Australia’s Privacy Commissioner recently determined that Kmart Australia Limited’s (Kmart) use of facial recognition technology (FRT) in 28 stores between June 2020 and July 2022 unlawfully interfered with individuals’ privacy under the Privacy Act 1988 (Cth).[1] This is the second Privacy Commissioner determination in respect of the unlawful use of FRT by a Wesfarmers group member, the first involving Bunnings (see our November 2024 Insight on the Bunnings case[2]).
Background
The FRT was deployed to detect and prevent refund fraud and, in particular, to identify shoppers suspected of seeking refunds for products they had not purchased. FRT was used at two locations within each of the 28 stores to capture the biometric information of:
- all customers at store entries; and
- the subset of customers who visited the returns service desk located inside the stores.
Key Legal Issues – why was this unlawful?
Sensitive Information under APP 3
Kmart used FRT to collect biometric information (facial images and metadata) that constituted sensitive information within the meaning of the Privacy Act. This collection occurred for every individual entering relevant stores, regardless of suspicion of wrongdoing.
Sensitive information (such as biometric information) can only be collected with an individual’s consent unless an exception applies under APP 3.
Permitted General Situations (APP 3.4 and s 16A)
Rather than obtain consent from shoppers, Kmart relied on an exception in APP 3.4(b) (and s 16A of the Privacy Act) which would permit Kmart to collect the biometric data without consent where Kmart:
- reasonably suspects that unlawful activity (ie refund fraud) is being engaged in; and
- reasonably believes that the collection of biometric information is necessary to take appropriate action in respect of the refund fraud.
The OAIC rejected this argument, finding that the scope of collection was disproportionate and indiscriminate – the value of fraud prevented by the use of FRT was minimal compared to Kmart’s $9.2 billion annual revenue in the 2020 financial year.
The FRT practice extended beyond suspected wrongdoers, capturing the biometric data of all customers who entered the stores, which impacted the privacy of thousands who were not fraud suspects. Kmart could not have reasonably believed that the benefits of the FRT system outweighed the impacts on customer privacy.
There were practical and effective alternatives to the use of FRT, eg increasing the size of the Loss Prevention Team, using radio frequency identification tags on products, not permitting refunds for change-of-mind purchases without proof of purchase, and relocating the returns service desk to the front of stores.
Further, Kmart did not undertake a privacy impact assessment prior to introducing the FRT system, which may have indicated to Kmart that there were less invasive options to detect and reduce fraud.
Kmart also could not rely on implied consent through signage or policies, as valid consent must be voluntary, informed, current, and specific.
Notice and Transparency under APP 5
APP 5 requires entities to notify individuals of the collection of personal information at the time of, or before, the information is collected. Kmart’s signage (“This store has 24-hour CCTV coverage, which includes facial recognition technology”) and privacy policy were deemed inadequate. Notices were implemented late, inconsistently, and in some stores, not at all during significant periods.
Privacy Policy Deficiencies (APPs 1.3 and 1.4)
Kmart’s privacy policies omitted material information, including details of FRT use, the purposes of collection, and the entities to whom biometric data might be disclosed. This was a breach of APPs 1.3 and 1.4, which require clear and up-to-date statements about handling of personal information.
Determination and Remedies
The Commissioner declared Kmart had interfered with the privacy of individuals by contravening APPs 3.3, 5.1, 5.2, 1.3 and 1.4 and that Kmart must not repeat or continue the interference with privacy. The declarations also included that:
- Apology and Statement: Kmart must publish an apology and a detailed statement on its website (kmart.com.au) and in relevant stores, describing the nature and operation of the FRT system, the breaches, and avenues for complaints.
- Transparency Obligation: The statement must remain accessible online for 12 months.
- Retention and Deletion: Kmart must retain FRT-related personal information for 12 months (to allow for potential review) before destroying it, and confirm destruction to the OAIC.
No compensation was awarded to affected individuals.
Key Takeaways
- Biometric data is sensitive information: Use of FRT in public retail environments to collect biometric data will always involve the handling of sensitive information.
- Consent must be genuine: Implied or blanket consent through signage is inadequate. Entities must obtain explicit, informed consent or identify a narrow, lawful basis for collection.
- Limited scope for “permitted general situations”: Indiscriminate biometric surveillance of all customers in a retail setting will likely not be a “permitted general situation” (where consent is not required). Collection must be targeted, necessary, and proportionate.
- Transparency obligations are important: APP 5 requires clear, timely and accessible notices of collection. Delayed or generic notifications will breach APP 5. Privacy policies must adequately describe the circumstances in which FRT is deployed, the purposes of collection and any uses/disclosures.
- Corporate accountability: The Privacy Commissioner will order public apologies, disclosures, and deletion of unlawfully collected data, reinforcing the regulatory risks of deploying emerging surveillance technologies without rigorous privacy compliance.
Since the Privacy Act was amended in November 2024 (after Kmart’s conduct ceased), there is now a greater range of penalties for breaches of the Privacy Act, as well as a new statutory tort for serious invasions of privacy. Businesses must be cognisant of both when assessing and implementing new technology, including FRT, in their businesses.
[1] Commissioner-Initiated Investigation into Kmart Australia Limited (Privacy) [2025] AICmr 155 (26 August 2025), the Office of the Australian Information Commissioner (OAIC) https://classic.austlii.edu.au/au/cases/cth/AICmr/2025/155.html.
[2] The Commissioner’s determination in respect of Bunnings’ use of FRT is currently being reviewed by the Administrative Review Tribunal: https://www.oaic.gov.au/news/media-centre/18-kmarts-use-of-facial-recognition-to-tackle-refund-fraud-unlawful,-privacy-commissioner-finds