The Administrative Review Tribunal this week reversed a 2024 ruling by Australian privacy commissioner Carly Kind that found the hardware giant had breached the privacy of store visitors by scanning and checking their faces.

“A permitted general situation existed in relation to the collection of information by Bunnings,” the tribunal’s guidance and appeals panel found.

That came after Bunnings captured images of the faces of every person who entered 63 of its stores in Victoria and NSW between November 2018 and 2021.

Hundreds of thousands of customers had their faces scanned and checked against images of people who had been banned from Bunnings outlets. If there was no match, the image was deleted.

The chain vowed to fight the ruling – and push for a change to Australia’s privacy laws – citing an explosion in shoplifting and violence against its staff. It also released a video compilation of staff being attacked in its stores to illustrate the threats faced by retail workers.

In a submission to a Productivity Commission review, managing director Mike Schneider said facial recognition technology could be used safely, responsibly and ethically.

You might like

News

New funding keeps Toowoomba flower festival in bloom

News

Big fall in spending eases Reserve Bank inflation fears

On Wednesday, Schneider welcomed the ART decision.

You might like

News

New funding keeps Toowoomba flower festival in bloom

News

Big fall in spending eases Reserve Bank inflation fears

“The safety of our team, customers and suppliers has always been our highest priority. Our intent in trialling this technology was to help protect people from violence, abuse, serious criminal conduct and organised retail crime,” he said.

“The tribunal recognised the need for practical, common-sense steps to keep people safe. It also identified areas where we didn’t get everything right, including around signage, customer information, processes and our privacy policy, and we accept that feedback.”

The ART found Bunnings had failed to properly notify customers of the facial scanning. It put up posters and entry notices advising of the technology, but the tribunal found that did not meet the retailer’s obligations to notify visitors about the collection of personal information.

It also found that the technology sometimes generated false positives, although those were manually reviewed by staff and discarded.

The tribunal also heard from two Bunnings managers about violence in their stores.

“This kind of threatening or abusive behaviour occurred every two to three days on average, and caused team members to be visibly shaken and upset,” the ART said of evidence from Shawn Adams, who manages the Box Hill store in Melbourne.

“He was, on a daily basis, extremely concerned for his team members and customers.”

Bunnings told the tribunal that at least 66 per cent of theft loss across its stores each financial year was committed by just 10 per cent of offenders.

“Every day we work hard to earn the trust of our team, customers and suppliers,” Schneider said.

“Keeping people safe in and around our stores is a responsibility we take very seriously, and we remain committed to engaging constructively on how safety and privacy are balanced in the future.”

The OAIC said it would carefully consider the decision.

“Today’s decision confirms the Privacy Act contains strong protections for individual privacy that are applicable in the context of emerging technologies,” a spokesperson for the Office of the Australian Information Commissioner said.

“Limited exemptions are subject to robust criteria that must be assessed on a case-by-case basis.

“The Australian community continues to care deeply about their privacy, and is increasingly worried about the challenges in protecting their personal information.”

The office has not ruled out appealing the decision.