Kmart’s goal, of stopping fraudulent returns, was narrow. But its execution was anything but. What it amounted to was the surveillance of every child, every parent, every person having their biometric signature – a digital replica of their face – recorded without their knowledge, for years.
“The sensitive biometric information of every individual who entered a store was indiscriminately collected by the FRT system,” Commissioner Carly Kind said in her ruling.
“I do not consider that Kmart could have reasonably believed that the benefits of the FRT system proportionately outweighed the impact on individuals’ privacy.”
Privacy commissioner Carly Kind. Credit: Nine
The rise of retail violence is very real, and issues of threats and phsyical attacks against staff and customers is on the rise. The fact that retailers like Kmart, Bunnings and The Good Guys would feel the need to enact mass surveillance shows their desperation.
But the fact is, facial recognition technology isn’t just another security camera.
Unlike a CCTV feed, which captures blurry images that may or may not be useful, FRT generates biometric data. That data is unique, unchangeable and highly sensitive. If your password is hacked, you can reset it. If your “faceprint” is hacked, there’s no reset button.
It’s for that reason that the Privacy Act treats biometric data as “sensitive information”, which is subject to higher protections than other data.
The commissioner says that new laws may be needed to specifically deal with FRT.
“In the absence of parliamentary intervention to specifically authorise the use of FRT systems without consent, these are the kinds of considerations I will continue to bring to my application of the Privacy Act to these emerging technologies, on a case-by-case basis,” Kind said.
Loading
For everyday Australians, the ruling represents a rare victory in the privacy arena. We’re living in an age where our data trails us everywhere: supermarket loyalty cards such as Flybuys track our shopping, smartphones log our movements and smart doorbells monitor our streets. We’re relatively used to that by now, and we’ve collectively accepted the trade-off that our phones and other devices need our data to ably function.
Facial recognition adds another layer, however – one that turns our identities into trackable, storable and potentially hackable data.
The collection and use of that data without consent is a trade-off that hasn’t yet been accepted.
Until now, one might have assumed that these types of technologies were confined to airports or policing. But as the Kmart and Bunnings cases show, the same tools are quietly creeping into the everyday spaces where we work, socialise and shop.
Loading
The lines of what’s acceptable are still being drawn. Some will argue that if you’ve done nothing wrong you’ve got nothing to hide. But the truth is, privacy still matters.
The commissioner’s ruling is a reminder that our faces aren’t loyalty cards, and that companies can’t just indiscriminately hoover up our most sensitive data without our permission.
As the commissioner herself put it: “The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted.”
There are legitimate reasons for businesses to use technologies such as FRT. But amid this era of data breaches, cyberattacks and escalating retail violence, we need to find a better balance that works for everyone.
