Privacy agency finds .004 seconds of storage violates rights • The Register


Australian hardware chain Bunnings Warehouse will challenge a ruling by local regulators who found it violated shoppers’ privacy by checking their identities with facial recognition tech.

Australia’s privacy commissioner Carly Kind on Tuesday found “Bunnings collected individuals’ sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy.”

The chain’s sin was in using CCTV to capture the face of everyone who entered 63 of its stores between November 2018 and November 2021.

“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology (FRT) was in use and especially that their sensitive information was being collected, even if briefly,” stated commissioner Kind.

Note the “briefly” in that canned quote – it’s a big part of why Bunnings has decided to seek a review of the decision.

“The electronic data of the vast majority of people was processed and deleted in 0.00417 seconds – less than the blink of an eye,” stated Bunnings managing director Mike Schneider in a company statement.

Schneider wrote that Bunnings only used FRT “to protect our team, customers, and suppliers against the ongoing and increasing exposure to violent and organized crime, perpetrated by a small number of known and repeat offenders.”

“While we can physically ban them from our stores, with thousands of daily visitors, it is virtually impossible to enforce these bans,” Schneider added. FRT gave Bunnings “the fastest and most accurate way of identifying these individuals and quickly removing them from our stores.”

Shoppers who weren’t suspected of being among those individuals were scanned by CCTV and had their mugshots compared to a database of suspected perpetrators of violence, before images were swiftly deleted if a match was not made.

“We believe that customer privacy was not at risk,” Schneider therefore argued, adding that “electronic data was never used for marketing purposes or to track customer behavior.” And only six Bunnings staff could see the database of suspected violent shoppers – but reviews of the list were sporadic and not documented. Further, images captured using CCTV were of sufficient quality to be used in the database.

The GM expressed his disappointment that examples of violence against Bunnings staff didn’t sway the commissioner’s view.

But in her decision, commissioner Kind found Bunnings could not “have reasonably believed that collecting, via the FRT system, the personal information of all individuals who entered a relevant store was necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.”

She also felt that the hardware megastore’s big mistake was not informing customers about the FRT tests – even with a sign at the front of stores.

Such signs are often packed with dense text. When your correspondent briefly studied law, lecturers advised us to stop and read them – even if doing so could cause delays at the entrance to facilities like carparks – to make a point about taking terms and conditions seriously.

Privacy is a hot topic in Australia, thanks to recent high-profile data breaches and debate about shielding children from the worst of social media.

Bunnings, however, has achieved strangely iconic status in Australian life. Despite being owned by a ruthlessly profit-seeking megacorp and utterly dominating its industry, the chain is celebrated for hosting community group barbecues on weekends – a fundraising gimme that sporting clubs and charities covet. So pervasive is the chain that it was parodied in TV show Bluey – the most viewed program in the US last year – which re-named it “Hammerbarn.”

Bluey is so popular that Bunnings temporarily re-named some of its stores “Hammerbarn” as part of a cross-promotion that won it reams of good press.

But we digress: the regulator has told Bunnings not to do this again, and the chain is happy to comply. But that’s not going to stop it appealing the decision that it breached its privacy obligations. When it’s all over, hopefully we’ll have a better idea of whether .004 seconds of data retention really does amount to a breach of privacy. ®
