Letter to OAIC: EFA Wants Answers on Facial Recognition Investigation

Electronic Frontiers Australia has submitted a letter to the Office of the Australian Information Commissioner (OAIC) demanding answers on their facial recognition investigation. A Reddit user has revealed that Bunnings has quietly restarted scanning patrons and even introduced number plate scanning

RE: Australian Retailers Using Facial Recognition

Dear Commissioner,

We write to inquire about the progress of the OAIC’s investigation into the use of facial recognition technology by Bunnings Group Limited and Kmart Australia Limited, which commenced over a year ago. You will recall that we provided the OAIC with a complaint at the time, on 22 June 2022, co-signed by Digital Rights Watch and the Australian Privacy Foundation.

Our members have alerted us to the below signage that they observed at a new Bunnings store in Preston, Victoria.

We are concerned that this indicates that Bunnings intends to proceed with the use of facial surveillance at its stores despite the OAIC’s findings in the 7-Eleven stores case, its investigation into Clearview and its investigation into the use of Clearview by the AFP.

In the absence of a concluded investigation by OAIC, it is unclear if Bunnings has proceeded with the tacit or explicit approval of your office. Our members seek clarity of the OAIC’s position on Bunnings’ proposed use of facial surveillance and how it is compatible with the Privacy Act, particularly given the precedent set by the 7-Eleven stores case.

Figure 1: Signage at a Bunnings store in Preston, Victoria noting that facial recognition technology may be used.

We are further concerned by the length of time taken thus far for the OAIC to investigate this matter. Justice delayed is justice denied.

We note that the Royal Commission into Robodebt commenced, held numerous public hearings, processed many thousands of documents of evidence, and produced a three volume report in less time than the OAIC’s investigation into Bunnings use of facial recognition thus far. We further note the Commissioner’s comments in their report on Robodebt regarding the time taken for the OAIC to decide to act, and the time taken to investigate and report after it eventually decided to act. For example, on page 620, “In December 2017 the OAIC commenced an assessment of DHS’s management of the Scheme (the DHS Assessment). It should be noted that the assessment commenced more than five months after field work was originally scheduled to begin, and more than two and a half years after the Scheme commenced.

We also seek to understand the OAIC’s position on the precedent-setting value of its determinations. Earlier this month, Choice reported that major Australian stadiums are using facial recognition. We reiterate our position that the use of facial surveillance in circumstances such as these is neither necessary nor proportionate to the claimed risk.

It appears that many organisations feel emboldened to proceed with what are, to us, clearly unlawful interferences with Australians’ privacy that go against even the most recent of the OAIC’s determinations. The harm to our collective privacy is growing faster than it appears the OAIC is able, or willing, to act.

We ask OAIC to confirm the status of its investigation into Bunnings and Kmart. We further ask what steps OAIC is taking to address what appears to be a wider and systemic abuse of privacy by organisations deploying facial surveillance technologies.

Yours sincerely,

Justin Warren
Chair
Electronic Frontiers Australia

(Image credit: Bunnings)