Tribunal Partially Overturns Ruling on Bunnings Privacy Breach

Facial‑recognition technology has become a flashpoint for retailers seeking to curb shoplifting, yet its deployment collides with stringent privacy frameworks. In Australia, the Privacy Act and the Australian Privacy Principles (APPs) impose rigorous standards on the collection of biometric data, demanding prior impact assessments and clear customer consent. Bunnings’ multi‑store trial, which captured images from 2018 to 2021, sparked debate over whether the security benefits outweighed the intrusion into shoppers’ personal information, prompting a high‑profile investigation by the OAIC.

The Administrative Review Tribunal’s nuanced decision reflects a growing judicial willingness to balance legitimate security concerns against individual privacy rights. By affirming Bunnings’ reasonable belief that facial‑recognition was necessary to address violent retail crime, the tribunal exempted the company from a breach of APP 3.3, which governs biometric data collection. However, it reinforced that transparency obligations remain non‑negotiable, finding the retailer failed to adequately notify customers. This split outcome signals to businesses that even a well‑intentioned security program must be paired with robust governance, clear disclosures, and documented privacy impact assessments.

For the broader retail sector, the case serves as a cautionary tale and a roadmap for compliance. Companies eyeing AI‑driven surveillance must embed privacy by design, conduct thorough risk analyses, and communicate data practices in plain language. The OAIC’s ongoing review may further tighten the interpretive lens on what constitutes a “reasonable belief,” potentially narrowing exemptions for biometric technologies. Proactive steps—such as updating privacy policies, training staff, and establishing opt‑out mechanisms—will help retailers mitigate legal exposure while still leveraging advanced tools to protect assets and customers.