Choice makes complaint to the Australian Information Commissioner about Good Guys, Bunnings and Kmart using facial recognition. Meanwhile Good Guys is “pausing” its use of facial recognition

June 29, 2022 |

Choice has formally complained to the Australian Information Commissioner about the use of Facial Recognition by Kmart, Bunnings and the Good Guys.  Itnews has covered the story in Australian retailers named in facial recognition complaint

Choice’s announced the complaint by media release which provides:

CHOICE has asked the Office of the Australian Information Commissioner to investigate Kmart, Bunnings and The Good Guys for potential breaches of the Privacy Act (1988). CHOICE is concerned that the retailers’ practices related to their use of facial recognition technology pose significant risks to individuals. The social and economic risks include invasion of privacy, misidentification, discrimination, profiling and exclusion, as well as vulnerability to cybercrime through data breaches and identity theft.

Key issues

CHOICE has concerns with the retailers’ practices for two main reasons:

    1. Lack of notice and consent in the collection of sensitive information. The retailers’ use of online privacy policies and small signage in store as the key mechanisms to provide notice and obtain consent from individuals about the collection of their sensitive information is insufficient and non-compliant.
    2. The stated business purpose is disproportionate to the privacy harms posed to individuals. The retailers’ large scale collection and use of their customers’ sensitive information significantly invades the privacy of its customers. It is a disproportionate response to the risk of theft and anti-social behaviour in stores.

Choice has also made public the 16 page formal complaint.  It is comprehensive and refers to the Determination by the Information Commission against Clearview AI (Commissioner initiated investigation into Clearview AI, Inc. [2021] AICmr 54).  It is quite an impressive document. 

Choice alleges that the Kmart, Bunnings and the Good Guys breach the following Australian Privacy Principles (APPs):

APP 1.3 – have a clearly expressed and up-to-date APP Privacy Policy about how the
entity manages personal information;
? APP 3.3(a)(ii) – only collect ‘sensitive information’ where it is reasonably necessary;
? APP 3.3(a) – only collect ‘sensitive information’ with consent;
? APP 3.5 – only collect personal information by lawful and fair means; and
? APP 5.1 – take reasonable steps to notify an individual of the APP 5 matters or to
ensure the individual is aware of those matters.

As a prelude to the publishing its findings Choice undertook a survey of 1000 Australians about their awareness of facial recognition technology and found:

  • 76% of respondents didn’t know retailers were using facial recognition.
  • 83% of respondents think retail stores should be required to inform customers about the
    use of facial recognition before they enter the store.
  • 78% expressed concern about the secure storage of faceprint data.
  • 65% are concerned about stores using the technology to create profiles of customers
    that could cause them harm.

That is a very clever move.

Regarding the potential breaches :

APP1

Choice argues

  • retailers’ privacy policies (Appendix B) do not clearly express how the entities manage personal, including sensitive, information obtained through use of facial recognition technologies
  • retailers were not forthcoming on how they manage sensitive information obtained through facial recognition technologies. There is a reluctance by the retailers to be clear, transparent and upfront about their privacy practices

APP3

Choice argues:

  • The collection of any type of personal information, no matter how benign, must be reasonably necessary
  • this test involves consideration as to whether the impact on individuals’ privacy is “proportionate to a legitimate aim sought
  • the risk posed to the individuals must be weighed against the business objectives, and serious consideration must be applied to determining whether those objectives could be achieved in a less privacy-invasive manner
  • Risks associated with the collection and use of sensitive information through facial recognition technology include social and economic harms such as invasion of privacy, misidentification, discrimination, profiling and exclusion. In addition, data collected by the retailers could be vulnerable to cybercrime such as data breaches and identity theft
  • any benefit to the retailers is disproportionate to, and fails to justify, “the potential harms associated with the collection and handling of sensitive biometric information”, as outlined in your Determination against 7-Eleven
  • none of the exceptions, such as those listed at s.16A of the Act, apply to the retailers’ practices that are the subject of this complaint. The test for meeting the s.16A exception uses the phrase “necessary” rather than “reasonably necessary”, suggesting a higher threshold for an exception to be applied.
  • general claims about “loss prevention or store safety purposes” do not reflect a situation that is serious, immediate and/or targeted such as to justify the use of facial recognition on all customers entering a store as “necessary.
  • seeking express consent for the collection of sensitive information is critical “given the greater privacy impact this could have  but the retailers have not sought their customers’ express consent before handling their sensitive information.
  • the retailers did not seek oral or written consent from customers before their sensitive information was handled
  • the retailers have not obtained a valid consent from every individual whose sensitive information is being collected
  • The retailers cannot infer consent simply because they provided customers with notice of a proposed collection, use or disclosure of personal information as:
    • . Customers may not have seen the notices and
    •  may not have understood the implications, of the notices
  • the ‘voluntary’ element is missing, as customers have no alternative to conduct their shopping without being subject to facial recognition

APP5

Choice argues:

  • retailers have not provided sufficient notice to their customers regarding the collection and use of sensitive information in their privacy policies and signage in store
  • the online privacy policy does not provide sufficient notice to individuals about the collection and use of sensitive information in store
  • the signage at the entrance to the store is insufficient in notifying customers of the collection and use of sensitive information, as the signs do not expressly state that facial recognition technology is used to collect sensitive biometric information and for what purpose
  • due to the sensitivity of the personal information being collected, the retailers should have taken more rigorous measures to ensure that individuals were made aware of the retailers’ practices

As a result of Choice’s complaint the Good Guys have paused the use of facial recognition technology as reported in The Good Guys pauses facial recognition trial ( also covered with The Good Guys to temporarily stop using facial recognition technology amid privacy watchdog’s probe and The Good Guys to pause facial recognition technology following backlash) which provides:

The Good Guys, Australia’s second-biggest appliances chain, is pausing a trial of facial recognition technology in stores after a consumer group referred it to the privacy regulator for possible enforcement action.

Use of the technology by The Good Guys, owned by JB Hi-Fi, and two other retail chains was “unreasonably intrusive” and potentially in breach of privacy laws, the consumer group CHOICE told the Office of the Australian Information Commissioner (OAIC) in a complaint published on Monday.

The Good Guys said it would “pause the trial of the upgraded security system with the optional facial recognition technology being conducted in two of its Melbourne stores”. 

The company took confidentiality of personal information seriously and was confident it had complied with relevant laws, but decided “to pause the trial at this time pending any clarification from the OAIC regarding the use of this technology”, it added.

The decision by The Good Guys to pause the trial leaves the two other chains named in the CHOICE complaint, Bunnings, which is Australia’s biggest home improvement chain, and the domestic version of big box retailer Kmart, both owned by Wesfarmers, in the sights of the regulator, which has powers to fine companies that breach privacy law.

“This is an important step in the right direction for The Good Guys, and a decision we know reflects community expectations,” CHOICE policy adviser Amy Pereira said in a statement.

“Bunnings and Kmart are lagging behind when it comes to any kind of commitment to stop the unethical and unnecessary use of facial recognition technology in their stores.”

A Kmart spokesperson said the company was giving the technology a trial “in a small number of stores for the limited purposes of safety and loss prevention” and complied with the law.

Bunnings was not immediately available for comment on the decision by The Good Guys but said previously that it only used the technology for security after an increase in the number of “challenging interactions” faced by its team. It accused CHOICE of an “inaccurate characterisation”.

The OAIC has said it is reviewing the complaint.

Last year, the regulator ordered the Australian 7-Eleven chain to destroy “faceprints” collected at 700 convenience stores on iPads set up to run customer surveys.

It also ordered US software developer Clearview AI, which collects images from social media websites to build profiles of people, to destroy data and stop the practice in Australia.

 

Some of the interesting

Leave a Reply





Verified by MonsterInsights