Kmart Breached Privacy with Facial Recognition Technology.
Kmart Australia has been found in breach of the Privacy Act following an investigation by Privacy Commissioner Carly Kind into its use of facial recognition technology (FRT) between June 2020 and July 2022.
The commissioner determined that the company collected personal and sensitive biometric information from every individual entering 28 of its stores, as well as those attending returns counters, without notifying customers or obtaining their consent. The data was collected using FRT deployed as part of an initiative to address refund fraud.
Kmart had argued that consent was not required due to an exemption in the Privacy Act that permits collection of personal information where there is a reasonable belief that it is necessary to prevent unlawful activity or serious misconduct. However, the commissioner found the exemption was not applicable in this instance.
In her findings, the commissioner said the collection of sensitive data was indiscriminate, alternatives were available that would have intruded less on individual privacy, and the FRT system was of limited effectiveness in addressing the stated objective.
“Understanding how FRT accords with the protections contained in the Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other. Relevant to a technology like facial recognition, is also the public interest in protecting privacy,” said Kind.
The determination considered the scale of potential refund fraud in relation to Kmart’s overall operations and profitability, as well as the extent of the privacy impact caused by collecting the biometric information of every person entering the stores.
“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind said.
This is the second published determination from the Office of the Australian Information Commissioner concerning the use of facial recognition in a retail setting. In October 2024, the OAIC found Bunnings Group Limited had similarly contravened the Privacy Act by using facial recognition across 62 stores. That decision is currently under review by the Administrative Review Tribunal.
“These 2 decisions do not impose a ban on the use of FRT,” Kind said. “The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”
The OAIC encourages organisations deploying facial recognition or similar emerging technologies to consider proportionality, transparency, discrimination risks, and governance of sensitive data. The Privacy Act remains technology-neutral and requires compliance regardless of the systems in use. Further guidance is available from the OAIC’s published materials on assessing privacy risks with FRT.
Although the outcomes of the Kmart and Bunnings investigations were similar, the cases involved different applications of the technology and were assessed on individual merits. The ruling against Bunnings is currently under review in the Administrative Review Tribunal, and it’s understood that Kmart may appeal the Office of the Australian Information Commissioner’s decision.
Kmart ceased use of the FRT system at the beginning of the OAIC investigation in July 2022 and cooperated with the inquiry throughout.













