Facing the consequences of the Bunnings facial recognition ruling.

Author: Jeremy Szwider

18 February 2026

A significant decision from the Administrative Review Tribunal (Tribunal) has reshaped the conversation around facial recognition technology in Australian retail.

After a 2-year dispute, the Tribunal found that Bunnings was ‘reasonably entitled’ to use AI-driven facial recognition to combat serious retail crime and protect staff, despite an earlier determination by the Office of the Australian Information Commissioner (OAIC) that the practice breached the Privacy Act 1988 (Cth) (Privacy Act).

The Tribunal’s findings.

The Tribunal concluded that Bunnings’ use of facial recognition – trialled from 2018 and later expanded to more than 60 stores – was justified given the scale of theft, violence and repeat offending in its stores. The technology’s design, which rapidly deleted non-matching biometric data, was considered to minimise privacy intrusion. However, the Tribunal also noted that Bunnings fell short in transparency, particularly around signage, customer notification and privacy policy clarity.

The OAIC’s position.

This ruling stands in contrast to the OAIC’s 2024 finding that Bunnings had interfered with customers’ privacy by collecting sensitive biometric information without adequate consent. The OAIC emphasised that even momentary collection of biometric data constitutes ‘collection’ under the Privacy Act, and that organisations must meet strict obligations when handling such information.

In its public statement, the OAIC reiterated that the Privacy Act provides strong protections that apply equally to emerging technologies like facial recognition. It also stressed the importance of robust governance, transparency and safeguards when organisations process sensitive information.

What this means for businesses.

The decision may encourage other retailers to consider similar technologies, but it also serves as a warning: compliance is not optional. Even where a legitimate purpose exists – such as preventing crime – organisations must:

  • clearly inform customers about data collection;
  • maintain up-to-date and accessible privacy policies;
  • ensure data minimisation and secure handling; and
  • assess whether less intrusive alternatives exist.

Key takeaway.

The Bunnings case highlights a growing tension between safety, innovation and privacy. While the Tribunal’s ruling provides some comfort to retailers seeking to adopt AI-based security tools, the OAIC’s stance underscores that biometric data remains highly sensitive and tightly regulated. Any organisation considering similar technologies should proceed with caution and seek legal advice to ensure compliance with the Privacy Act.

The Bespoke team has extensive expertise in privacy, intellectual property and technology law. Please reach out to us to discuss.