"Big brother" is watching, or so it seems. Increasingly, entities are adopting facial recognition technologies, including to bolster their security processes and to prevent theft. As we've already seen, there are legal risks and considerations associated with the use of facial recognition technologies and surveillance systems.
The collection of visual images and data about an individual through facial recognition technologies may comprise "personal information" and certain "sensitive information", as defined under section 6 of the Privacy Act 1988 (Cth), including biometric templates, biometric information and, in some situations, health information. Due to its nature, sensitive information is afforded a higher degree of protection under the Privacy Act.
While Australian law, including the existing regime under the Privacy Act, already regulates Commonwealth agencies' and some private sector organisations' uses of biometrics and facial recognition technologies, the Commonwealth Government's September 2023 response to the Privacy Act Review Report supports bolstered legislation and legal redress in this area. In summary, the Government Response reflects the Commonwealth's:
- In-principle agreement that the collection of biometric information for use in facial recognition technology should be an exception to the small business exemption under the Privacy Act so that all businesses, regardless of their annual turnover, would be required to comply with the Privacy Act in respect of the use of biometric information.
- In-principle agreement with the proposal to introduce a new statutory tort for serious invasions of privacy.
A serious invasion of privacy may occur in the context of the application and use of facial recognition technologies (for example, where personal information collected through facial recognition technology is misused or used in a discriminatory, oppressive or unauthorised manner). Subject to meeting certain prescribed thresholds, a statutory tort for serious invasions of privacy would enable individuals to seek legal redress through the courts for serious invasions of privacy without being limited by the existing provisions of the Privacy Act.
- Agreement that "further consideration should be given to enhanced risk assessment requirements in the context of facial recognition technology and other uses of biometric information and that this work should be coordinated with the Government’s ongoing work on Digital ID and the National Strategy for Identity Resilience".
This indicates that organisations using facial recognition technology and biometrics may eventually be required to complete privacy impact assessments and other risk-based assessments prior to the application and deployment of those technologies and other uses of biometric information on the basis that these are "high risk privacy activities".
Relevantly, the Privacy (Australian Government Agencies – Governance) APP Code 2017 already requires agencies subject to the Privacy Act to conduct privacy impact assessments for all "high privacy risk projects". Further, under section 33D of the Privacy Act, the Commissioner may direct an agency to give the Commissioner a privacy impact assessment where the Commissioner considers that an activity or function might have a significant impact on the privacy of individuals. The Government Response would, however, ensure more consistent requirements across the public and private sectors.
The Government Response appears to reflect a desire to address community concerns following the backlash in 2022 relating to the use of facial recognition technologies by some retailers.
While at present these reforms are still only on the table, the Government Response hints at how Australian privacy law could potentially develop in the future to regulate facial recognition technologies. It will be interesting to see where the reforms land and whether they are supplemented with additional standalone laws to regulate the development and deployment of facial recognition technologies, similar to the model laws proposed in the Human Technology Institute's report, Facial recognition technology: Towards a model law.
Regardless of whether the proposed reforms are implemented, we consider it prudent practice for all entities to assess the privacy impacts relating to the collection, handling and use of personal information via facial recognition technologies. Privacy impact assessments are an important tool and can help entities to identify and address potential privacy impacts and failures to comply with legislative obligations.