It will come as no surprise to anyone who is somewhat technologically literate, that as technology advances, the concerns about privacy also increase. A valid concern considering the difference in speed at which technology and the law move. Overseas, facial recognition technology is used by government to create a social credit system for citizens, where their every move affects their standing in society, made possible only through this technological advance. In Australia, the concerns over a citizen’s privacy mean that all must tread carefully when obtaining and using a person’s private information, but this concern has not stopped businesses in using this technology. As citizens, we hope that the benefits to the bottom line do not invade our privacy to the extent seen overseas, but recent investigations and complaints made against a number of corporations indicate that perhaps this technology, is more far extensively used here than expected. But is it legal at the end of the day for these businesses to be using facial recognition technology?
What is Facial Recognition Technology?
In this article, Facial Recognition Technology is the technology used to automatically identify an individual’s photo of their face. This can be done by matching the photo provided by one person against another image of that same person to see if they are the same person. The alternative is where an image of an individual is identified by comparing it to a database of images. This form of Facial Recognition Technology is known as “one-to-many” and is the focus of this article. In general, Facial Recognition Technology is widely used in a number of accepted circumstances such as by immigration and by law-enforcement, but this article will focus on when it is used by businesses and if indeed it can be used by businesses.
The Current Law
Facial Recognition Technology in Australia is currently governed by different layers of law between federal and state governments. This area of law is regulated by the Office of the Australian Information Commissioner (“OAIC”).
For example, the surveillance aspect of Facial Recognition Technology is governed in New South Wales by the Surveillance Devices Act 2007 (NSW).
More relevantly in New South Wales, the Privacy Act 1988 (Cth) governs the privacy aspect of Facial Recognition Technology. Although the Privacy Act does not explicitly refer to Facial Recognition Technologies, it is intended to be technologically neutral and thus applicable in a broad set of circumstances. Schedule 1 to the Privacy Act, contains the 13 Australian Privacy Principles (“APP”) which applies to organisations with an annual turnover with $3 million or more and some other organisations. A maximum fine of $2.2 million is applicable in Australia for breaching the Privacy Act, much lower than many overseas jurisdictions.
Importantly, the law treats the biometric information obtained from Facial Recognition Technology i.e. for the purpose of “automated biometric verification” or “biometric identification” as a type of “sensitive information”. “Sensitive information” is afforded higher protections than other types of simple personal information.
Accordingly, except in certain circumstances, consent must be obtained prior to the collection of sensitive information by Facial Recognition Technology and the collection must be reasonably necessary.
Recent Cases
Recent cases in Australia have highlighted how the use of Facial Recognition Technology is a sensitive topic, and the public backlash in respect to its misuse.
Clearview AI, Inc.
On 14 October 2021, OAIC handed down a decision that Clearview AI, breached the APP’s. Clearview AI has since ceased collecting biometric information for individuals in Australia.
Clearview AI collected images of faces and biometric templates from social media and publicly available websites and provided a facial recognition tool to users. Users could upload a photo of an individual and then Clearview AI would link the photo with the images on its database.
As taken from the OAIC website: “The OAIC determination highlights the lack of transparency around Clearview AI’s collection practices, the monetisation of individuals’ data for a purpose entirely outside reasonable expectations, and the risk of adversity to people whose images are included in their database.”
Clearview AI was also fined 20 million euros by Greek data protection authorities, a 7.5 million pound fine by the UK data protection authority, 20 million euros by Italian data protection authorities for breaching relevant privacy laws overseas.
7-Eleven Stores Pty Ltd
On 29 September 2021, OAIC handed down a decision that 7-Eleven, breached the APP’s. 7-Eleven has ceased collecting facial images and destroyed the images it had collected.
7-Eleven obtained surveys between June 2020 and August 2021 on tablets which obtained facial images. These were used to generate face prints to assist in excluding response that are not genuine and providing understanding of the demographic profile of customers. Each 7-Eleven store had a notice outside that had an image of a surveillance camera and some also had the text “By entering the store you consent to facial recognition cameras capturing and storing your image”, further 7-Eleven privacy policy contained the words “you consent to 7-Eleven collecting, storing, using, maintaining and disclosing your personal information for the purposes set out in this Privacy Policy”. The OAIC found no consent (either implied or express) was provided and that these images were found to be sensitive information not necessary for the business of 7-Eleven.
The OAIC importantly stated that there are 4 elements to obtaining valid consent being that the individual must be adequately informed, have capacity to understand and communicate consent, voluntarily providing consent, and the consent must be current and specific.
Bunnings Group Limited and Kmart Australia Limited
On 12 July 2022, OAIC opened an investigation into Bunnings and Kmart, and are yet to hand down their determination. In the meantime, both Bunnings and Kmart have paused their use of Facial Recognition Technology.
Both Bunnings and Kmart captured images of people’s faces from video cameras and stored them as face prints, supposedly for the purpose of the protection of customers and staff and the reduction of theft. It is unclear what level of consent was obtained in relation to this collection of sensitive information.
It remains to be seen whether these companies have been determined to have breached the Privacy Act.
Takeaway - Conclusion
The use of Facial Recognition Technology is a sensitive subject.
Firstly, care should be taken in understanding the law in this area if a business is reasonably required to use Facial Recognition Technology.
Secondly, the practical outworking of how compliance with the law is different depending on a business’ particular circumstances and how Facial Recognition Technology is being used in those circumstances. Consideration should be given, amongst other things, to obtaining proper consent, and whether the use is reasonably necessary.
Thirdly, it should be understood that this area of law may be subject to change in the future as Facial Recognition Technology becomes more widely used and the law catches up to its use and misuse.
In short, businesses should be careful in their use of Facial Recognition Technology to avoid public backlash as well as an adverse determination by OAIC.
If you have any questions or concerns in this area, please contact our office on (02) 9688 6023 and speak with one of our lawyers.
This is not legal advice.
