From cameras to compliance: OAIC's Kmart determination highlights facial recognition technology privacy risks
Kmart's use of facial recognition technology (FRT) has fallen foul of privacy laws. The Australian Privacy Commissioner's recent determination found that Kmart's use of FRT to detect and prevent fraud in some of its stores interfered with the privacy of individuals in breach of the Privacy Act 1988 (Cth). This builds on the Australian Information Commissioner's 2024 determination on Bunnings' use of FRT. These determinations make clear that the use of FRT must be legally justified, proportionate, and accompanied by strong safeguards.
Kmart’s use of FRT to tackle refund fraud
Between June 2020 and July 2022, Kmart deployed an FRT system in 28 of its stores in Australia which captured the faces of every person who entered those stores and presented at the returns counters. These images were then processed to generate biometric templates or “faceprints,” which were cross-referenced against a database of individuals suspected of engaging in fraudulent returns. We understand that if a match was identified, the FRT system would notify Kmart personnel, who would then be expected to undertake a manual review and decide whether to proceed with the refund.
Could Kmart rely on the "permitted general situation" exception?
The resulting images and maps of facial vectors were biometric information, and comprised sensitive information for the purposes of the Privacy Act. Kmart did not contest that it had not obtained consent to the collection of this sensitive information (as would usually be required by Australian Privacy Principle (APP) 3.3), but instead Kmart argued that it was entitled to rely on the “permitted general situation” exception under section 16A of the Privacy Act. The permitted general situation exception allows sensitive information to be collected without consent if the entity has reason to suspect unlawful activity or serious misconduct is occurring, and reasonably believes that collection is necessary to take appropriate action. Kmart contended that refund fraud constituted “unlawful activity” and that its FRT system was the only practical and effective means of preventing it. The company pointed to the scale of losses caused by fraudulent refunds and argued that the FRT was a proportionate response.
The Commissioner accepted that refund fraud could be characterised as unlawful activity and that Kmart had a genuine belief that action was necessary. However, the Commissioner rejected Kmart’s reliance on the permitted general situation exception for several reasons:
while internal investigations and refusing fraudulent refunds were appropriate actions, relying on biometric surveillance to underpin those actions was not justified and went beyond what the exception contemplates;
the FRT system was not legally “necessary” because less intrusive measures, such as requiring proof of purchase, redesigning store layouts, or enhancing staff training, were available but had not been adequately considered; and
capturing the biometric data of tens of thousands of innocent customers to address a relatively small number of fraudulent cases was disproportionate. As such, the risks of mass biometric surveillance, including misuse, discrimination, and erosion of privacy, outweighed the benefits.
What does this mean for Kmart?
The Commissioner found that Kmart interfered with the privacy of individuals by collecting sensitive information in circumstances where the individuals did not consent to the collection, contrary to APP 3.3, and by failing to take such steps as were reasonable in the circumstances to notify those individuals of, or otherwise ensure they were aware of, the relevant APP 5.2 matters, contrary to APP 5.1. The Commissioner also held that Kmart breached APP 1.3 by failing to include in its privacy policies information about the kinds of personal information that it collected and held, and how it collected and held that personal information, as required by APP 1.4(a) and APP 1.4(b).
Consequently, the Commissioner made a number of declarations. Kmart was directed to cease using the FRT in its existing form, publish a public statement and apology within 30 days of the publication of the Commissioner's determination, provide a clear statement about its practices on its website (noting that we can see that Kmart's privacy policy has since been updated to include some information regarding the use of FRT), and retain existing biometric data for 12 months for accountability purposes and then ensure its deletion.
Is a theme developing regarding the use of FRT in retail settings?
It certainly appears that way – the Kmart and Bunnings determinations provide clear guidance on identifying and considering compliance risks associated with the implementation of FRT. However, the Commissioner has been keen to stress that the determinations should not be read as blanket bans on all FRT, and that the Privacy Act is technology-neutral. Indeed, FRT may have a lawful role in certain contexts, such as in aviation security, law enforcement, or regulated industries. For instance, the use of FRT in a public transport hub may be treated differently to the deployment of FRT in a retail setting, because individuals’ expectations of privacy differ. Organisations will also be judged on whether they considered less intrusive alternatives, whether individuals had genuine choice, and whether the collection is targeted or indiscriminate. The Commissioner also reminded organisations that exceptions to consent requirements are subject to a high bar. Reliance on the “permitted general situation” exception in section 16A will require clear evidence that the technology is strictly necessary and proportionate, not merely helpful or convenient.
Key takeaways for business
These determinations highlight several compliance obligations for businesses considering the use of FRT or other high-risk surveillance tools:
because biometric data is treated as sensitive information under the Privacy Act, businesses must generally obtain express consent before collecting it unless a clear statutory exception applies;
transparency is essential. Under APP 5, individuals must be told clearly and in advance what personal information is being collected, why it is being collected, and how it will be used;
any justification for collecting such information must go beyond broad claims of efficiency or convenience. Organisations will need to show that the technology is genuinely necessary and proportionate, that less privacy-intrusive alternatives have been adequately explored and assessed, and, ideally, that this process is recorded in project planning documentation; and
the OAIC also expects businesses to conduct privacy impact assessments before introducing high-risk data practices.