Changeflow GovPing Data Protection Privacy Commissioner Statement on Bunnings Faci...
Priority review Guidance Amended Final

Privacy Commissioner Statement on Bunnings Facial Recognition Decision

Favicon for www.oaic.gov.au OAIC Media Centre
Published March 5th, 2026
Detected March 13th, 2026
Email

Summary

The Australian Privacy Commissioner has issued a statement regarding the Administrative Review Tribunal's decision on Bunnings' use of facial recognition technology. The statement clarifies that while the Tribunal allowed Bunnings to use the technology for specific crime prevention purposes, significant privacy safeguards and notification requirements remain crucial.

View original document View source feed page

What changed

The Australian Privacy Commissioner has issued a statement clarifying the application of privacy law to facial recognition technology (FRT), following a decision by the Administrative Review Tribunal concerning Bunnings' use of FRT in its stores. While the Tribunal permitted Bunnings to use FRT for combating serious retail crime and protecting staff and customers, it did not overturn original findings that Bunnings failed to provide adequate notification to customers, lacked appropriate policies, and that FRT safeguards apply even for short data collection periods. The Commissioner emphasized that this decision confirms a high bar for FRT deployment in Australia and requires detailed risk assessments.

Regulated entities, particularly retailers, should view this decision as a case study rather than a blanket approval for biometric technologies. The Privacy Commissioner will update existing guidance to reflect the Tribunal's decision, reinforcing the need for balancing privacy interests with public safety and lawful activity. Entities considering FRT must conduct thorough risk assessments and ensure compliance with notification and policy requirements under the Privacy Act.

What to do next

  1. Review the Administrative Review Tribunal's decision on Bunnings' facial recognition technology use.
  2. Update internal policies and procedures governing the collection and use of biometric data, including facial recognition.
  3. Conduct detailed risk assessments specific to the circumstances before deploying any facial recognition technology.

Source document (simplified)

Privacy Commissioner statement on Administrative Review Tribunal’s Bunnings decision

Listen Published:

05 March 2026

3 min read In 2024, I issued a decision that sought to clarify the safeguards applicable to facial recognition technology. Bunnings had been using facial recognition technology for a number of years, across more than 60 stores, in an attempt to tackle serious crime and theft by repeat offenders. I concluded that they had not done so in accordance with the requirements of the Privacy Act. Facial recognition technology is a highly privacy-invasive tool, allowing for the unique identification of individuals in public and semi-public spaces, potentially without their knowledge, and must meet a high bar to be considered lawful under the Privacy Act.

Recently, the Administrative Review Tribunal’s Guidance and Appeals Panel provided further guidance in this important matter. I have not filed an appeal of this decision.

In relation to Bunnings’ deployment of FRT, the Tribunal pointed to the fact that Bunnings faces a serious problem with violence and theft being committed by repeat offenders, that Bunnings encounters unique threats because of the size and layout of its stores, and that “many of the products on sale at a Bunnings store can be used as a weapon, such as an axe, a screwdriver or a drill.” The Tribunal highlighted the data security and minimisation protections in place and concluded that although the use of facial recognition “involves a significant intrusion into the privacy of individuals… Bunnings was entitled to use FRT for the limited purpose of combatting very significant retail crime and protecting their staff and customers from violence, abuse and intimidation within its stores.”

Beyond the question of necessity and proportionality, the Tribunal did not disturb the original findings that Bunnings’ use of the technology was not properly notified to Bunnings customers, that there weren’t appropriate policies and procedures in place to govern its use, and that the Privacy Act’s safeguards apply in the context of biometric technologies, even those that only collect and keep personal data for mere milliseconds.

For some time, Australian retailers have expressed a desire and need to deploy facial recognition technology in their respective entities, and have demanded greater certainty about how the Privacy Act applies to this emerging technology. The Tribunal’s decision shows that Australian privacy law allows for the balancing of competing interests – the individual and public interests in privacy, on the one hand, and the need to protect public safety and address unlawful activity on the other.

Specific updates to existing guidance will be made to reflect the Tribunal’s decision and ensure that retailers have up-to-date information about our regulatory application of the law. Those updates will also emphasise that the decision in Bunnings confirms a high bar for the use of facial recognition technology in Australia, and that entities will need to conduct a detailed risk assessment specific to their circumstances before deploying the technology. Retailers should view the decision as a useful case study, rather than a green light for deployment of biometric technologies.

Did you find this helpful?

Yes

No Share Facebook Twitter Linkedin

Related changes

Favicon for www.gov.uk Humanitarian Assistance Exception Notification for Petroleum Products
Priority review Mar 13, 2026 OFSI All Publications Trade & Export
Favicon for www.apra.gov.au APRA Releases Quarterly ADI Statistics for December 2025
Routine Mar 13, 2026 news-and-publications Government
Favicon for www.apra.gov.au APRA Statement on Gender Pay Gap
Routine Mar 13, 2026 news-and-publications Government
Favicon for www.priv.gc.ca Privacy Commissioner concludes Loblaw loyalty program investigation
Priority review Mar 13, 2026 Canada OPC News & Actions Government
Favicon for www.priv.gc.ca Global Data Protection Authorities Statement on AI Imagery Privacy
Priority review Mar 13, 2026 Canada OPC News & Actions Government
Favicon for www.priv.gc.ca Privacy Commissioner Recommends Bill C-4 Amendments for Political Party Privacy
Priority review Mar 13, 2026 Canada OPC News & Actions Government

Source

Favicon for www.oaic.gov.au
OAIC Media Centre oaic.gov.au/newsroom
Data Protection
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various
Published
March 5th, 2026
Instrument
Guidance
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Retailers Manufacturers
Geographic scope
National (Australia)

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
Consumer Protection Retail

Browse Categories

Federal Courts 26 State Courts 91 Securities Regulation 6 Financial Regulation 43 Consumer Protection 5 Drug Safety 45 Data Protection 21 Competition 2 Attorneys General 3 Insurance Regulation 5 Trade & Export 36 Legislation 42 Energy Regulation 13 Environment 3 Labor & Employment 2 Tax 1

Get Data Protection alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when OAIC Media Centre publishes new changes.

Free. Unsubscribe anytime.