If you didn’t know Bunnings has a problem with theft and violent attacks on its staff, then you haven’t been watching the TV news. The Australian hardware chain’s press team has provided footage of in-store assaults to any network that will run it. Viewers have witnessed dramatic scenes of men brandishing guns, assaulting employees with hammers and charging past security guards with trolleys full of stolen power tools.
The decision by Bunnings’s owner, the Perth-based conglomerate Wesfarmers, to release those visuals didn’t come out of nowhere. It’s all part of the retailing giant’s battle to use facial recognition technology, or FRT, to monitor people entering its stores. By collecting data on all arrivals, managers are able to alert security guards about repeat offenders, adding vital seconds to call police and prepare staff for what might be coming their way.
It’s hard to argue against a business that has for years topped Roy Morgan’s “most trusted brand” list, particularly on such an emotive issue. Would you deny Bunnings the right to protect its staff and goods against violent thieves? The legal resistance encountered by Bunnings’s plans smacks of do-gooding over-regulation, in this case by the Office of the Australian Information Commissioner, or OAIC. Indeed, the message of Bunnings’s media campaign is that protecting staff, shoppers and property should trump the privacy enforcer’s concerns.
But here’s the thing: incidents of theft and assault in Bunnings stores have been declining across the country, according to data released during court hearings late last year. And that’s largely been a result of upgrades to traditional security measures rather than the decision to deploy FRT in sixty-three stores in New South Wales and Victoria. Those figures raise the not inconceivable possibility that the drive to embrace the technology is about something more than theft-proofing and occupational health and safety. Outsourcing security to technology could, of course, mean spending less on staff.
Throughout the Bunnings campaign, the OAIC has been adamant that FRT, which was deployed by the hardware retailer between 2018 and 2021, violates Australia’s 1988 Privacy Act. Contrary to Bunnings’s argument that the Hitachi-supplied FRT devices amounted to little more than glorified CCTV cameras, the OAIC argued the technology raised fundamental questions about how personal data can be collected and processed.
The OAIC’s November 2024 determination against Bunnings centred on the fact that, unlike CCTV, FRT collects personal data. The process starts with individual stores creating a database containing stripped-back facial images of customers previously identified as problematic. This isn’t a file of photos; it is a depository of biometric data extracted from CCTV stills according to a person’s facial features. The biometric data of people entering participating stores is compared, in a fraction of a second, to this database.
The key to the OAIC’s concerns is that the FRT collects the biometric data of all people entering the store. This is what distinguishes it from, say, CCTV, which merely offers shop assistants an additional set of eyes without in any way processing the images. Even the cameras mounted above self-checkout terminals in supermarkets, which store footage of all transactions, don’t qualify as FRT because they aren’t positioned in a way that identifies shoppers and they don’t process sensitive data.
Did Bunnings collect the biometric data in a way that would trigger the Privacy Act? The chain’s FRT devices collected customers’ data for 0.00417 seconds and discarded the information immediately if it didn’t match the database of “enrolled” repeat offenders. The OAIC concluded that, yes, Bunnings had collected “sensitive” personal data (which is how biometric data is classified). That it was stored for a mere 0.00417 seconds doesn’t matter — regardless of where you place the decimal point, the regulator said it amounts to “collection” under the Act.
The OAIC’s concerns were informed by recent court stoushes over the use, and misuse, of people’s images. It had successfully forced US-based image-scraping startup Clearview AI to shut down its operations in Australia and had castigated local police forces that used the company’s services. It also knew that FRT trials in New Zealand had produced “false positives,” identifying the wrong people as repeat offenders (with the faces of Pacific islanders particularly susceptible to mix-ups). In the United States, several people (many of them African Americans) have been arrested after being misidentified by Clearview, as outlined in New York Times tech writer Kashmir Hill’s 2024 book Your Face Belongs to Us.
The regulator appeared to be using the Bunnings case, as well as probes into FRT use by Kmart and 7-Eleven, to test the waters. Speaking to me in 2024, privacy commissioner Carly Kind conceded that, without a lot of jurisprudence available on FRT, she was making her “best and most informed efforts to apply the law as I understand it.” Because the use of FRT had never been reviewed by a court, the key provisions of the Privacy Act hadn’t been put to the test.
The OAIC would have preferred the matter to end up in the Federal Court. This would have given a judge with Privacy Act expertise the chance to undertake a “full-merits” review, examining everything from scratch. The Federal Court (and, to a limited extent, the High Court) had dealt with the OAIC’s case against Meta Platforms over the Cambridge Analytica data breach and revealed a readiness to dig deep into Australians’ right to privacy.
Bunnings had other plans. It launched an appeal with the newly established Administrative Review Tribunal, ensuring the focus would remain narrowly on the regulator’s determination rather than on broader privacy issues. A spokesperson told me at the time that Bunnings had hoped Kind would accept its claim that the technology was deployed in a way that “appropriately balances our privacy obligations and the need to protect our team, customers and suppliers against the ongoing and increasing exposure to violent and organised crime, perpetrated by a small number of known and repeat offenders”.
Both Bunnings and Wesfarmers were also lobbying for changes that would legalise — beyond any OAIC challenge — the technology’s use. Bunnings managing director Michael Schneider told the Australian Financial Review the time had come for “stronger protections and smart technology, like the responsible use of FRT, to keep people safe.” Without tougher laws, Wesfarmers managing director Rob Scott warned that organised crime gangs would continue to target the company’s stores, particularly in Victoria.
In Bunnings’s eyes at least, the appeal had become an existential fight.
The room allocated for the four-day hearing at the Administrative Review Tribunal’s Melbourne offices in October 2025 was small and stuffy. I arrived early, guessing there would be a scramble by observers wanting to plug their laptops into the room’s only accessible power point. A couple of other journalists sat with me at the start of the first day, though they left once it became clear how mind-numbingly technical the arguments would be.
But there were also some moments of levity. Representing Bunnings, barrister Ruth Higgins (subsequently appointed Australia’s solicitor-general) argued that the milliseconds required for the FRT to compare customers’ biometric data shouldn’t raise concerns under the Privacy Act. Rather, it was like gathering skimming stones on the shores of a lake, in which the mere picking up of the stone only to examine and discard it didn’t amount to its collection. Higgins went on to say that because Bunnings hadn’t captured CCTV stills but merely images “reduced to their mathematical form,” the process didn’t amount to the collection of sensitive data.
This was the first plank of Bunnings’s case. The company would also argue that even if the three-member tribunal ultimately found it had collected the biometric data, it was entitled to do so under privacy exemptions designed to reduce serious threats to life, health or safety, or to prevent risks to the public.
There were some tense exchanges along the way. The OAIC’s barrister, Michael Borsky, derided Bunnings’s video compilation of violent incidents in its stores, pointing out that the showreel’s highlight was a man in a balaclava wielding a shotgun. No FRT device would have identified him through a facemask, making its inclusion misleading. The privacy regulator’s legal team also suggested Bunnings had inflated the rise in the numbers of violent incidents by not factoring in an increase in the number of its stores around Australia — as a percentage, violent incidents had in fact decreased. The Bunnings witness conceded this was the case and also said there had been no visible decline in incidents as a result of the FRT trial.
At every turn, the OAIC was determined to emphasise what was at stake. Cross-examining a witness, Borsky suggested that in a single two-month period Bunnings had recorded sixteen false positives and no correct positives. The OAIC also suggested that most of the false positives involved women or racial minorities. The head of Bunnings’s security operations accepted there had been false positives, but said staff had used discretion when reviewing the alerts. What’s more, when a false positive occurred, the image that caused it was expunged from the database of recidivist shoplifters to ensure the FRT wouldn’t make the same mistake again.
This prompted Borsky to question why Bunnings had even bothered with the rollout. “You don’t need FRT to know you have to call the police,” the barrister declared on the second day of hearings.
As the days in the airless room passed, it was becoming clear from the questions posed by deputy president Peter Britten-Jones and his colleagues that, on significant issues at least, the tribunal was leaning towards the OAIC’s arguments.
First, Bunnings’s written warnings to customers that their biometric data would be collected and used by FRT software linked to the CCTV cameras were either non-existent or inadequate. On this front, Australian Privacy Principle 3.3 is crystal clear: a retailer may “only solicit and collect sensitive information if the individual consents to the sensitive information being collected.” Bunnings’s signage wasn’t adequate.
Second, the members of the tribunal also appeared to believe Bunnings had indisputably collected the data. The milliseconds needed to compare customers’ biometric data to that of the store’s database became irrelevant because Bunnings had already admitted to collecting and collating a database of banned individuals.
The Privacy Act boxes had been ticked — the skimming pebbles analogy hadn’t convinced them.
But would the tribunal accept that the real security threats identified by Bunnings would be enough to grant one of the Act’s exemptions? On that question, the OAIC appeared to be struggling. While it might have scored a point by demonstrating how the number of violent criminal attacks had declined as an overall percentage across Bunnings stores, the tally of incidents was still very high, as Britten-Jones pointed out. That shoplifters described by the retailer as “recidivist” accounted for 60 per cent of all stock lost was a real concern.
Higgins drove that point home. These were “very significant losses and the violence itself would suffice” as a justification for deploying FRT, she told the tribunal on the final day of hearings.
When the ART’s ruling was published in February this year, both Bunnings and the OAIC were able to claim a qualified win.
The hardware giant welcomed the ruling, saying the tribunal had “recognised the need for practical, commonsense steps to keep people safe.” But it had “also identified areas where we didn’t get everything right, including around signage, customer information, processes and our privacy policy, and we accept that feedback”.
The OAIC was less conciliatory. It welcomed the fact that two parts of its original determination had been upheld: Bunnings customers hadn’t been properly notified and the Privacy Act does extend to the capture of sensitive data, even if it’s only stored for milliseconds. The notoriously underfunded regulator said it wouldn’t be appealing the ART’s decision.
The take-home was that Bunnings and other retailers would be able to use FRT in their stores, but only with strict safeguards in place. The OAIC warned retailers to view the decision “as a useful case study, rather than a green light for deployments of biometric technologies.”
A close reading of the ruling does point to a pathway for FRT, though, particularly when it’s deployed to combat tangible cases of criminality and violence. “Bunnings was entitled to use FRT,” the tribunal found, “for the limited purpose of combating very significant retail crime and protecting [its] staff and customers from violence, abuse and intimidation within its stores.”
The tribunal also concluded that features of the Hitachi technology used by Bunnings were sufficient to mitigate privacy risks: the biometric data wasn’t stored for long and wasn’t held in a way that could leave it exposed to cybercrime and data breaches. This meant the use of FRT “wasn’t disproportionate when considered against the benefits of providing a safer environment for staff and customers in Bunnings stores”.
Still, FRT seems likely to return to Australian courts given the unanswered questions left by the tribunal’s ruling. For example, what happens if the wrong person’s sensitive data is added to the repeat-offender database? What right of redress might that person have? What if, as has been the case in the United States, false positives are found to unfairly affect certain ethnic groups? And under what circumstances, if any, would one store be able to share its database of offenders with other Bunnings retailers?
A Federal Court review of the case might have shed more light on these questions. In the meantime, the evidence that’s emerged suggests Bunnings — and all Australian retailers — may be well-advised to concentrate on more traditional security approaches. FRT may one day start to replace security guards, but that’s unlikely to happen any time soon.