Facial recognition approval comes with compliance caveats

Published on the 11/02/2026 | Written by Heather Wright


AU win highlights governance and proportionality requirements…

Bunnings’ partial win in its appeal on the use of facial recognition technology (FRT) in Australian stores has highlighted expectations on how organisations prepare for deploying facial recognition and other high-risk technologies.

While the Administrative Review Tribunal of Australia accepted the retailer’s justification for biometric monitoring and accepted it met the threshold of necessity and proportionality in response to violence and repeat offending, it upheld findings that Bunnings failed to meet risk assessment, transparency, disclosure and governance standards.

Bunnings has said it will roll the technology out across its Australian stores over the next 18 months following the Tribunal’s decision, but legal experts are warning that the decision isn’t a green light for broad deployment of the technology by other organisations.

Bunnings found itself in strife over its use of FRT from late 2018 to late 2021 in up to 62 of its stores.

The Hitachi system used analysed real-time CCTV footage of customers entering stores, comparing their faces against a database comprising ‘hundreds’ of individuals deemed to ‘pose a risk to operations because of their violent or criminal conduct’. Matches triggered an alert to Bunnings’ staff. The images were deleted from the system once the matching process was complete; deletion occurred on average 4.17 milliseconds after footage entered the FRT system. The Tribunal decision shows the database was held on a hard drive in a central server at a Sydney Bunnings site, with changes copied to hard drives on local servers in each Bunnings store each night.

A public outcry ensued in 2022 when consumer advocacy group Choice revealed that Bunnings, along with companies including The Good Guys and Kmart, was using the technology in its stores in Victoria and New South Wales.

In 2024, Australia’s Privacy Commissioner, Carly Kind, determined that Bunnings had breached the Privacy Act through its scanning of hundreds of thousands of customers’ faces without proper consent.

The Tribunal, however, has partially overturned that decision, finding that FRT use fell within a ‘permitted general situation’ allowing collection without consent where it is necessary to prevent or lessen serious threats to life, health or safety and where obtaining consent is impractical.

Cautious path forward

Cameron Abbott, partner, PGC – Technology Sourcing and Privacy at K&L Gates, told iStart that while the decision ‘illustrates FRT will be permitted in the appropriate circumstances’, those circumstances may be tightly confined to settings like Bunnings’, where the easy accessibility of dangerous weapons such as axes on the store’s shelves and repeat offending elevated the threat profile.

“These circumstances may not apply as easily to other retailers,” Abbott says.

Kmart’s appeal against a similar Privacy Commissioner determination is still outstanding.

Lyn Nicholson, Holding Redlich general counsel, says the ruling does not impose a blanket prohibition on the use of the technology, but that lawful deployment ‘depends on a reasonable suspicion of unlawful activity and a proportionate response to that risk’.

The ruling provides further guidance on how proportionality is assessed under the Privacy Act with the Tribunal assessing it by reference to the seriousness of harm being addressed, the limited purpose for which the technology was deployed and the extent to which privacy impacts were mitigated through system design.

“The Tribunal placed weight on safeguards such as the immediate deletion of non-matching images and the absence of broader tracking or identification of customers,” Nicholson says.

The Tribunal noted the advanced technology in the FRT system limited the impact on privacy, so as not to be disproportionate when considered against the benefits of providing a safer environment for staff and customers.

But the Tribunal also found that Bunnings didn’t comply with obligations around notification and management of personal information, saying if personal information is to be collected by FRT, organisations must take reasonable steps to provide notification of the collection and to implement appropriate practices, procedures and systems – highlighting that governance failures carry significant compliance risk.

“The decision reinforces that a lawful basis to collect information does not remove other obligations under the Australian Privacy Principles,” Nicholson says.

The Tribunal noted the failure to conduct a formal, structured and documented risk assessment which considered privacy implications, saying that instead, the steps taken by Bunnings amounted to random enquiries and actions which did not amount to an implementation of practices, procedures and systems that would have ensured compliance with the Australian Privacy Principles.

The Office of the Australian Information Commissioner says the decision underscores the importance of APP entities maintaining good privacy governance and complying with the Australian Privacy Principles in adopting new tech and that limited exemptions are subject to robust criteria that must be assessed on a case-by-case basis.

“We particularly welcome that the decision reaffirmed a range of key interpretive positions taken by the OAIC, including that even momentary collection of personal information by advanced digital tools constitutes a collection under the Privacy Act,” an OAIC spokesperson says.

Abbott echoes the point, saying the Tribunal’s findings don’t reflect new understandings of the law.

“Before implementing high-risk privacy activities, all businesses must ensure their collection notices and privacy policies adequately disclose the collection and use taking place.”

He adds that a shortfall was the failure to have, at a minimum, a formal, structured and documented risk assessment of the FRT system from the outset, which included consideration of privacy implications and would have highlighted steps to mitigate privacy risks.

Adds Nicholson: “The ruling illustrates that organisations seeking to rely on exceptions under the Privacy Act must be able to substantiate the risk, demonstrate why biometric collection is warranted and ensure that privacy policies and customer notifications accurately reflect how the technology operates.”

The Kiwi FRT path

Across the Tasman, regulators have taken a similarly cautious stance.

A New Zealand Privacy Commissioner determination last May found that, when used responsibly, FRT can be managed in a responsible way, with privacy safeguards reducing intrusion to an acceptable level and complying with the Privacy Act.

That finding followed a seven-month trial by Foodstuffs North Island which found the technology could reduce harmful incidents and improve safety for team members and customers while still respecting customer privacy.

Bunnings, along with a number of other New Zealand companies, quickly signed up to support FRT in their stores following the Privacy Commissioner’s determination. The company, which has previously said it hasn’t used the technology in New Zealand, has been ‘undertaking an assessment’ of the technology in New Zealand following the New Zealand determination.

The Privacy Commissioner has developed a fact sheet with the nine areas it says businesses need to consider before deploying FRT to ensure it is done safely and effectively. Those areas include being specific about the problem you’re trying to solve with FRT, making sure it is serious enough to justify use of the technology, and making sure the technology will actually solve the issue. Also covered are setting up and maintaining a watchlist; installing and maintaining the FRT operating system, including doing due diligence on the provider; providing information to customers and access to correct information; handling alerts, including ensuring a human remains in the loop; decisions about whether and how to intervene; and security, managing compliance, and reviewing and monitoring the system.
