Information Commissioner issues determination in 7-Eleven Stores Pty Ltd [2021] AICmr 50 (29 September 2021) for breaches of Australian Privacy Principles 3 and 5 through use of facial recognition technology on unsuspecting customers.

October 19, 2021

The Australian Information Commissioner (the “Commissioner”) has issued a very significant determination resulting from a Commissioner-initiated investigation, 7-Eleven Stores Pty Ltd (Privacy) [2021] AICmr 50, in which she found that 7-Eleven had breached Australian Privacy Principles (APPs) 3 and 5 of the Privacy Act 1988.

FACTS

From 15 June 2020 to 24 August 2021, 7-Eleven used facial recognition technology as part of a customer feedback mechanism (the Facial Recognition Tool) in its 700 stores nationwide [4]. The Facial Recognition Tool was supplied by a third-party supplier (the Service Provider). 7-Eleven described its use of the Facial Recognition Tool as follows:

  • a tablet located inside the 7-Eleven stores enabled a customer to complete a voluntary survey about his or her in-store experience.
  • each tablet had a built-in camera that took facial images of the customer while that person was completing the survey.
  • the customer’s facial image was captured twice: when the individual first engaged with the tablet and then after completing the survey.
  • the facial images were stored on the tablet for around 20 seconds before being uploaded via a secure connection to a secure server hosted in Australia within the Microsoft Azure infrastructure (the Server). Once the upload occurred, the facial image was deleted from the tablet.
  • the Service Provider processed the facial images through an API (the Detect API) by converting each facial image to an encrypted algorithmic representation of the face (faceprint), and assessed and recorded inferred information about the customer’s approximate age and gender;
  • the faceprint was then sent to another API (the Similarity API), along with all other faceprints generated by responses entered on the same tablet for the previous 20 hours;
  • these faceprints were compared to other faceprints to identify faceprints that were sufficiently similar. The Facial Recognition Tool directly linked individuals’ faceprints with survey responses, by using each faceprint as an ‘identifier’. These processes enabled an individual depicted in a faceprint to be distinguished from other individuals whose faceprints were held on the Server [38].
  • the Similarity API looked for faceprints that were similar. If there was a high probability match, then the corresponding matched survey results were flagged;
  • the facial images were retained on the server for 7 days so that the Service Provider could identify and correct any issues, and reprocess survey responses if necessary;
  • while there was no defined retention period for faceprints, after 24 hours any attempt to identify a match using the Similarity API would come up as an error;
  • the faceprints and customers’ survey answers were stored in a dedicated encrypted database. All survey responses were timestamped and associated with the relevant store where the relevant tablet was located [6].

As at March 2021, approximately 1.6 million survey responses had been completed [7].
The ostensible reason for generating faceprints was to detect whether the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, their responses may not have been genuine, and were excluded from the survey results. 7-Eleven said it wanted to have a broad understanding of the demographic profile of customers who completed the survey [8]. 7-Eleven could access individual survey responses at any time on the Service Provider’s portal [9].

7-Eleven submitted that:

  • the Facial Recognition Tool was ‘entirely optional and voluntary’ and that if a customer did not consent to the use of this technology, the customer could elect to not enter the store or not use the tablet [88]
  • in an effort to be transparent with customers about the use of this technology, it displayed a notice at the entrance to its stores to alert customers that upon entering the store they may be subject to facial recognition technology [89]
  • its Privacy Policy, available on its website, stated [91]:

We only collect personal information that is reasonably necessary for our business functions and activities and to provide you with our products and services.

If you are a customer and you decide not to provide certain personal information to Us, We may not be able to provide you with the product or service you are after.
By acquiring or using a 7-Eleven product or service or providing your personal information directly to us, you consent to 7-Eleven collecting, storing, using, maintaining and disclosing your personal information for the purposes set out in this Privacy Policy.

7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.
How we collect personal information
Generally, We collect most personal information directly from you, for example
where you:

use a feedback kiosk from our stores; …

and


7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.

Generally, We collect most personal information directly from you, for example,
where you:
• order and purchase goods or services through our website and/or apps;
• register for participation in a competition, promotion or survey;
• request customer service or contact us;
• apply for employment;
• make a franchise or other specific enquiry necessitating a response;
• participate in a digital interactive activity;
• use a feedback kiosk from our stores; or
• register for and use a product or service, such as the 7-Eleven Fuel Card,  or a relevant 7-Eleven App.

Unless otherwise disclosed during the collection process, personal information which We collect from you is used only for the purposes consistent with the reasons it was provided, for a related purpose, or where otherwise permitted by law.
Examples of how We may use your personal information include:
• to provide products and services to you and provide you with information about them;
• to process your payments or refunds;
• to administer, manage, and improve our products and services, including to perform identity related checks;
• to understand the use of our products, services and digital channels and to make improvements to them;
• to respond to particular requests from you;
• to assist in investigating your complaints and enquiries;
• in general to promote and market to you our various businesses,  services, products and special offers and those of our trading partners.

We may disclose your personal information to:
• our payment processing provider for the purposes of processing your  payment or refund;
• your authorised representative, when you ask us to do so;
• our franchisees
• law enforcement agencies and other government and regulatory bodies as required or authorised by law.
We will not otherwise disclose this personal information except when authorised to do so by law.

DECISION

Legal Principles

7-Eleven submitted that facial images and faceprints were not personal information because:

  • they are not used to identify, monitor or track any individual;
  • the Service Provider’s system operated independently from 7-Eleven’s other systems;
  • none of the information collected by the Facial Recognition Tool was associated or matched with any personal information or customer data;
  • a limited number of the Service Provider’s employees could access the images for the purposes of identifying errors and other issues with the system;
  • the images were heavily blurred so that the faces were not identifiable;
  • the ‘raw’ images (where faces were identifiable) could only be accessed by a very small number of the Service Provider’s software engineers;
  • the faceprint was unique for every photo (so uploading the same photo twice would result in two different faceprints). The faceprint was a random string of characters, and could not be used to detect duplicate faces outside the Similarity API [30].

The Commissioner quoted the definition of “personal information” at s 6(1) as:

‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not’ [25].

The Commissioner quoted from Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC in stating that information or an opinion is ‘about’ an individual where the individual is the subject matter of the information or opinion. The Federal Court stated:

‘The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not “about an individual” it might be about the individual when combined with other information.’ [26]

Whether information or an opinion is ‘about’ an individual is ultimately a question of fact, depending on context [27], and whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context as well [28]; however:

  • an individual is ‘identified’ when, within a group of persons, the individual is ‘distinguished’ from all other members of a group [28].
  • certain information may be unique to a particular individual, and therefore may (in and of itself) establish a link to that person [29].
  • for an individual to be ‘identifiable’, they do not necessarily need to be identified from the specific information being handled as he or she can be ‘identifiable’ where the information is able to be linked with other information that could ultimately identify the individual [29] & [37]

Regarding the relevant Australian Privacy Principles (APPs) the Commissioner stated:

  • APP 3 outlines when an APP entity may collect solicited personal information [40] and APP 3.3 prohibits an APP entity from collecting sensitive information about an individual unless:
    • there is consent to the collection of the information, and the information is reasonably necessary for one or more of the entity’s functions or activities; or
    • one of the exceptions in APP 3.4 applies in relation to the information.
  • an APP entity ‘collects’ personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’ [42] with ‘record’ in s 6(1) including a document or an electronic or other device.
  • an APP entity ‘solicits’ personal information ‘if the entity requests another entity to provide the personal information, or to provide a kind of information in which that personal information is included’ with a ‘request’ being an active step taken by an entity to collect personal information [43]
  • ‘collection’ applies broadly, and includes:
    • gathering, acquiring or obtaining personal information from any source and by any means, including from individuals, other entities, and biometric technology, such as voice or facial recognition [44].  
    • collection by ‘creation’ which may occur when information is created with reference to, or generated from, other information the entity holds [44]
  • ‘sensitive information’ extends to two particular kinds of biometric information:
    • ‘biometric information that is to be used for the purpose of automated biometric verification or biometric identification’ (the term is not defined); and
    • ‘biometric templates’ [45] (the term is not defined).
  • ‘Biometrics’ encompasses a variety of different technologies that use probabilistic matching to recognise a person based on their biometric characteristics.
  • biometric characteristics can be:
    • physiological features; or
    • behavioural attributes
    which cannot normally be changed and are persistent and unique to the individual [47].
  • ‘Biometric systems’ scan, measure, analyse and recognise particular and unique biometric, physical, biological and behavioural traits and characteristics to identify a person [48].
  • a ‘biometric template’ is a digital or mathematical representation of an individual’s biometric information that is created and stored when that information is ‘enrolled’ into a biometric system.
  • machine learning algorithms use the biometric template to match it with other biometric information, for verification, or to search and match against other templates within a database, for identification.

Regarding consent the Commissioner stated that:

  • the four key elements of consent are:
    • the individual is adequately informed before giving consent.
    • the consent is given voluntarily.
    • the consent is current and specific.
    • the individual has the capacity to understand and communicate consent [50].
  • express consent is given explicitly, either orally or in writing. An APP entity should generally seek express consent from an individual before handling the individual’s sensitive information, given the greater privacy impact this could have.
  • implied consent arises where consent may reasonably be inferred from the conduct of the individual and the APP entity.
  • there is no implied consent if:
    • an individual’s intent is ambiguous; or
    • there is reasonable doubt about the individual’s intention [53].

Regarding what is reasonably necessary the Commissioner stated:

  • the terms ‘function’ and ‘activity’ are not defined
  • ‘function’ is relevantly defined to mean ‘a kind of action or activity which is proper to a person, thing or institution’; or ‘the purpose for which something is designed or exists’; or a ‘role’ [56]
  • ‘Activity’ is defined as ‘a specific deed, action, function, or sphere of action’ [57]
  • functions or activities include:
    • current functions or activities  
    • proposed functions or activities the organisation has decided to carry out and for which it has established plans
    • activities the organisation carries out in support of its other functions and activities, such as human resource, corporate administration, property management and public relations activities [57].
  • while ‘necessary’ is not defined, the Commissioner referred to the High Court decision of Mulholland v Australian Electoral Commissioner [2004] HCA 41, which stated ‘there is, in Australia, a long history of judicial and legislative use of the term ‘necessary’, not as meaning essential or indispensable, but as meaning reasonably appropriate and adapted’.
  • must be more than merely helpful, desirable or convenient [58]
  • it is necessary to consider whether any interference with personal privacy is proportionate to a legitimate aim sought. This is a test specifically formulated by the Commissioner. The Commissioner cited Jurecek v Director, Transport Safety Victoria [2016] VSC 285, where Bell J stated, in the context of a similar provision in the Victorian legislation:

Reasonable proportionality comes into the interpretation and application of the provisions of cl 1 of the Information Privacy Principles because the specified standards are evaluative in nature: it is necessary to determine in a given case what is ‘necessary’ in IPP 1.1, ‘lawful and fair’ and not ‘unreasonably intrusive’ in IPP 1.2, ‘practicable’ and ‘reasonable’ in IPP 1.3, ‘reasonable and practicable’ in IPP 1.4 and what are ‘reasonable steps to ensure’ in IPP 1.5. To a greater or lesser extent, matters of fact and degree are involved, which requires consideration of what is at stake for the individual (including the nature of the personal information in question) and balancing, in a reasonably proportionate way, the nature and importance of any legitimate purpose and the extent of the interference [59].

  • factors relevant to determine whether a collection is reasonably necessary include:
    • the primary purpose of collection,
    • how the personal information will be used, and
    • whether the entity could undertake the function or activity without collecting that personal information, or by collecting a lesser amount of personal information [60]
  • it is the responsibility of an APP entity to be able to justify that a particular collection is reasonably necessary [61]

The Commissioner stated that APP 5.1 requires an APP entity that collects personal information about an individual to take such steps (if any) as are reasonable in the circumstances to notify the individual of such matters referred to in APP 5.2 or to otherwise ensure that the individual is aware of any such matters [108].
Those obligations are intended to ensure that individuals have knowledge of, and choice and control over, how information about them is handled. These matters are relevantly:

  • the fact that the information is collected and the circumstances of that collection, including the method of collection
  • the purposes for which the personal information is collected, including the primary purpose of collection [110]
  • notifying individuals at or before the time the personal information is collected [109]

Consideration

The Commissioner stated that the images captured by the tablets were digital images of an individual’s face [31] and, as the facial images showed individuals’ faces, she considered that those images were ‘about’ an individual [32] and that an individual was reasonably identifiable from a facial image because:

  • a facial image alone will generally be sufficient to establish a link back to a particular individual, as these display identifying features unique to that individual.
  • 7-Eleven processed facial images for the purpose of biometric identification [33]

As these faceprints were digital representations of a particular individual’s facial features, the Commissioner was satisfied that they were ‘about’ an individual [36] and found that the faceprints were ‘personal information’ within the meaning of s 6(1) [39].

The Commissioner stated that, because 7-Eleven requested customers to complete the survey using tablets available for that purpose, a process which involved the active step of capturing the individual’s facial image and using this information to generate a faceprint, 7-Eleven ‘solicited’ facial images and faceprints within the meaning of s 6(1) [62] – [63].

As the tablets and Server were ‘records’ within the meaning of s 6(1), as these were each an ‘electronic or other device’, facial images were ‘collected’ [65].
The Commissioner was satisfied that 7-Eleven ‘collected’ the facial images and faceprints because:

  • the tablets were set up in 7-Eleven’s stores for its purposes.
  • the collection on the tablets was to improve the genuineness of the customer feedback and assist with demographic profiling
  • it had a contractual right to use the tablets for its internal business purposes.
  • it had contractual control over its data held on the Server [redacted].
  • faceprints were generated from other information 7-Eleven held (namely facial images) and as such the faceprints were collected for inclusion in a record, and were therefore ‘collected’ within the meaning of s 6(1) [76].
  • the faceprints
    • were generated in accordance with the terms of an Agreement, at 7-Eleven’s request and for its purposes.
    • were generated from the customers’ facial images, while they were completing surveys about their in-store experiences [79]
  • 7-Eleven had contractual control over its data held on the Server
  • 7-Eleven had a contractual right to use the Server that processed the faceprints, for its internal business purposes [80].

The Commissioner considered that the facial images and faceprints were ‘biometric information’ and that they were used in an automated biometric identification system [82] and that individuals depicted in facial images and faceprints were reasonably identifiable, because the Facial Recognition Tool enabled an individual depicted in a faceprint to be distinguished from other individuals whose faceprints were held on the Server [82]. As the faceprints are ‘an algorithmic representation of a face’, derived from biometric samples and enrolled in a biometric identification system the faceprints are ‘biometric templates’ [83].
The Commissioner regarded both the facial images and faceprints as sensitive information [84].

While the Commissioner acknowledged that the use of the tablet was voluntary, she was not satisfied that the act of using it unambiguously indicated an individual’s agreement to the collection of their facial image and faceprint, where:

  • there was no information provided on or in the vicinity of the tablet, or during the process of completing the survey, about the collection of facial images and faceprints;
  • the Store Notices were unclear, and, given the prevalence of these kinds of notices in stores and public places, may have created an impression that the capturing of customers’ images using facial recognition was through CCTV cameras as part of store surveillance;
  • 7-Eleven’s Privacy Policy did not link the collection of photographic or biometric information to the use of in-store ‘feedback kiosks’ [93].
  • customers were not adequately informed about what they were being asked to consent to. The Store Notices and Privacy Policy did not state what information was being collected and how it would be handled by 7-Eleven [94].
  • the Store Notices and Privacy Policy were neither current nor specific, as they did not request consent contemporaneously before or during the survey process, or refer to it.
  • the Privacy Policy bundled together multiple collections, uses and disclosures of personal information, preceded by a general statement that ‘[b]y acquiring or using a 7-Eleven product or service or providing your personal information directly to us, you consent to 7-Eleven collecting, storing, using, maintaining and disclosing your personal information for the purposes set out in this Privacy Policy’ [94]
  • it is not possible to infer consent simply because an entity has published a policy about its personal information handling practices. Any consent inferred from the existence of a privacy policy would not be current and specific to the circumstances in which the information is being collected [95].
  • any request for consent should:
    • clearly identify the kind of information to be collected, the recipient entities, and the purpose of the collection;
    • be sought expressly and separately from a privacy policy at a current point in time; and
    • be fully informed and freely given.

There was no evidence that individuals expressly consented to the collection of their facial images or faceprints [86] and consent cannot be implied in the circumstances [92]. As such the Commissioner found that individuals did not consent to the collection of their sensitive information [97].

The Commissioner did not accept, at [102], that 7-Eleven collecting its customers’ sensitive biometric information was ‘reasonably necessary’ for understanding and improving customers’ in-store experience, stating:

  • she was not satisfied that it was reasonably necessary to collect ‘sensitive’ biometric information for this function or activity.
  • there was a risk of adversity to individuals should this kind of information be misused or compromised, as it cannot be reissued or cancelled like other forms of compromised identification information. The risks associated with collection of such information are not proportional to the function or activity of understanding and improving customers’ in-store experience.
  • there was no privacy impact assessment (PIA) in relation to the in-store feedback mechanism.
  • there are other ways to identify potentially non-genuine responses and collect demographic information, which could have had a lesser privacy impact on individuals [103].

The Commissioner was not satisfied that the large-scale collection of customers’ sensitive biometric information was reasonably appropriate or adapted to the activity of understanding and improving customers’ in-store experience [106], and found that 7-Eleven was in breach of APP 3.3, interfering with the privacy of individuals whose facial images and faceprints it collected through its customer feedback mechanism, by:

  • collecting those individuals’ sensitive information without consent,
  • in circumstances where that information was not reasonably necessary for its functions and activities.

The Commissioner stated that the Store Notices and Privacy Policy did not address all the APP 5 matters [115] because:

  • neither informed individuals about the fact and circumstances of collection of facial images and faceprints, as is required by APP 5.2(b) [116]. To comply, 7-Eleven should have provided a collection notice that specifically stated that:
    • it collects facial images of individuals who complete the feedback survey on tablets in front of cashiers [117]
    • it analyses the facial images using facial recognition technology to generate and collect faceprints of those individuals.
  • the Store Notices and Privacy Policy did not adequately inform individuals about the purpose for which the above information was collected [118]. It should have provided a collection notice with a more detailed description of the purposes of collection.

The Commissioner was unimpressed by 7-Eleven’s Privacy Policy, noting that even if the Privacy Policy provided adequate information about APP 5 matters, simply publishing it on a website does not amount to compliance with APP 5 [120]. It is not reasonable to assume that customers will have searched for the Privacy Policy online and read through it before entering the store and completing the survey [121]. Rather, the Commissioner stated, it should have included a collection notice on, or in the vicinity of, the tablet screen which should have notified customers about APP 5 matters before the start of the survey, and crucially, before the first facial image of the customer was captured.
The Commissioner found that 7-Eleven breached APP 5 and interfered with the privacy of individuals whose facial images and faceprints it collected, by failing to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information.

The determination provides, at [1]:

I find that from 15 June 2020 to 24 August 2021, 7-Eleven Stores Pty Ltd (the respondent) interfered with the privacy of individuals whose facial images and faceprints it collected through its customer feedback mechanism, within the meaning of the Privacy Act 1988 (Cth) (Privacy Act), by:
a. collecting those individuals’ sensitive information without consent, and where that information was not reasonably necessary for the respondent’s functions and activities, in breach of Australian Privacy Principle (APP) 3.3
b. failing to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information, in breach of APP 5.

As a consequence she made the following declarations, at [2]:

I make the following declarations under the Privacy Act:
a. I declare under s 52(1A)(a) that:
i. in the period 15 June 2020 to 24 August 2021, the respondent interfered with the privacy of individuals whose facial images and faceprints it collected through the customer feedback mechanism referred to in paragraph 4, and
ii. the respondent must not repeat or continue this conduct.
b. I declare under s 52(1A)(b) that within 90 days of the date of this determination, the respondent must:
i. destroy, or cause to be destroyed, all faceprints that it has collected through the customer feedback mechanism, in breach of APPs 3.3 and 5, and provide written confirmation to my office when it has complied with paragraph 2(b)(i) above.

Remedies

While 7-Eleven took proactive remedial steps, the Commissioner was concerned that faceprints had not been deleted and de-identification was not a viable step in the circumstances [133].

The Commissioner made a declaration requiring 7-Eleven to destroy, or cause to be destroyed, all faceprints it has collected through the customer feedback mechanism, in breach of APPs 3.3 and 5, to ensure this act or practice is not continued. 7-Eleven was required to provide written confirmation to the OAIC when it has complied with this declaration.

ISSUE

The determination is a valuable analysis of the operation of APP 3, the collection of solicited personal information, and APP 5, the notification of the collection of personal information. Key issues include:

  1. facial images are personal information. They can be used to identify a person. That may seem obvious but 7-Eleven argued that they were not because they were not used to identify, monitor or track a person. That the organisation cannot identify the person from the facial image is not a defence. That person can be identified from other information. The test is whether that image can distinguish one person from others.
  2. facial images are sensitive information for the purpose of the Privacy Act because they are biometric information and biometric templates. They also relate to a person’s ethnicity and potentially health, disability, religion and sexuality.
  3. Consent is key if an organisation seeks to collect sensitive information. Entering a 7-Eleven store is not express consent. 7-Eleven argued that some stores had text next to images of a surveillance camera reading “By entering the store you consent to facial recognition cameras capturing and storing your image”. But its main argument was that the Privacy Policy permitted the collection of personal information and that if customers did not agree to 7-Eleven doing so they didn’t have to enter the store or use the tablets. That argument was roundly rejected. The Commissioner also was less than impressed when 7-Eleven stated that the Privacy Policy was on its web site. So customers could not even read in store the Privacy Policy that was somehow going to constitute their consent.
  4. Privacy Policies are not consents, nor are they the touchstone of all matters privacy. They are important but designed to provide transparency, not to provide, if drawn broadly enough, approvals and consents.
  5. Consents must meet 4 requirements:
    • a person must be adequately informed before giving his or her consent
    • that person must give consent voluntarily
    • the consent must be current and specific; and
    • the person must have the capacity to understand and communicate his or her consent
  6. Inferred consents are difficult to obtain.  They are clearly dependent on the facts of any situation but inferring consent is a high bar.
  7. if information is collected then reasonable steps are required to notify people of the collection. 7-Eleven relied upon signs at the entry to its stores. Anyone who has ever entered a 7-Eleven store would not be surprised to discover that this argument was rejected. A relatively small collection notice in small font on a window in a crowded and cluttered store is not sufficient. A properly drafted notice needs to advise the person of who is collecting the information and of matters including, but not limited to, what information is being collected, when it will be collected and how it will be collected, at the time of or before it is collected. That needs to be provided irrespective of consent issues. They are separate matters.
  8. the collection of personal information must still be reasonably necessary. Even if consent is provided and even if the collection notice is adequate, an organisation does not have carte blanche to collect personal information. Consents and collection notices are not permits to hoover up any information an organisation can get its hands on with new or old technology. The Commissioner’s test in this determination is that the collection is “proportionate to a legitimate aim sought”. The Commissioner rejected 7-Eleven’s rationalisation that it was used to understand and improve customers’ in-store experiences. 7-Eleven argued that facial recognition was used to maintain the integrity and improve the accuracy of its customer satisfaction surveys. In that way, it said, it was proportionate. The Commissioner cut through this poor argument by pointing out less invasive ways of achieving the same results and was more emphatic when she stated at [105]: “Any benefit to the respondent was disproportionate to, and failed to justify, the potential harms associated with the collection and handling of sensitive biometric information”. To comply with this principle it is important to weigh all the facts. It may involve a careful analysis, which is how a Privacy Impact Assessment operates.
  9. there is little point explaining the intricacies of how the information is handled by overseas and outside contractors and how its use is limited when there is a fundamental problem with the collection and consents. The obligation was that of 7-Eleven’s alone to get the consents and

Unfortunately the Commissioner’s ultimate determination is something of a damp squib.  Declaring that 7-Eleven must not repeat or continue its interference with people’s privacy is as silly as it sounds.  It only has impact if 7-Eleven behaves in an incredibly foolish manner and continues using facial recognition software in its tablets.  It was necessary for the Commissioner to declare that all faceprints held by 7-Eleven be destroyed.

7-Eleven’s breaches were egregious and involved 1.6 million individuals.  7-Eleven breached multiple privacy principles and did so for more than a year, even while the Commissioner was investigating.  7-Eleven may have been put to some expense and some minor reputational damage but effectively it is a slap on the wrist.  The Commissioner should have commenced civil penalty proceedings.  The restraints on bringing such proceedings are self-imposed and unreasonable. They are a product of a timid culture.  In the United Kingdom there would have been a significant monetary penalty and in the United States the Federal Trade Commission would have imposed a 10 or 20 enforceable undertaking and a fine exceeding a million dollars.   It is an opportunity squandered.

POST DETERMINATION

The Commissioner issued a media release on 14 October 2021 regarding the determination stating:

Australian Information Commissioner and Privacy Commissioner Angelene Falk has determined that convenience store group 7-Eleven interfered with customers’ privacy by collecting sensitive biometric information that was not reasonably necessary for its functions and without adequate notice or consent.

It follows an investigation by the Office of the Australian Information Commissioner (OAIC) into 7-Eleven collecting facial images while surveying customers about their in-store experience.

The investigation found customers’ facial images were used to generate algorithmic representations, or ‘faceprints’, which were compared with other faceprints to exclude responses that may not be genuine. The personal information was also used to give a broad understanding of the demographic profile of customers who completed the survey.

The surveys were completed between June 2020 and August 2021 on tablets with built-in cameras installed in 700 stores. Customers completed 1.6 million surveys in the first 10 months.

Commissioner Falk found the facial images and faceprints were sensitive information covered by additional protections under the Privacy Act 1988 because they were ‘biometric information that was used for the purpose of automated biometric identification’, and the faceprints were also ‘biometric templates’.

“Biometric information is unique to an individual and cannot normally be changed,” Commissioner Falk said.

“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities.”

Commissioner Falk found that individuals did not give either express or implied consent to the collection of their facial images or faceprints, nor did 7-Eleven take reasonable steps to notify individuals of the collection of personal information.

The Commissioner also found that the large-scale collection of sensitive biometric information through 7-Eleven’s customer feedback mechanism was not reasonably necessary for the purpose of understanding and improving customers’ in-store experience.

“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy.”

In response to the OAIC investigation, 7-Eleven has ceased collecting facial images and faceprints as part of the customer feedback mechanism. It has also destroyed existing facial images.

Commissioner Falk has ordered that 7-Eleven also destroy all the faceprints it collected.

The Guardian ran a detailed story with “7-Eleven took photos of some Australian customers’ faces without consent, privacy commissioner rules”. Other coverage included “7-Eleven Australia deploys facial recognition on customer feedback tablets” and ZDNet with “7-Eleven breached customer privacy by collecting facial imagery without consent”.

What is interesting about this determination is that in June 2020 7-Eleven made it known that it was deploying facial recognition technology.  There was a series of stories in the second half of June and early July of 2020 regarding this approach by 7-Eleven, with Australian spokespeople for the company being quoted about using facial recognition.  These included “7-Eleven Australia Deploys Facial Recognition Technology” and itnews’ “7-Eleven Australia deploys facial recognition on customer feedback tablets”, amongst many other stories at that time.  Even the Australasian Association of Convenience Stores (AACS) started gushing with “The MASSIVE change coming to 7-Eleven: Stores roll out controversial facial recognition technology putting customers under constant surveillance – and the reason will surprise you”.  7-Eleven installed facial recognition in its stores in Thailand as far back as 2018.

This announcement was not met with uniform acclaim.  The New South Wales Council of Civil Liberties issued a release on 25 June 2020, “Concerns about facial recognition inside every Australian 7-Eleven store”.  It was a fairly drab and insipid release which did not even come close to addressing the issue of consent.  Little wonder it got no media traction.   On 9 July 2020 there was a negative story about this initiative with the 7 News piece “Customers concerned as 7-Eleven launches facial recognition inside every store”.  On 13 July the Commissioner’s Office made “preliminary inquiries” to 7-Eleven.  It was made aware by the media coverage no doubt.

The biggest practical lesson from this episode is that if an organisation is going to herald a practice or procedure which has privacy implications it needs to make sure it has complied with the Privacy Act.  Facial recognition technology has always been controversial in the developed countries.  The privacy issues are well known.  How this did not register with 7-Eleven’s lawyers is beyond easy understanding.  Perhaps they did raise it, in which case the Board of 7-Eleven were reckless.

If there is to be the implementation of privacy invasive technology it is also important for an organisation to show what has been done to comply with the Act if the regulator comes knocking.  It is clear from the determination that 7-Eleven put all of its energies into the process and none into the protection. Unfortunately that is not uncommon for organisations who find the lure of new shiny technology irresistible and the boredom of properly getting protections installed and proper consents insufferable. 7-Eleven’s assurances about the limited use of images, the short period they were held for and its argument that facial images are not personal information because they were not used to identify or track someone had a distinct feel of ex post facto justifications.  Not that 7-Eleven is alone.  I see on a semi regular basis organisations attempting to get their privacy and cyber security houses in order after a breach or a privacy complaint.  It rarely ends well.  For an organisation the size of 7-Eleven not to have done a Privacy Impact Assessment was a serious error.

 
