
Clifford Gouldson Lawyers


Surveillance Crackdown: Retailers Falling Foul of Privacy Concerns


Recent decisions show retailers should be cautious with how they use video surveillance of their customers.

In September this year, Australia’s Privacy Commissioner made a determination that Kmart Australia Limited had breached the privacy of Australians with its undisclosed use of Facial Recognition Technology (FRT). From June 2020 to July 2022, Kmart utilised FRT across nearly 30 locations in an effort to combat fraudulent returns. Following the Commissioner’s finding against Bunnings Group Limited for similar FRT usage in November last year, this decision may indicate a crackdown on privacy breaches in the retail sector.

Breach

Kmart was found to have contravened the Australian Privacy Principles (APP) in three main ways:

  1. using its FRT system to collect sensitive information from individuals without consent;
  2. failing to take reasonable steps to notify the individuals of its use of FRT; and
  3. failing to properly disclose the information collection practices in its privacy policies.

Factors

The Commissioner not only had to consider the conduct of Kmart in coming to its decision but also had to balance the interests of the individual customers, the company, and the public as a whole.

As Kmart’s FRT gathered and stored biometric data, the information being collected was not only personal but sensitive. Under the Privacy Act, sensitive personal information is protected more strictly than other personal information. So, the individual customers’ interests in this case had a lot of weight.

On the other hand, since Kmart was employing the FRT system to prevent return fraud, the Commissioner had to consider if its use of the technology was justified to protect its own interests as a business.

To compare these interests, the Commissioner considered the estimated value of fraudulent returns in proportion to Kmart’s profits as well as the breaches of privacy against fraudsters and innocent customers alike. The Commissioner concluded that the ends did not justify the means and found Kmart to be in breach of APP 1.3, 3.3 and 5.1.

It is important to note that this determination does not have the effect of outlawing FRT. The Commissioner stated in her determination that “customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies”. However, these considerations cannot excuse legitimate breaches of privacy.

Consequences

As a result of the Commissioner’s determination, Kmart will be required to release a public apology both digitally on its website and in physical form in its stores, which will be kept up for at least 30 days. Additionally, they will need to publish a statement on their website setting out, among other things:

  1. the fact that the determination was made against them;
  2. a detailed description of the FRT system and its use; and
  3. advice as to how to find out more information or complain.

This statement is required to be in a prominent place on the Kmart website for at least 30 days, and otherwise accessible for 12 months.

Takeaways

While high-profile cases like this aren’t likely to be repeated against the average business owner, this decision sets out some important principles.

As a business owner, your treatment of customers’ personal and sensitive information is extremely important and can have drastic consequences for your business. To uphold privacy principles, you must consider the kind of information you are permitted or required to collect, your treatment of this information, and the way this is reflected in your privacy policies. Additionally, when weighing up the protection of your customers’ information and your business’ interests, make sure you give privacy its proper weight.

This area of law can be difficult to navigate independently, even with the best intentions towards your customers’ interests. Our Intellectual Property + Technology Team is well equipped to advise you on your obligations under the APP and the Privacy Act 1988 and to help you develop strong and compliant processes for privacy protection. Please contact us to discuss if you have any concerns in this area.


For further information, contact Ben Gouldson, Director.

The assistance of Eve Gellatly, Legal Assistant, in researching this article is gratefully acknowledged.


Copyright © 2025 Clifford Gouldson Lawyers