Australia: Administrative Review Tribunal issued decision regarding Bunnings Group Limited's use of facial recognition technology

On 4 February 2026, the Administrative Review Tribunal issued a decision concerning Bunnings Group Limited’s use of facial recognition technology. The Tribunal affirmed the Privacy Commissioner’s findings that the company contravened Australian Privacy Principles (APP) 1 and 5 by failing to provide appropriate notice to individuals and by not conducting a formal, structured, and documented privacy risk assessment prior to deployment. The Tribunal also endorsed the Commissioner’s interpretive framework for assessing reliance on consent exemptions, including consideration of suitability, effectiveness, proportionality, and the availability of less privacy-intrusive alternatives. However, it diverged from the Commissioner’s conclusion under APP 3.3, finding that Bunnings was entitled to rely on a consent exemption for the limited purpose of preventing retail crime and protecting staff and customers from violence, abuse, and intimidation. Subsequent to the decision, an appeal period is applicable.