Australia: Privacy Commissioner issued statement on administrative tribunal's decision on Bunnings's use of facial recognition technology

On 5 March 2026, the Privacy Commissioner issued a statement on the administrative review tribunal’s decision on Bunnings’ use of facial recognition technology (FRT) under the Privacy Act. The Tribunal found that Bunnings’ use of FRT to address significant retail crime and protect staff and customers could be justified due to the scale of violence and theft in its stores and the security safeguards in place. However, it upheld earlier findings that Bunnings failed to properly notify customers and lacked adequate policies governing the technology. The Commissioner stated that the decision confirms that biometric data collected through facial recognition remains subject to Privacy Act safeguards, even when processed briefly. The Commissioner also noted that the ruling sets a high threshold for the deployment of facial recognition technology and that organisations must conduct detailed risk assessments before using such systems.