Balancing privacy and surveillance in commercial settings: Key takeaways from Bunnings & Privacy Commissioner [2026] ARTA 130
Published on March 23, 2026 by Selwyn Black and Chelsea O'Grady
The decision of the Administrative Review Tribunal (‘the Tribunal’) in Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130 (4 February 2026) marks a significant development in Australia’s evolving approach to the use of biometric surveillance in commercial settings.
This case considers when the collection of biometric information through the use of facial recognition technology (‘FRT’) may be justified under the Privacy Act 1988 (Cth) (‘the Act’), providing timely guidance for businesses grappling with how to address legitimate security concerns while remaining privacy-compliant.
A brief case summary
In a determination published in 2024, following a Commissioner-initiated investigation, the Australian Privacy Commissioner considered Bunnings’ use of in-store FRT.
The FRT system converted the facial image of every customer captured on CCTV into a biometric template, which was then compared against an internal database of individuals that Bunnings regarded as posing a security risk because of previous violent or criminal conduct. When a potential match was produced, the system alerted staff so that they could take appropriate preventative action.
From its investigation, the Privacy Commissioner determined that Bunnings’ use of FRT involved the non-consensual collection of ‘sensitive information’ in breach of APP 3.3.[1]
On review, the Tribunal instead found that the collection fell within a ‘permitted general situation’ under s 16A of the Act, meaning Bunnings’ use of the FRT system was compliant.
Key findings on biometric surveillance
- Facial recognition involves the collection of sensitive information.
The Tribunal found that the capture of facial images and their conversion into biometric templates through the FRT system constituted the collection of ‘sensitive information’ as defined by the Act.
On this issue, the Tribunal referred to the decision in Clearview AI Inc v Australian Information Commissioner [2023] AATA 1069, which found that an image of a person’s face will clearly constitute biometric information in particular contexts. The example given was that any smartphone user unlocking their phone is conscious that their identity can be verified simply by showing their face to a camera.
- There is no minimum threshold for collection.
When considering whether Bunnings’ FRT system involved the ‘collection’ of information, the Tribunal emphasised that there is no minimum threshold for collection. Even the briefest retention of facial images by Bunnings’ FRT system (accepted to be around 4 milliseconds) was sufficient to constitute ‘collection’ for the purposes of APP 3.3.
The relevant question is therefore whether the information is acquired and processed at all, not whether, or for how long, the system stores it.
- Statutory exceptions may apply in commercial settings where security and safety are legitimate interests – but this requires a case-by-case analysis.
The Tribunal’s decision clarified that even where an entity is collecting sensitive information, it may be justified in doing so if the collection falls within a ‘permitted general situation’ under s 16A of the Act. The situation relied on here arises where an entity has reason to suspect that unlawful activity, or misconduct of a serious nature, relating to its functions or activities has been, is being or may be engaged in, and it reasonably believes that the collection, use or disclosure of the sensitive information is necessary in order to take appropriate action in relation to that matter.[2]
In this case, Bunnings provided evidence of retail crime and abuse by repeat offenders in its stores, to the extent that the Tribunal was satisfied that Bunnings not only had reason to suspect, but knew, that unlawful activity was occurring, and that it reasonably believed the use of FRT was necessary to take appropriate action in response.
Importantly, however, the Tribunal confirmed that any such belief must be objectively reasonable in the circumstances. This requires an assessment of three key factors:
— suitability and effectiveness – In the Bunnings case, the Tribunal considered that the FRT system met the specific purpose of identifying known offenders and that this, in conjunction with other security controls, was effective in allowing Bunnings to monitor identified offenders so as to reduce the risk of those persons engaging in unlawful activity;
— availability of less privacy-intrusive alternatives – The Tribunal had regard to Bunnings’ particular security environment, which differs significantly from that of most other retailers given the size of its stores and their multiple entry and exit points, and concluded that no other security control could achieve the same function and outcome as FRT for the purpose of preventing serious incidents; and
— proportionality – Significant emphasis was placed on the technical safeguards embedded in Bunnings’ FRT system which were taken to sufficiently limit the impact on individuals’ privacy, with the Tribunal concluding that any such impact would not be disproportionate when weighed against the benefits of the FRT system.
- In-store privacy notices must explicitly notify individuals when, how, and why sensitive information will be collected through the use of FRT.
An entity that implements FRT must notify affected individuals in accordance with the requirements of APPs 5.1 and 5.2.
The Tribunal raised several issues with the in-store entry notices Bunnings used in this matter. It stated that customers must be expressly told that their sensitive information will be collected through an FRT system, and that this must be positively conveyed rather than left to be inferred. The notices should also clearly state the purpose for which the information is collected and the main consequences for the individual if it is not collected.
- FRT implementation requires careful consideration to ensure its use is privacy-compliant.
Given the highly intrusive nature of FRT, the Tribunal indicated that the standard required to discharge an entity’s obligations under APP 1.2 (taking reasonable steps to implement practices, procedures and systems that ensure compliance) is considerably higher than for less intrusive forms of collection.
Businesses considering FRT should carefully assess the privacy implications and risks of the technology before deployment and document those assessments rigorously. That assessment should be supported on an ongoing basis by transparent internal data management practices and notification measures, including a privacy policy that specifically addresses the nature of the data collected through FRT, so that the use remains fully APP-compliant.
What does this decision mean for businesses?
The Tribunal’s decision in this case provides both clarity and caution.
On one hand, it raises the bar for compliance by businesses who wish to implement FRT, having confirmed that such technology will almost always involve the collection of sensitive biometric information, even if that data is only held for a split second.
On the other hand, the Tribunal has accepted that the ‘permitted general situation’ provisions in s 16A can, in the right circumstances, apply in a retail security context. This may embolden businesses to consider similar biometric surveillance strategies, particularly where theft prevention and staff safety are legitimate interests, although each deployment will still turn on its own evidence and safeguards.
We observe that legal permissibility does not necessarily translate to public acceptance. The implementation of FRT also engages reputational and ethical considerations, and businesses that move ahead without carefully assessing broader community expectations may risk damaging consumer confidence, even if their practices are technically lawful.
Chelsea O’Grady and Selwyn Black advise in contracting, employment, not for profit and business matters.
[1] Commissioner Initiated Investigation into Bunnings Group Limited (Privacy) [2024] AICmr 230.
[2] Privacy Act s 16A, item 2.
This article was published on 23 March, 2026 by Carroll & O’Dea Lawyers and is based on the relevant state of the law (legislation, regulations and case law) at that date for the jurisdiction in which it is published. Please note this article does not constitute legal advice. If you ever need legal advice or want to discuss a legal problem, please contact us to see if we can help. You can reach us on 1800 901 874 or via the Contact us page on our website. (www.codea.com.au).