Today’s Article is brought to you by Empower your podcasting vision with a suite of creative solutions at your fingertips.
This piece is freely available to read. Become a paid subscriber today and help keep Mencari News financially afloat so that we can continue to pay our writers for their insight and expertise.
Privacy Commissioner Carly Kind ruled today that Kmart Australia Limited unlawfully collected biometric data from thousands of customers through facial recognition technology deployed across 28 stores over two years without notification or consent.
The determination found Kmart breached the Privacy Act by indiscriminately capturing faces of every person entering stores and approaching returns counters between June 2020 and July 2022 in an attempt to identify customers committing refund fraud.
"I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals' privacy," Kind stated in the official determination published today.
The ruling marks the second major retail privacy breach involving facial recognition technology, following an October 2024 decision against Bunnings Group Limited for similar violations across 62 stores nationwide.
System Captured All Store Visitors
Kmart's facial recognition technology system automatically captured the faces of every person entering the 28 stores and all individuals presenting at returns counters during the two-year operational period.
The retailer argued it was exempt from obtaining consent under Privacy Act provisions allowing collection of personal information to tackle unlawful activity or serious misconduct. However, Kind rejected this defense after comprehensive analysis.
"The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system," the determination found, noting alternative less privacy-intrusive methods were available to address refund fraud.
The Commissioner concluded the facial recognition deployment was "of limited utility" for preventing fraud while creating "disproportionate interference with privacy" affecting thousands of innocent customers not suspected of wrongdoing.
Truth matters. Quality journalism costs.
Your subscription to Mencari directly funds the investigative reporting our democracy needs. For less than a coffee per week, you enable our journalists to uncover stories that powerful interests would rather keep hidden. There is no corporate influence involved. No compromises. Just honest journalism when we need it most.
Not ready to be paid subscribe, but appreciate the newsletter ? Grab us a beer or snag the exclusive ad spot at the top of next week's newsletter.
Commissioner's Balancing Test
Kind's determination centered on whether Kmart met conditions for relying on the unlawful activity exemption, ultimately finding the retailer failed multiple requirements under the Privacy Act.
"Understanding how FRT accords with the protections contained in Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other," Kind explained.
Relevant factors in the Commissioner's analysis included the estimated value of fraudulent returns compared to Kmart's total operations and profits, the limited effectiveness of the facial recognition system, and extensive privacy impacts from collecting sensitive information from every store visitor.
The ruling highlighted that biometric information constitutes sensitive personal information deserving higher protections under Australian privacy law.
Broader Retail Industry Pattern
The Kmart determination follows closely behind the October 2024 ruling against Bunnings, which found similar privacy violations in the hardware retailer's use of facial recognition across 62 stores nationally.
Bunnings has appealed that decision to the Administrative Review Tribunal, with proceedings currently underway.
Kind noted significant differences between the two cases despite reaching similar conclusions about privacy breaches.
"Although the Privacy Commissioner reached a similar conclusion in the Kmart and Bunnings decisions, the cases differ considerably and focus on different uses of FRT," the determination stated.
Technology Not Banned
Despite the adverse findings, Kind emphasized the determinations do not impose blanket bans on facial recognition technology use by retailers.
"These two decisions do not impose a ban on the use of FRT. The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted," she stated.
The Commissioner acknowledged legitimate business reasons for deploying new technologies, including customer and staff safety concerns and fraud prevention efforts.
"Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act," Kind said.
Investigation Timeline
The Office of the Australian Information Commissioner launched its investigation into Kmart in July 2022, coinciding with the retailer's decision to cease operating the facial recognition system.
Kmart cooperated throughout the investigation process, according to the OAIC statement. The company had not responded to requests for comment about the determination.
The Privacy Commissioner's investigation focused specifically on Kmart's implementation and use of facial recognition technology during the two-year operational period.
Guidance for Future Deployment
The Commissioner's ruling provides instructive guidance for entities considering facial recognition and other emerging technologies in retail environments.
Privacy considerations should feature prominently in deployment decisions, according to OAIC guidance published alongside the determination.
The office has released comprehensive guidance titled "Facial recognition technology: a guide to assessing the privacy risks" to assist businesses evaluating such systems.
Key factors businesses should consider include proportionality, transparency, risk of bias and discrimination, and governance frameworks for collecting, using and retaining sensitive personal information.
"The Privacy Act is technology-neutral and does not proscribe the use of any particular technology," the determination noted, emphasizing compliance requirements apply regardless of technological sophistication.
Legal Framework Requirements
The Privacy Act provides specific protections for sensitive personal information, including biometric data collected through facial recognition systems.
Organizations must generally obtain consent before collecting such information unless specific exemptions apply under the legislation.
The unlawful activity exemption Kmart attempted to invoke requires demonstrating reasonable belief that collection is necessary to address fraud or misconduct, among other conditions.
Kind's determination establishes precedent for evaluating proportionality between business benefits and privacy impacts when assessing such exemption claims.
Industry Implications
The retail industry has not yet issued formal responses to the Kmart determination, though the ruling adds pressure on businesses using or considering facial recognition technology.
Legal experts suggest the consistent findings against major retailers demonstrate heightened regulatory scrutiny of biometric data collection practices.
The determinations may influence legislative discussions around strengthening privacy protections for emerging technologies.
Commissioner Kind published a separate blog post elaborating on takeaways for other retailers considering facial recognition technology deployment, providing practical guidance for balancing legitimate business interests with privacy compliance obligations.
The ruling reinforces requirements for businesses to conduct thorough privacy impact assessments before implementing biometric collection systems while ensuring transparency with customers about data collection practices.
Sustaining Mencari Requires Your Support
Independent journalism costs money. Help us continue delivering in-depth investigations and unfiltered commentary on the world's real stories. Your financial contribution enables thorough investigative work and thoughtful analysis, all supported by a dedicated community committed to accuracy and transparency.
Subscribe today to unlock our full archive of investigative reporting and fearless analysis. Subscribing to independent media outlets represents more than just information consumption—it embodies a commitment to factual reporting.
As well as knowing you’re keeping Mencari (Australia) alive, you’ll also get:
Get breaking news AS IT HAPPENS - Gain instant access to our real-time coverage and analysis when major stories break, keeping you ahead of the curve
Unlock our COMPLETE content library - Enjoy unlimited access to every newsletter, podcast episode, and exclusive archive—all seamlessly available in your favorite podcast apps.
Join the conversation that matters - Be part of our vibrant community with full commenting privileges on all content, directly supporting The Evening Post (Australia)
Catch up on some of Mencari’s recent stories:
It only takes a minute to help us investigate fearlessly and expose lies and wrongdoing to hold power accountable. Thanks!