Bunnings Facial Recognition Ban Overturned: Tribunal Approves Crime-Fighting Tech

In a significant legal reversal, the Australian Administrative Review Tribunal has overturned a 2024 ruling by the privacy commissioner, granting hardware giant Bunnings permission to utilise facial recognition technology on customers. The decision comes after a contentious appeal process that highlighted the balance between privacy concerns and public safety in retail environments.

From Privacy Breach to Public Safety Priority

The original 2024 ruling had found Bunnings in breach of privacy regulations for scanning and checking the faces of store visitors without adequate justification. However, this week's tribunal decision has shifted the focus towards the technology's role in preventing serious criminal activity and protecting individuals from harm.

The tribunal determined that Bunnings was entitled to deploy facial recognition "for the limited purpose of combatting very significant retail crime and protecting their staff and customers from violence, abuse and intimidation within its stores."

Extent of Implementation and Technical Details

Between January 2019 and November 2021, Bunnings implemented facial recognition systems across 62 stores in New South Wales and Victoria, following an initial two-month trial in 2018. During this period, hundreds of thousands of customers had their facial images scanned and compared against a database of individuals banned from Bunnings premises.

The system operated on a strict protocol: if no match was found with banned individuals, the captured image was immediately deleted. This process was designed to minimise privacy intrusion while maintaining security effectiveness.

Evidence of Retail Violence and Criminal Patterns

The tribunal heard compelling testimony from store managers about the regular occurrence of threatening and abusive behaviour in their locations. Shawn Adam, manager of the Box Hill store, reported that such incidents occurred "every two to three days on average" and left team members visibly shaken and distressed.

Alexander MacDonald, Bunnings' national security manager, provided further context, stating that investigations into thefts and violent incidents frequently identified repeat offenders and organised retail criminals. The company's analysis revealed that approximately 66% of annual theft losses could be attributed to just 10% of offenders.

Addressing Technical Limitations and Bias Concerns

While acknowledging that the facial recognition system occasionally generated false positives, the tribunal noted that these instances were manually reviewed by staff and subsequently discarded. Regarding concerns about racial bias in facial recognition technology, MacDonald testified that Bunnings' specific system had not demonstrated any discriminatory patterns, despite awareness of broader industry studies highlighting such risks.

Notification Shortcomings and Future Compliance

The tribunal did identify one area where Bunnings fell short of its obligations: customer notification. Posters and entry notices displayed in stores were deemed insufficient for properly informing visitors about the collection of their personal information through facial scanning.

Mike Schneider, Bunnings' managing director, welcomed the overall ruling while acknowledging the need for improved signage. "The safety of our team, customers and suppliers has always been our highest priority," he stated, emphasising that the technology's purpose was to protect people from violence and organised retail crime.

Regulatory Implications and Potential Appeals

A spokesperson for the Office of the Australian Information Commissioner noted that the decision reinforces the Privacy Act's strong protections for individual privacy, while recognising that limited exemptions must be assessed on a case-by-case basis. The OAIC has not ruled out appealing the tribunal's decision and is currently considering its implications for future privacy enforcement.

This ruling establishes an important precedent for how Australian businesses can balance technological security measures with privacy obligations, particularly in environments where staff and customer safety are at significant risk.