Facial ecognition tool
Representational image. FRT captured images of people's faces from video sources like CCTV, creating a unique "faceprint" stored for the purpose of comparison with other faceprints. Pixabay

Hardware chain Bunnings Group's use of facial recognition technology, intended to scan customers upon entry and prevent theft, has breached the privacy of thousands, the Office of the Australian Information Commissioner (OAIC) has revealed.

It was found in 2022 that Bunnings, along with several other retailers, had been using facial recognition technology (FRT) in stores to scan the faces of every customer, comparing them against a database of banned individuals, The Guardian reported.

FRT captured images of people's faces from video sources like CCTV, creating a unique "faceprint" that was stored for the purpose of comparison with other faceprints. If the faceprint was not in the database, Bunnings' system would reportedly delete it just four milliseconds after the scan.

A sign stating that the facial recognition system was intended for loss prevention and store safety purposes was placed at the entrance of Bunnings' stores.

However, the OAIC found that the technology, deployed at 63 stores in Victoria and New South Wales between November 2018 and November 2021, collected sensitive information without consent and failed to notify customers that their data was being collected.

"Facial recognition technology may have been an efficient and cost-effective option available to Bunnings at the time in its well-intentioned efforts to address unlawful activity, which included incidents of violence and aggression," privacy commissioner Carly Kind said.

"However, just because a technology may be helpful or convenient does not mean its use is justifiable. In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals," she added.

According to Managing Director Mike Schneider, the company had hoped the commissioner would agree that its use of FRT balanced privacy concerns with the need to protect staff, customers, and suppliers from the growing threat of violent and organized crime by repeat offenders.

"The electronic data was never used for marketing purposes or to track customer behavior. Unless matched against a specific database of people known to, or banned from stores for abusive, violent behavior or criminal conduct, the electronic data of the vast majority of people was processed and deleted in 0.00417 seconds–less than the blink of an eye," Schneider pointed out.

Following the OAIC's report, Bunnings released a video compilation showing incidents where customers threatened staff with weapons and physically assaulted them. The company said the footage were from the stores across Australia and New Zealand, 9News reported.

The OAIC report publicly reprimanded the hardware giant and ordered not to repeat any practice that interfered with an individual's privacy.

"This decision should serve as a reminder to all organizations to proactively consider how the use of technology might impact privacy and to make sure privacy obligations are met," Kind said.

Schneider stated that Bunnings would seek a review of the OAIC's decision.