Privacy Commissioner Carly Kind has found that Kmart Australia Limited (Kmart) breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology (FRT) system designed to tackle refund fraud.
Between June 2020 and July 2022, Kmart deployed FRT to capture the faces of every person who entered 28 of its retail stores, and all individuals who presented at a returns counter, in an attempt to identify people committing refund fraud.
In a determination published today, the Privacy Commissioner found that Kmart did not notify shoppers or seek their consent to use FRT to collect their biometric information, which is sensitive personal information and enjoys higher protections under the Privacy Act.
The retailer argued that it was not required to obtain consent because of an exemption in the Privacy Act that applies when organisations reasonably believe that they need to collect personal information to tackle unlawful activity or serious misconduct. The Privacy Commissioner’s determination focused on assessing whether Kmart met the conditions for relying on the exemption, and concluded:
The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system.
There were other, less privacy-intrusive methods available to Kmart to address refund fraud.
Deploying the FRT system to prevent fraud was of limited utility.
Considering that the FRT system impacted on the privacy of many thousands of individuals not suspected of refund fraud, the collection of biometric information on Kmart customers was a disproportionate interference with privacy.
“Understanding how FRT accords with the protections contained in the Privacy Act requires me to balance the interests of individuals in having their privacy protected, on the one hand, and the interests of entities in carrying out their functions or activities, on the other. Relevant to a technology like facial recognition, is also the public interest in protecting privacy,” the Privacy Commissioner said.
Relevant factors considered by the Commissioner included the estimated value of fraudulent returns against the respondent’s total operations and profits, the limited effectiveness of the FRT system, and the extent of the privacy impacts in collecting the sensitive information of every individual who entered the relevant stores.