Australian Information Commissioner opens investigatoin into Bunnings and Kmart regarding use of facial recognition technology
July 13, 2022 |
In light of the finding of a breach of the Privacy Act 1988 by Clearview AI regarding its use of facial recognition technology in Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54 there was always a reasonable chance that the Information Commissioner would respond to the comprehensive complaint made by Choice against Bunnings, Kmart and the Good Guys regarding their use of facial recognition technology.
Today the Commissioner announced that her office had opened an investigation into Bunnings and Kmart.
The statement provides:
The Office of the Australian Information Commissioner (OAIC) has opened investigations into the personal information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology.
The investigations follow a report from consumer advocacy group CHOICE about the retailers’ use of facial recognition technology.
The OAIC has commenced preliminary inquiries with Good Guys Discount Warehouses (Australia) Pty Ltd following public reports that the company has paused its use of facial recognition technology.
In line with the OAIC’s Privacy regulatory action policy, no further comment will be made while the investigations are ongoing.
The Commissioner’s findings in the Clearview investigation were welcome. That there was no penalty of any sort beyond effectively cease and desist was disappointing.
Interestingly in an article published only a few days ago, 11 July, Innovations AU in Retailers’ facial recognition roll-out should have been avoided reports that privacy experts at a Privacy Enhancing Technologies Symposium took the view that a risk assessment/privacy impact assessment would have stopped the exercise before it started. In an ideal world yes. But the rigor of risk assessments in Australia varies widely and has not been the subject of any regulatory scrutiny.
The article provides:
A simple risk assessment would likely have stopped Bunnings, Kmart and The Good Guys from deploying controversial facial recognition security systems, according to privacy experts, who say that mandating the considerations could create a “seismic” improvement in data practices.
The three retailers are now facing backlash after consumer group Choice revealed their use of facial recognition technology last month and filed a complaint with the federal privacy regulator.
The companies defended the use of the technology as a way to make their stores safer and argued consumers had been informed by signage and privacy policies.
But under mounting pressure, The Good Guys backed away, saying it would “pause” its trial of the technology. The Wesfarmers retailers said they will continue to use it while awaiting a possible investigation.
At the Privacy Enhancing Technologies (PETS) Symposium in Sydney on Monday, experts said the high-profile incident demonstrated a lack of awareness about privacy risks and how to mitigate them.
“If Bunnings and Kmart had actually done a risk assessment on their technology and whether it was suitable to record everybody entering the store and check their facial characteristics, then I don’t think they would have come to the conclusion that it was such a good idea,” New South Wales Privacy Commissioner Samantha Gavel said at the event.
Privacy impact assessments are not required by law but are strongly recommended by the regulator for large businesses and government agencies when dealing with personal information, particularly sensitive information like the biometrics collected by facial recognition technology.
The assessments provide organisations with a systematic method for assessing the privacy impact of projects and then mitigate the risks.
Business consultant and lawyer Peter Leonard wants the risk assessments mandated to force companies to consider likely harms before deploying privacy invasive technologies or information sharing.
Mr Leonard, a member of the NSW Government’s Artificial Intelligence Review Committee, said requiring the assessment would be the fastest way to shift the needle to better data practices.
“If you’re regulated to require that — like you require environmental impact assessment to be done before somebody builds a new building or puts a new playing field somewhere — that would make a seismic shift, I think, in the level of compliance awareness out there,” he said at the PETS Symposium.
“Sometimes the difficult problems can be started to be solved in simple ways. I think risk assessment is really important.”
The weeklong event is showcasing the cutting edge in privacy enhancing technologies and providing workshops for the developers behind them.
Ms Gavel urged the participants to not think of the technology as a silver bullet.
“PETS can help ensure information is protected and kept secure. But security is only one piece of the privacy puzzle. On its own, it doesn’t ensure protection of privacy rights or compliance with privacy law.
“…Personal information needs to be secured and protected. But it’s equally important that it’s collected, used and shared lawfully as well.”