Extract from Sarah Birkett and Clarissa Kwee’s article “Australia: Facial Recognition Technology Continues to Breach Australian Privacy Act”
Three years after its investigation commenced, the Office of the Australian Information Commissioner (OAIC) has found that retail giant Kmart Australia Limited (Kmart) breached the Privacy Act 1988 (Cth) (Privacy Act) through its use of facial recognition technology (FRT) in 28 retail stores between June 2020 and July 2022.
This determination marks the OAIC’s second major ruling on the use of FRT in retail settings, following the October 2024 decision against Bunnings (summarised in a previous post here).
Kmart deployed FRT for the purpose of detecting and preventing fraudulent refunds. Images of every customer presenting at in-store returns counters were matched against a historical database of individuals who had previously engaged in refund fraud or theft. If a match was identified, staff members could refuse refunds to those customers.
