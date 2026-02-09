hen a match was made, staff were alerted. When no match was found, the data was deleted promptly. The system was designed to focus on repeat and high-risk behaviour, rather than general customer monitoring. For retail executives, though, the implications extend well beyond Bunnings. It asks whether AI surveillance can ever be part of the response to escalating store theft, and how retailers can balance the promise of greater security with community expectations of privacy and trust. However, legal experts have cautioned against reading the decision as a blanket endorsement of biometric surveillance. “This is only a partial win for Bunnings, not a complete win,” Clayton Utz law firm partner Steven Klimthas said. “Businesses should not read this decision as an endorsement of widespread use of biometric technologies. While this decision will be welcomed by businesses as an affirmation that privacy will not always trump business interests, it is far from a guarantee that facial recognition technology can be used without limitation.” Meanwhile, Holding Redlich general counsel Lyn Nicholson added that the Tribunal’s decision provides important clarification on how the Privacy Act applies to facial recognition in retail settings. “This week’s decision establishes that the Privacy Act does not impose a blanket prohibition on the use of facial recognition technology,” she said. “Its lawful use depends on a reasonable suspicion of unlawful activity and a proportionate response to that risk. “In this case, the Tribunal accepted that the scale and nature of violence and theft in Bunnings’ stores, including repeat offending, as well as features of the store environment such as multiple entry and exit points and the availability of items capable of being used as weapons, justified a targeted security response.” The Tribunal’s decision is the latest chapter in a messy legal dispute that followed an earlier ruling by the Office of the Australian Information Commissioner (OAIC), which, conversely, found that Bunnings had breached privacy laws by trialling the technology between 2018 and 2021. Bunnings appealed the decision, arguing that the technology was used narrowly to manage serious retail crime, violence, and threats against staff, rather than to monitor everyday customers moving through its stores. Now the Tribunal has finally agreed – but only in part. It accepted that facial recognition involves sensitive biometric data, yet found Bunnings was entitled to rely on a limited exemption under privacy law because it reasonably believed the technology was necessary to address real safety risks in its stores. At the same time, it upheld findings that Bunnings failed to meet its transparency obligations, ruling that customers were not adequately notified and that privacy disclosures were insufficient. The message was measured but firm: facial recognition can be lawful in retail settings where safety is at stake, but only when its use is proportionate, tightly governed and openly communicated. The Tribunal’s ruling did not land in isolation. Retail crime in Australia has risen sharply in recent years, with new data from the retail crime platform Auror highlighting why safety has become a pressing concern. Auror’s 2024 to 2025 data shows violent retail incidents rose 17 per cent year on year, threatening behaviour increased 26 per cent, and weapon-related events climbed 10 per cent. One in 10 retail crime events now involves violence or weapons, while one in five involves threats, intimidation or aggression. Auror told Inside Retail the Tribunal’s decision provides reassurance that retailers can use technology responsibly to protect frontline workers, provided strong governance, transparency and privacy safeguards are in place. In Bunnings’ case, managing director Mike Schneider has consistently cited staff safety as the motivation for the trial. As he stated following the Tribunal decision, “Our intent in trialling this technology was to help protect people from violence, abuse, serious criminal conduct and organised retail crime.” The Tribunal’s decision does not give retailers a free pass to roll out surveillance without accountability. Instead, it establishes a framework that allows crime prevention to justify the use of sensitive technologies under strict conditions. Clear signage and customer communication are required, and deployment must be proportionate and supported by documented privacy risk assessments. In its formal response, the OAIC reiterated that even momentary collection of biometric data constitutes collection under the Privacy Act, signalling continued scrutiny of facial recognition and other emerging technologies. The Bunnings ruling marks a watershed moment at the intersection of retail, technology and law in Australia. It suggests that, when used responsibly, AI surveillance can be part of the response to crime as traditional loss-prevention tools come under strain. It also sends a clear signal that technology without privacy governance is untenable. For retailers grappling with rising crime and tightening margins, the question is no longer whether the technology exists, but whether customers and communities will accept its use, and under what conditions. For now, the OAIC has not dropped the matter and may appeal the tribunal decision.