Kmart Australia’s implementation of facial recognition technology violated privacy protections

Kmart Australia has faced significant scrutiny after the Office of the Australian Information Commissioner (OAIC) ruled that the retailer breached the privacy of potentially “hundreds of thousands” of individuals by using a facial recognition technology system to detect refund fraud over a two-year period. The OAIC found that Kmart “indiscriminately” collected personal and “sensitive biometric information” from all individuals entering 28 stores where the technology was implemented between June 2020 and July 2022. As a result of this ruling, Kmart has been ordered to issue a public apology, which must be displayed prominently on its website. A spokesperson for Wesfarmers, Kmart’s parent company, expressed disappointment with the ruling and indicated that the company is considering its options for appeal.

The controversial pilot program, which began on June 20, 2020, aimed to detect and prevent fraudulent activity, including identifying individuals with a history of theft or refund fraud. The OAIC’s investigation, initiated on July 15, 2022, revealed that the system used CCTV video feeds to capture facial images of all individuals entering the stores and at the returns desk. The software generated multiple images from the footage, which were then compared against a database of suspected fraudsters. While Kmart maintained that images were only retained if they matched a person of interest, the OAIC argued that less intrusive methods could have been employed. Commissioner Carly Kind stated that the benefits of the system did not outweigh the significant impact on individuals’ privacy, emphasising that the collection of sensitive information from all store entrants was not justified.