
OAIC Finds Kmart’s use of Facial Recognition Unlawful

In mid-September, the Office of the Australian Information Commissioner (OAIC) published a decision finding Kmart’s use of facial recognition for fraud detection unlawful. This finding may not seem surprising, given last year’s decision about facial recognition at Bunnings.

As the law stands, using facial recognition technology (FRT) is not unlawful in itself. These decisions make clear, however, that using it to fight crime in a retail setting comes with a very high barrier to entry. Here’s what you should know about what this decision means for FRT in Australian organisations. 

Background

The OAIC commenced an investigation into Kmart in July 2022 regarding its use of facial recognition technology. The FRT was deployed as a pilot program in 28 of Kmart’s retail stores between June 2020 and July 2022, ending in response to the investigation. 

The pilot program was intended to address refund fraud, which has been increasing across the globe in recent years and has emerged as a major business challenge. Refund fraud is when a customer exploits the returns process to obtain money or products they aren’t entitled to, often by returning stolen goods or by using an item for a short time before returning it. 

If you’re familiar with the Bunnings FRT decision, you may remember that the purpose behind the collection is slightly different here – since Bunnings used the FRT to try to address safety concerns and escalating violence against staff. 

Kmart’s FRT system captured images of individuals as they entered the store and again when they presented at the returns counter, and compared them to detect fraud. The collected images are sensitive information under the Privacy Act, because biometric templates (face vectors) were extracted from the facial images. 

The purpose of the collection and use was to detect fraud and to identify individuals who had previously engaged in refund fraud or theft. Kmart also noted that some of these individuals had become violent towards staff members or customers, so there is some overlap with the purposes outlined in the Bunnings decision. The information was not otherwise sold or used for marketing purposes. 

The Relevant Law

The Privacy Commissioner found that Kmart interfered with the privacy of individuals by breaching three of the Australian Privacy Principles (APPs):

APP 3 (Collection of Sensitive Information) 

Kmart collected the sensitive information (biometric information) of individuals without their consent. The Commissioner noted: 

“I am not satisfied that individuals who entered a relevant store during the relevant period consented to the collection of their sensitive information through the respondent’s use of the FRT system. There is no evidence before me that would indicate that consent was sought and obtained, and I am not satisfied that individuals could have been taken to impliedly consent by virtue of the respondent’s signage…”. 

The decision also finds that the ‘permitted general situation’ exception in APP 3.4 did not apply. 

This exception applies where ‘an entity has reason to (a) suspect that unlawful activity has been, is being or may be engaged in, and (b) it reasonably believes that the collection, use or disclosure of sensitive information is necessary in order for them to take appropriate action in relation to it.’ The Commissioner found that condition (b) was not met. 

APP 5 (Notice of Collection) 

The Commissioner found that Kmart failed to take reasonable steps to notify or otherwise ensure individuals were aware of the collection of their personal information via FRT and the relevant required matters (APP 5.2). The ‘notice’ was a sign at the entry point of the pilot program stores that said “This store has 24-hour CCTV coverage, which includes facial recognition technology.” 

The Commissioner found that this signage did not ensure customers were aware their personal information was being collected, stored, and used. The signage also did not state the purpose of the collection, point to the privacy policy, or make customers aware of the consequences of not consenting to the collection. 

APP 1 (Privacy Policy)

The Commissioner found that Kmart “failed to include in its privacy policies information about the kinds of personal information that it collected and held, and how it collected and held that personal information”, which is a breach of APP 1. 

Key Takeaway from the OAIC’s Findings Against Kmart

The Commissioner notes that the Bunnings and Kmart decisions do not mean that FRT is prohibited in general. However, it is now clear that retailers must meet a very high bar for FRT to be considered proportionate and necessary.

The Commissioner’s findings state that Kmart had less intrusive options available, such as training its team members to detect refund fraud. They also state that the FRT system indiscriminately collected biometric information from an estimated tens of thousands of customers, the vast majority of whom were not engaged in refund fraud. Notably, the findings also questioned the effectiveness of the FRT system for Kmart’s purpose, highlighting the low value of refund fraud actually detected in the analysis. 

Our Notes on the Key Takeaway

Our take is that any organisation considering FRT must carefully consider whether less intrusive options are available to solve the problem, even if those alternatives are less convenient or more expensive. At a minimum, organisations must complete a detailed privacy impact assessment before deploying any FRT system. It must set out a compelling rationale showing why the benefits of deploying the technology outweigh the significant privacy risks it poses. 

If you do decide to use FRT in your organisation, your privacy policy and notices must be crystal clear on how, why, and where the technology is deployed. This information must be clearly visible and easy to understand, and further detail should be easy to find. 

You must also carefully document your decision making, and the processes and policies implemented during the rollout of the technology and over its lifespan. The Commissioner criticised Kmart for being unable to clearly demonstrate when the updated signage noting the FRT use was installed at each location where it was deployed. Your documentation must be this granular if you elect to use FRT, and the cost of creating, maintaining and storing these records should form part of your cost/benefit analysis when deciding whether to deploy any FRT. 

Also worth noting is that neither Bunnings nor Kmart argued that consent had been obtained; both sought to rely on exceptions instead. This is likely because gathering meaningful consent for collection via FRT is logistically challenging. You can read more about the consent requirements for FRT in the OAIC’s guide to assessing the privacy risks of FRT. 

Other key privacy considerations from the findings

The OAIC also highlighted the following key privacy considerations for FRT: 

  • Businesses need to manage personal information in an open and transparent way. They also need to proactively provide individuals with sufficient information to allow them to provide meaningful consent to the collection of their biometric information. 
  • Businesses need to ensure biometric information used in facial recognition technology is accurate and take steps to address any risk of bias. 
  • Businesses need to have clear governance arrangements in place, including documented practices and procedures, to minimise privacy risks. These should be implemented in practice, clearly communicated and reviewed regularly.

If your organisation is considering deploying any FRT and needs help with the privacy impact assessment or privacy notices, reach out. Our privacy consultants regularly prepare these documents and are available to help. 

For insights like this in your inbox, join our newsletter community via the form below.

Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.