Security, Privacy, and the Space Between

Over the past few years, a pattern has quietly emerged in Australia.

Different organisations. Different uses of facial recognition. Different operational justifications.

But the same core tension appearing again and again: the intersection between legitimate security objectives and the protection of individual privacy.

The recent Administrative Review Tribunal decision in the Bunnings matter has brought that tension back into the spotlight. But it is only one part of a broader series of cases that, taken together, reveal where the real fault lines sit.


The retail cases: Bunnings and Kmart

Both Bunnings and Kmart deployed facial recognition technology in selected stores as part of efforts to reduce theft, fraud, and violence against staff. In both matters, the Privacy Commissioner found that:

  • Highly sensitive biometric information had been collected
  • Customers were not properly informed
  • The use of the technology was disproportionate to the risks being addressed

The Commissioner concluded that these practices breached the Australian Privacy Principles.

However, in the Bunnings matter, the Administrative Review Tribunal later took a different view on a key issue. It found that Bunnings could rely on an exemption within the Privacy Act 1988 that allows personal information to be collected and used without consent in certain serious circumstances. Even so, the Tribunal still found issues with transparency and notice.

The contrast between the Commissioner’s findings and the Tribunal’s reasoning highlights how finely balanced these questions can be.


Earlier signals: the 7-Eleven case

This tension between operational benefits and privacy intrusion was visible even earlier.

In 2021, the Privacy Commissioner found that 7-Eleven had breached the Privacy Act by using in-store tablets that captured customers’ facial images and generated biometric “faceprints.” The system was designed to:

  • Detect duplicate survey responses
  • Gather demographic insights

From an operational perspective, the objective was relatively benign: improving customer feedback quality. But the Commissioner found that:

  • Customers were not adequately informed
  • Sensitive biometric information was collected unnecessarily
  • The collection was not reasonably required for the stated purpose

Here, the security or operational benefit was comparatively minor, while the privacy intrusion was significant. The balance fell clearly in favour of privacy.


The other end of the spectrum: Clearview AI

At the opposite extreme sits the Clearview AI determination.

Clearview built a massive facial recognition database by scraping images from across the internet, including social media platforms. The system was marketed primarily to law enforcement.

The Privacy Commissioner found that the company had:

  • Collected Australians’ biometric data without consent
  • Failed to take reasonable steps to notify individuals
  • Breached multiple provisions of the Privacy Act

Clearview was ordered to cease collecting the data and destroy what it held.

This case represents the outer boundary of the privacy problem: a system with immense identification capability, applied at scale, with no direct relationship between the individual and the organisation holding their biometric data.

In that context, the privacy intrusion was overwhelming, regardless of the security benefits claimed.


The legal hinge: section 16A of the Privacy Act

At the centre of the Bunnings decision is section 16A of the Privacy Act 1988 (Cth).

This provision sets out “permitted general situations” where organisations may collect, use, or disclose personal information without consent. These include circumstances such as:

  • Preventing or lessening a serious threat to life, health, or safety
  • Investigating suspected unlawful activity
  • Taking appropriate action in relation to serious misconduct

The intent is clear: in certain situations, privacy must give way to safety or law-enforcement concerns.

But the language of section 16A is deliberately flexible. It relies on concepts such as:

  • “reasonably believes”
  • “necessary”
  • “serious threat”
  • “appropriate action”

These are not fixed thresholds. They are judgement calls.

The divergence between the Commissioner and the Tribunal in the Bunnings matter shows how differently those judgements can be made.


A spectrum of outcomes

Viewed together, the recent cases form a spectrum.

  1. Clearview AI: Mass biometric database built without consent. Privacy intrusion: extreme. Outcome: unlawful.
  2. 7-Eleven: Biometric collection for survey integrity. Privacy intrusion: high. Operational benefit: low. Outcome: unlawful.
  3. Kmart: Facial recognition for fraud prevention. Privacy intrusion: significant. Outcome: unlawful.
  4. Bunnings: Facial recognition for staff safety and serious offending. Privacy intrusion: significant. Security justification: stronger. Outcome: contested, with Tribunal finding partial justification.

Across this spectrum, the legal outcomes appear to turn on a central question: Is the security benefit strong enough to justify the level of privacy intrusion?


The ethical dimension: biometric data is different

Even where the law permits biometric collection, a deeper ethical issue remains. Biometric identifiers are:

  • Permanent
  • Unique to the individual
  • Difficult or impossible to change
  • Capable of being reused for purposes far beyond their original intent

If a password is compromised, it can be reset. If a credit card is stolen, it can be cancelled. If a facial template is misused, the individual carries that risk indefinitely.

This creates a structural imbalance:

  • The organisation gains operational or security advantages.
  • The individual bears the long-term consequences.

That imbalance sits at the heart of public discomfort with biometric surveillance.


An evolving boundary

The recent Bunnings decision does not settle the debate. It exposes it.

Across the retail, corporate, and government cases, several themes are emerging:

  1. Biometric data is treated as highly sensitive, even where security benefits are claimed.
  2. Section 16A creates a grey zone around what is “necessary” and what qualifies as a “serious threat.”
  3. The legal position is still evolving.

Australia is now in the middle of defining the practical boundary between security and privacy in the age of biometric surveillance.

The technology is advancing quickly. The law is adapting more slowly. The ethical questions sit somewhere in between.
