A recent determination (Determination) issued by the Office of the Australian Information Commissioner (OAIC) has clarified how the Privacy Act 1988 (Cth) (Privacy Act) applies to the use of facial recognition technology.
The Determination highlights that the use of facial recognition technology in Australia will be heavily scrutinised and that organisations aiming to utilise such technology may need to overcome significant compliance hurdles.
The Determination relates to the use of facial recognition technology by 7-Eleven Stores Pty Ltd (7-Eleven).
Relevant Laws
Schedule 1 to the Privacy Act contains the Australian Privacy Principles (APPs), which regulate the collection, use, disclosure and security of personal information held by Australian government agencies and certain private sector organisations (APP Entity). Section 15 of the Privacy Act prohibits an APP Entity from doing an act, or engaging in a practice, that breaches an APP.
Personal information is defined under the Privacy Act to mean information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and the information or opinion is recorded in a material form or not.
Relevant to the Determination:
- Under APP 3.3, an APP Entity must not collect sensitive information about an individual unless the individual consents to the collection of the information, and the information is reasonably necessary for one or more of the APP Entity’s functions or activities; and
- APP 5 requires APP Entities to take such steps as are reasonable in the circumstances to notify individuals of the collection of personal information.
Sensitive information is defined under the Privacy Act to include biometric templates and biometric information that is to be used for the purpose of automated biometric verification or biometric identification.
The Determination
From June 2020 to August 2021, 7-Eleven deployed facial recognition technology in 700 stores nationwide as part of a customer feedback mechanism. The relevant facial recognition technology was provided to 7-Eleven by a third party. Tablets at 7-Eleven stores allowed customers to complete surveys while taking facial images for the purposes of matching survey results to understand customer demographics. Each facial image was converted by 7-Eleven’s third party service provider into an encrypted algorithmic representation of the face (Faceprint). The Faceprints were analysed by a further program operated by 7-Eleven’s third party service provider, which looked for Faceprints that were similar. If there was a high probability match, then the corresponding matched survey results were flagged. The facial images were deleted from the tablet after they were uploaded to the third party service provider’s system, and deleted from the service provider’s system within 7 days.
The OAIC determined that:
- facial images are personal information, as they are clearly ‘about’ an individual; and
- the Faceprints were personal information as they were digital representations of a particular individual’s facial features and could be used to distinguish a particular person from other faceprints held in the server.
The OAIC also held that the facial images and Faceprints were biometric information and accordingly sensitive information for the purposes of the Privacy Act. Accordingly, 7-Eleven was required to obtain the consent of its customers prior to collecting their facial images and Faceprints.
7-Eleven did not obtain the express consent of its customers, but argued that customers gave implied consent to the collection of their sensitive information. 7-Eleven had placed notices in their stores stating that “By entering the store you consent to facial recognition cameras capturing and storing your image” and its privacy policy provided “Generally, We collect most personal information directly from you, for example where you…use a feedback kiosk from our stores”. However, the OAIC held that the notices placed by 7-Eleven and its privacy policy were not enough to satisfy the OAIC that each relevant individual had impliedly consented to the collection of their facial images and Faceprints, especially in light of the fact that:
- there was no information provided on or in the vicinity of the survey tablets, or during the process of completing the survey, about 7-Eleven’s collection of facial images and Faceprints.
- the store notices were unclear, and, given the prevalence of these kind of notices in stores and public places, may have created an impression that 7-Eleven captured customers’ images using a facial recognition CCTV camera as part of surveillance of the store.
- 7-Eleven’s privacy policy did not link the collection of photographic or biometric information to the use of in-store ‘feedback kiosks’.
The OAIC also determined that the collection of facial images and Faceprints was not reasonably necessary for one or more of 7-Eleven’s functions or activities, as the risks associated with collection of such information were not proportional to the function or activity of understanding and improving customers’ in-store experience.
Accordingly, 7-Eleven was found to be in breach of APP 3.3.
Further, 7-Eleven was also found to be in breach of APP 5 as it did not provide a collection notice to its customers (or include a collection notice on or near the relevant tablets) specifically stating that it collected facial images of individuals who completed the feedback survey on relevant tablets and would analyse the facial images using facial recognition technology to generate and collect faceprints of those individuals. In order to be compliant with the Privacy Act, such a collection notice should have also contained a detailed description of the purposes of collection.
It should be noted that the OAIC stated that, even if a privacy policy did contain adequate information for the purposed of APP 5, merely publishing such a policy on a website would not amount to compliance with APP 5. It is not reasonable to assume that individuals will have searched for a privacy online and read through it before entering a particular store or location.
Next Steps
The Determination provides clear guidance to companies wishing to utilise facial recognition technology in Australia as to the steps they should undertake in order to ensure that they are not in breach of the APPs or the Privacy Act. It is clear that facial images or other information derived from facial images will likely be considered to be sensitive information for the purposes of the Privacy Act and the consent of each relevant individual will therefore need to be obtained to the collection of such information.
If you have any questions or concerns regarding the application of the Privacy Act or the APPs to your business, please do not hesitate to contact us.