
Facial recognition technology on trial

10 February 2026
Adrian Chotar, Partner, Sydney; Dudley Kneller, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Antoine Pace, Partner, Melbourne; Mitchell Wright, Partner, Canberra

 

On 4 February 2026, the Administrative Review Tribunal (ART) delivered its long-awaited decision in Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130.[1]

Following an appeal by Bunnings Group Limited (Bunnings) of the Australian Privacy Commissioner’s 2024 determination, the ART has now held that Bunnings’ use of facial recognition technology (FRT) in its stores to identify higher-risk individuals was permitted under the Privacy Act 1988 (Cth) (Privacy Act).

What this means

  1. Bunnings could rely on limited privacy exemptions to collect facial images and facial vector information using FRT without customer consent because it had evidence of repeated violence, threats and serious theft in its stores.
  2. Bunnings will still need to uplift its practices and procedures for baseline privacy obligations including notice, transparency and governance.
  3. This decision is not a ‘green light’ for organisations to use FRT or similar technologies without customer consent. The findings turned heavily on Bunnings’ specific circumstances and the nature of the risks it faced.
  4. The decision provides some clarification on expectations for certain privacy exemptions for collecting sensitive information, while leaving notable room for organisations to interpret how to comply with their broader privacy obligations.
  5. Organisations considering using FRT or similar technologies should consider whether other options will meet their needs, assess privacy risks (intrusiveness vs benefit), provide transparent notices to customers, and ensure their privacy policies are up to date.

Background

Between 6 November 2018 and 30 November 2021, Bunnings operated FRT in 62 stores across New South Wales and Victoria.[2] The FRT system captured real‑time facial images of all customers entering stores from CCTV footage, converted them into unique vector sets (Input Vector Sets), and compared them against a database (Enrolment Database) of vector sets for individuals known to pose a risk to Bunnings’ operations because they were previously involved in, or reasonably suspected to have perpetrated, actual or threatened violence to staff or customers, organised retail crime, refund fraud, or serious theft at Bunnings’ retail stores.

The Commissioner’s determination found Bunnings had interfered with the privacy of hundreds of thousands of individuals by collecting their personal and sensitive information through the use of FRT. Our previous article sets out more about the Commissioner’s determination.

On 25 November 2024, around a month after the Commissioner’s determination, Bunnings applied to the ART to seek a review of the Commissioner’s determination.

In its decision, the ART partly overturned the Commissioner’s determination, and affirmed other aspects of it.[3] It held that:

  1. Bunnings did not breach APP 3.3 (the need to obtain an individual’s consent to the collection of their sensitive information) in its collection of facial images and Input Vector Sets through the FRT system without seeking individuals’ consent.
  2. Bunnings’ collection of facial images and Input Vector Sets fell within an exemption under APP 3.4 and section 16A of the Privacy Act which allowed Bunnings to collect personal information (including sensitive information) without consent in certain situations, called ‘permitted general situations’. The relevant permitted general situations were in relation to the collection of information being necessary for Bunnings to take appropriate action in relation to suspected unlawful activity which related to its functions or activities (Unlawful Activity Exemption), or the collection being necessary to lessen or prevent serious threats to life, health or safety of individuals or the public (Serious Threats to Safety Exemption).

The ART otherwise affirmed the Commissioner’s determination that Bunnings breached its privacy obligations in relation to:

  1. providing notice to individuals about the collection of their personal information (and sensitive information) (APP 5.1);
  2. its governance requirements to comply with the APPs (APP 1.2); and
  3. its transparency obligations in its privacy policies (APP 1.2 and 1.3).

The details of the decision

Were the facial images and Input Vector Sets ‘sensitive information’, and did Bunnings ‘collect’ them?

The ART considered whether Bunnings ‘collected’ ‘sensitive information’ about individuals under APP 3.3 before it considered whether Bunnings could rely on any exemptions.

Item 1: Did Bunnings ‘collect’ personal information through the FRT system?

There were two categories of individuals whose personal information (and sensitive information) Bunnings collected:

  1. Enrolled Individuals, whose vector sets were stored in the Enrolment Database in the central server, the hard drives of Bunnings store servers, and in the random access memory (RAM) of the relevant local store’s server; and
  2. Non-enrolled individuals, who were all other customers and individuals who entered Bunnings stores. Their facial images collected from the CCTV were converted to Input Vector Sets by the FRT, then compared with the vector sets in the Enrolment Database in the RAM of the local store’s server. When an Input Vector Set did not generate a match, it was deleted from the RAM within approximately 4 milliseconds and not stored in the server’s hard drive.

The ART accepted Bunnings had collected the personal information of Enrolled Persons.[4]

The ART found Bunnings had ‘collected’ the facial images for non-enrolled individuals because the FRT and CCTV did not act independently,[5] the creation of the Input Vector Sets by the FRT was also a ‘collection’,[6] and the temporary recording of the Input Vector Sets and facial images in the local server’s RAM for approximately 4 milliseconds for completing the matching process was a ‘collection’.[7]

Item 2: Was that information ‘sensitive information’?

The parties accepted that both the Input Vector Sets and the facial images were, at minimum, personal information, and additionally that the Input Vector Sets constituted biometric templates (and also sensitive information).[8] The ART then needed to determine whether the facial images constituted biometric information and therefore sensitive information.

Bunnings argued the facial images were not biometric information, as further technical processing was needed to reach that threshold.[9]

The ART followed the Clearview decision and found that since the facial images were collected for the purpose of biometric identification, they constituted biometric information and were therefore sensitive information.[10] This meant Bunnings had collected sensitive information for both Enrolled Individuals and non-enrolled individuals.

Item 3: Could Bunnings rely on the permitted general situation exemption?

In finding Bunnings collected sensitive information (without consent), the ART needed to consider whether Bunnings could rely on two exemptions under the Privacy Act, being the Unlawful Activity Exemption and the Serious Threats to Safety Exemption.

Could Bunnings rely on the Unlawful Activity Exemption so it did not need to seek consent from individuals to collect sensitive information?

To rely on the Unlawful Activity Exemption, Bunnings needed to demonstrate it:

  (a) had reason to suspect that unlawful activity, or misconduct of a serious nature, relating to its functions or activities has been, is being or may be engaged in; and
  (b) reasonably believed the collection was necessary to take appropriate action.

For (a), Bunnings submitted extensive evidence in relation to threatening or harmful situations, assaults or harassment, robbery and actual harm that occurred in its stores to demonstrate it ‘had reason’ to suspect unlawful activity had occurred or was occurring.[11] The ART found Bunnings had a “very serious problem with violence and theft being committed by repeat offenders”,[12] and that Bunnings responded by implementing the FRT to identify, monitor and respond to repeat offenders.[13]

For (b), the ART considered it most important that Bunnings established it held a ‘reasonable belief’ that the collection of the facial images and Input Vector Sets was ‘necessary’ to take appropriate action.[14]

Considering evidence from Bunnings’ National Investigations and Security Manager, the ART appeared to find Bunnings had a subjective belief that it could not have taken other appropriate actions to proactively prevent theft, violence or aggression.[15]

The ART assessed the reasonableness of Bunnings’ belief against the objective facts and circumstances, considering the:[16]

  1. ‘Suitability’ of the FRT: The ART considered the risks, purpose, effectiveness, and evidence that Bunnings significantly reduced in-store theft, and found the FRT to be suitable.[17]
  2. ‘Alternatives’ to the FRT: The ART considered the less invasive alternatives Bunnings previously used and Bunnings’ unique security challenges with its store layout and design and the products sold, and found Bunnings held a reasonable belief that effective alternatives did not exist.[18]
  3. ‘Proportionality’ of the FRT: The ART weighed Bunnings’ consideration of the FRT’s privacy risks, including how long the facial images and Input Vector Sets were held, vulnerability to cyber attacks, access controls, and risks of misuse, against the safer environment for staff and customers, and found the use of FRT to be proportionate.[19]

The ART found Bunnings’ belief to be ‘reasonable’ and it was therefore successful in relying on the Unlawful Activity Exemption, meaning it did not breach APP 3.3.[20]

Could Bunnings rely on the Serious Threats to Safety Exemption so it did not need to seek consent from individuals to collect sensitive information?

For the Serious Threats to Safety Exemption, Bunnings needed to demonstrate that:

  (a) it was unreasonable or impracticable to obtain individuals’ consent to the collection; and
  (b) it reasonably believed the collection was necessary to lessen or prevent a serious threat to the life, health or safety of individuals or the public.

The parties agreed (a) was met.[21]

In relation to (b), the parties accepted that a ‘serious threat’ arose in relation to the incidents at Bunnings stores,[22] and the ART accepted evidence that Bunnings believed that FRT would prevent serious threats to safety.[23] The ART found that Bunnings’ belief was ‘reasonable’ as supported by the evidence, facts and circumstances for the Unlawful Activity Exemption.[24]

Did Bunnings’ privacy notices tell individuals the relevant information about its use of FRT?

Bunnings relied on three privacy notices to satisfy its notice obligations under APP 5.1, including two entry notices used at different times, and a privacy poster. These made mention of ‘video surveillance’, and ‘video surveillance which may include facial recognition’.

The ART considered the content of the privacy notices, practical factors such as the speed of the FRT system, size and nature of the Bunnings stores, and demographics of Bunnings’ customers.

The ART affirmed the Commissioner’s determination that Bunnings did not meet its obligations under APP 5.1 in any of the privacy notices, nor APP 5.2 in one of the entry notices.[25]

Were Bunnings’ governance steps sufficient?

Bunnings did not conduct a formal written privacy impact assessment or privacy threshold assessment in relation to the FRT. It did consider the FRT system’s inherent privacy safeguards, sought legal advice, trained staff, and had access controls and a minimum security standard.

The ART also upheld the Commissioner’s determination that Bunnings did not take reasonable steps to implement practices, procedures and systems to comply with the APPs,[26] as Bunnings’ steps to meet its obligations fell short, particularly given the sensitivity of the facial images and Input Vector Sets.[27]

Did Bunnings’ Privacy Policies set out information about its use of FRT?

Bunnings’ privacy policies made reference to images from video surveillance and cameras in store, but did not refer to FRT.[28] Bunnings submitted it would not have been appropriate to make statements about the use of FRT as that would give potential offenders notice of a system intended to prevent such conduct.[29] The ART found that such notification could act as a deterrent.[30]

The ART affirmed the Commissioner’s determination that Bunnings breached APP 1.3 in not having a clear and up-to-date privacy policy.[31]

How has the Commissioner responded?

The Commissioner issued a public statement on 4 February 2026 stating the decision was “an important reiteration of the key principles and protections contained in Australian privacy law.”[32]

While acknowledging the ART’s finding that Bunnings could rely on a permitted general situation for “the limited purpose of combatting retail crime and protecting their staff and customers from violence, abuse and intimidation,”[33] the Commissioner emphasised the decision “underscored the importance of APP entities maintaining good privacy governance” and reiterated that exemptions are “subject to robust criteria that must be assessed on a case‑by‑case basis.”

The Commissioner has not announced whether it will appeal but did note it is carefully considering the decision and its implications.[34]

Takeaways from the decision

Bunnings’ unique circumstances had significant weight in the ART’s finding. For retailers or organisations using or considering using FRT or other biometric verification tools, the decision provides useful threshold tests for reliance on some exemptions to seeking individuals’ consent to the collection of their sensitive information. The thresholds are likely to be different for organisations relying on these exemptions for collecting personal information without consent.

The decision also provides some expectations around privacy notice requirements, governance requirements, and privacy policy requirements. However, it still leaves much room for organisations to determine how they comply with these obligations, as that sits more in the Commissioner’s remit.

We recommend that organisations looking to use FRT, or which already use FRT, consider:

  • if they are seeking to rely on the Unlawful Activity Exemption or Serious Threats to Safety Exemption for the collection of personal information (and sensitive information) instead of consent:
    • reviewing the circumstances and evidence to support that FRT is the right solution;
    • whether FRT’s specific function will provide or contribute to the required outcome; and
    • whether there are less privacy intrusive options which may have a similar outcome;
  • what notices they have in place to notify individuals about the use of FRT;
  • what specific governance steps must be taken to assess the privacy risk, such as a privacy impact assessment, and what internal policies or procedures are needed to comply with the Privacy Act and APPs; and
  • if their privacy policy is up to date and reflects the use of FRT.

Finally, as highlighted in the decision, organisations must nonetheless ensure that they are complying with the Privacy Act and other APPs.


| | Exemption to consent for collection of sensitive information (two permitted general situations) | Notice requirements (Privacy Notices to individuals) | Governance requirements (risk assessments, practices, policies, and procedures) | Transparency requirements (Privacy Policy) |
|---|---|---|---|---|
| Tribunal’s decision | Met | Did not meet | Did not meet | Did not meet |
| Commissioner’s determination | Did not meet | Did not meet | Did not meet | Did not meet |
| Relevant APPs and sections of the Privacy Act | APP 3.3, 3.4, s 16A items 1 and 2 of the table | APP 5.1 and 5.2 | APP 1.2 | APP 1.3 and 1.4 |

Authored by:

Dudley Kneller, Partner
Mitchell Wright, Partner
Katherine Boyles, Senior Associate
Megan Grimshaw, Lawyer
Tilly Dalton, Lawyer

[1] Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130 (4 February 2026)

[2] Bunnings’ use of facial recognition technology found to breach the Privacy Act – What lessons can be learned? | Gadens

[3] Bunnings’ use of facial recognition technology found to breach the Privacy Act – What lessons can be learned? | Gadens

[4] [34]

[5] [39]

[6] [45]

[7] [59], [60], [64], [66]

[8] [68]

[9] [70] – [72]

[10] [76], [78], Clearview AI Inc v Australian Information Commissioner [2023] AATA 1069 at [125] – [126]

[11] [83] – [103]

[12] [96]

[13] [104]

[14] [114]

[15] [128]

[16] [132]

[17] [156]

[18] [161]

[19] [172]

[20] [174]

[21] [176]

[22] [177]

[23] [179]

[24] [180], [181]

[25] [205], [207], [209]

[26] [224]

[27] [225], [226]

[28] [230]

[29] [231]

[30] [232]

[31] [233], [234]

[32] OAIC statement on Administrative Review Tribunal’s Bunnings decision | OAIC

[33] OAIC statement on Administrative Review Tribunal’s Bunnings decision | OAIC

[34] OAIC statement on Administrative Review Tribunal’s Bunnings decision | OAIC

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
