Administrative Review Tribunal decision on Bunnings use of facial recognition technology

25/02/2026

ART

A recent Administrative Review Tribunal (ART) decision on Bunnings Group Limited’s (Bunnings) use of facial recognition technology (FRT) has overturned some of the Privacy Commissioner’s findings in relation to the contravention of the Australian Privacy Principles (APP).  

Departing from the Commissioner’s findings, the ART found that Bunnings lawfully collected the sensitive information of individuals entering its stores via FRT in accordance with APP 3.3 as the collection was in accordance with the permitted general situation set out in section 16A of the Privacy Act 1988 (the Privacy Act). 

The ART did, however, affirm that Bunnings had contravened APP 1 and APP 5, relating to open and transparent management of personal information and notification of the collection of personal information, respectively.  

Key findings 

The ART found that the totality of steps and considerations taken by Bunnings was enough to satisfy their reasonable belief that the implementation of FRT was necessary.  

This case provides useful guidance to entities about their obligations when collecting personal information under APP 3.3 and organisational steps and consideration entities should take if relying on an exception under APP 3.4.  

Takeaways 

APP 3.4(b) and section 16A of the Privacy Act authorises the collection of sensitive information about an individual where ‘a permitted general situation exists in relation to the collection of the information by the APP entity.’  

The ART took a less restrictive interpretation on section 16A and in particular when a reasonable belief should be formed by reference to suitabilityalternatives and proportionality. Interestingly: 

  • In relation to suitability, the ART stated that there were clear benefits to the FRT system in identifying matched people. The ART also emphasised the benefit to staff regarding their reported feelings of improved safety.  
  • In relation to alternatives, the ART acknowledged the security environment of Bunnings differed from other retailers, noting Bunnings has higher security risks to staff and customers. The ART accepted that other, less privacy-intrusive alternatives, were unable to achieve the same outcome as that of the FRT system.   
  • In relation to proportionality, the ART stated that robust security measures in terms of storage of the personal information and destruction within a matter of milliseconds was significant in mitigating against the privacy impact on individuals. Further, the potential misuse of personal information was significantly restricted as there was no way of retrieving deleted data.  

In considering the above, the ART was ultimately satisfied that Bunnings had a reasonable belief (even if that belief is contested as incorrect by others) that the use of the FRT system was necessary for the protection against actual, threatened or suspected violence or misconduct in store.  

In particular we have learned; 

  • a ‘relatively low bar’ is required to establish that ‘unlawful activity has been, is being or may be engaged in’. This can generally be established by evidence of past conduct  
  • a broad approach should not be given to unlawful activity and that it should be confined to the conduct that the entity had reason to suspect exists, which is ultimately a factual question 
  • reasonable consideration must be given to the suitability, alternatives and proportionality of technologies that deal with personal information 
  • even with an exception to APP 3.3, there is a requirement to display adequate notice of collection of personal information and this needs to be further reflected in the Privacy Policy.  

One factor that both the Privacy Commissioner and the ART noted was the clear absence of a Privacy Impact Assessment. Although this is not a strict requirement for private organisations under the Privacy Act, the ART noted it would have been reasonable in these circumstances to undertake one prior to the implementation of the FRT software. This assessment would also likely have identified the failures under APP 1.3 and APP 5.1.  

Our privacy team at GL is here to assist if you need a PIA for your next project, or any other privacy advice.  

For more detailed information, the ART’s decision is available here: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/ARTA/2026/130.html 

Contact Us

Related Articles

Parental Leave for Casual Employees

For casual employees the unpredictability of their employment can be a major source of stress as often casual employees miss out on many of the entitlements that full-time and part-time employees enjoy. For many, this concern is further exacerbated when they learn that they are about to become a parent. It should therefore be of …
Read more

Purchasing an Off-the-Plan Property

The interest in “off-the-plan” properties is ever increasing and is becoming more popular for buyers. An off-the-plan purchase is one where the Buyer enters into a contract to purchase a property that has not yet been constructed. Due to the prolonged settlement period for an off-the-plan purchase it is imperative for buyers and sellers to …
Read more