A landmark decision by the Administrative Review Tribunal has found that Australian hardware giant Bunnings was reasonably entitled to use Artificial Intelligence (AI) facial recognition technology to combat store crime and protect staff. While the ruling reversed a previous finding by the Privacy Commissioner, it establishes a significant legal precedent that will influence privacy and cyber security strategies across all sectors.
The tribunal found that the retailer did not breach privacy laws by scanning customers’ faces, noting that the technology was a proportionate response to serious retail crime and physical threats to employees. However, the ruling also serves as a critical reminder that even with the best intentions, the burden of transparency and data governance remains incredibly high.
The Tool is Not the Issue: Data Processing vs. AI
An important takeaway from this case is that the use of AI itself for processing personal information was not flagged as the primary issue. The tribunal’s focus remained on the handling of personal data, regardless of the specific technology used.
This demonstrates that whether an organisation uses AI, a traditional algorithm, or another digital tool, the legal and security implications are similar. The privacy obligations are triggered by the act of processing the data, not by the “intelligence” of the software. For businesses, this means that “AI-specific” regulations are only one part of the puzzle; the fundamental principles of data protection apply to all automated processing systems.
The “Momentary Collection” Rule: A Major Cyber Security Shift
Perhaps the most consequential aspect of this precedent is the clarification of what constitutes a “collection” of personal information. The tribunal reaffirmed that the momentary collection of personal information by advanced digital tools—even if held for only milliseconds before being deleted—constitutes a formal collection under the Privacy Act.
This has immediate implications for the broader cyber security landscape. It is no longer possible to argue that “fleeting” data processing falls outside of privacy obligations. This shift impacts various areas, including:
- Automated Threat Detection: Cyber security tools that scan network traffic for malicious activity may be “collecting” data the moment an identifier is processed, regardless of how quickly it is discarded.
- Biometric Access Controls: Systems used for secure entry that scan fingerprints or faces trigger these privacy obligations at the very point of the initial scan.
- Algorithmic Verification: Any software using automated logic to monitor user behaviour or verify identities must be managed with the understanding that the initial capture is a regulated event.
Lessons for Businesses in Global Markets
As this case demonstrates, the use of advanced technology for security is a powerful asset, but it must be matched by rigorous governance. For organisations operating in international markets such as Australia, the UK, or the USA, this ruling highlights several essential strategies:
- Transparency is Essential: It is vital to provide clear, visible signage and updated privacy policies that inform individuals when any form of automated scanning is in use.
- Proportionality Matters: The use of invasive technology must be justified by the severity of the risk it intends to mitigate.
- Privacy by Design: Security systems should be engineered to include automatic and permanent deletion of non-essential data, but this must be supported by a robust legal and governance framework.
- Cyber Resilience: Any database containing biometric markers or personal identifiers becomes a high-value target. Protecting this data requires the highest levels of encryption and rigorous access controls.
Navigating the Future of Secure Technology
The Bunnings case serves as a roadmap for how modern organisations must balance innovation with responsibility. It proves that while advanced technology can contribute to a stronger defence, it must be implemented with a deep understanding of evolving privacy standards.
Whether you are implementing AI or traditional automated tools, the focus must remain on the secure and transparent handling of information. If you are weighing how these technologies could help protect your business, consider reaching out to the experts at Vertex. We can provide tailored advice to help you implement high-quality protections that align with your organisational goals and international compliance requirements.
For further information on securing your data and navigating the complexities of modern cyber security, contact our team today.