc was decided on 30 August 2021.
  • A complaint made on 12 September 2018 against Comcare was decided on 29 June 2021.
  • A complaint made on 22 September 2019 was decided on 13 April 2021. The OAIC didn’t open an investigation into this complaint until 28 February 2019.

The speed with which this decision was handed down together with the increase in determinations made by the OAIC indicate perhaps a greater focus on making determinations as part of the OAIC’s exercise of its powers.  It might also suggest an increase in resources, supporting the ability to deliver a greater number of determinations in a more timely way.

For businesses, this is good news.  It looks like there might be a greater chance of a quick resolution of any OAIC investigations, as opposed to long drawn-out processes.  Not only does a lengthy investigation involve significant management time and potentially legal costs, they also serve to remind the community of incidents that businesses might have hoped were lost in the past.

Conclusion

So, three important take-aways for all Australian businesses:

  • Be careful whenever you are collecting anything which might be considered biometric information, including a photo;
  • You are responsible for your service provider so make sure your privacy assessments extend to third party solutions;
  • Prepare for faster investigations.

[1] Commissioner initiated investigation into 7- Eleven Stores Pty Ltd (Privacy) [2021] AICmr 50

November 2021