Tribunal partially overturns ruling on Bunnings privacy breach

Bunnings privacy law — The ART’s ruling provided concrete interpretations of privacy law

By Harry Booth February 5, 2026

Text Size

Bunnings’s controversial facial recognition trial has been given a partial green light after a regulatory review of data collection practices.

The Administrative Review Tribunal (ART) has partially overturned the ruling of the Office of the Australian Information Commissioner (OAIC), which found Bunnings to be in breach of privacy law with its in-store facial recognition technology (FRT).

Between November 6, 2018, and November 30, 2021, Bunnings operated FRT in one store as a trial, before expanding to 62 stores in NSW and Victoria from January 2019. The ART said that Bunnings ceased operating the FRT system on November 30, 2021.

The OAIC opened an investigation into this period on July 11, 2022. On October 29, 2024, it was determined that Bunnings unlawfully collected biometric data from individuals.

After its review, the ART found that Bunnings acted under the belief that the technology was necessary to address retail crime in its store. It also raised concerns about the lack of a privacy impact assessment prior to its rollout.

Its decision stated: “Retail crime in the nature of violence and theft is a very serious issue for Bunnings, and it was entitled to take action in response.

“We recognise and respect the view that this involves a significant intrusion into the privacy of individuals, but the effect of the technology in the FRT system minimised the intrusion by ensuring that the sensitive information was only momentarily held and that it was thereafter permanently deleted and unable to be accessed.

“Further, the wording of the legislation clearly places an emphasis on whether Bunnings reasonably believes that the collection of personal information was necessary in the circumstances.

“We have reached the view that Bunnings held the belief that using FRT was necessary, and we find that this was a reasonable belief to have based on the objective circumstances.”

However, it added that Bunnings must take “reasonable” steps to notify customers that personal information is being taken and stored. The ART therefore found Bunnings not to be in breach of Australian Privacy Principle (APP) 3.3, which rules the collection of biometric data, but found it to be in breach of both the transparency and notification clauses.

The OAIC, in response to the tribunal, has said that it is reviewing the decision and its implications on Australian privacy law.

“Today’s decision confirms the Privacy Act contains strong protections for individual privacy that are applicable in the context of emerging technologies,” the OAIC said. “It underscored the importance of APP entities maintaining good privacy governance and complying with the Australian Privacy Principles in adopting new tech, and that limited exemptions are subject to robust criteria that must be assessed on a case-by-case basis.”

Bunnings’ MD, Mike Schneider, welcomed the decision from the ART. “We welcome the decision from the Administrative Review Tribunal regarding Bunnings’ past trial of FRT,” he said.

“The safety of our team, customers and suppliers has always been our highest priority. Our intent in trialling this technology was to help protect people from violence, abuse, serious criminal conduct and organised retail crime.”