Kmart Faces Privacy Breach Ruling for Unconsented Facial Recognition Use in Stores
September 18, 2025
Australia's privacy commissioner has ruled that Kmart breached privacy laws by using facial recognition technology in 28 stores from June 2020 to July 2022 without obtaining customer consent, collecting sensitive biometric data unlawfully.
The ruling emphasizes that biometric data is highly sensitive and cannot be collected without proper notification and consent, and it highlights the need for new laws to regulate facial recognition technology.
Kmart plans to appeal the decision, arguing that the use of facial recognition was limited and justified for crime prevention, but the privacy commissioner rejected this, stating the benefits did not outweigh the privacy invasion.
Facial recognition technology generates unique biometric data that, unlike traditional CCTV footage, cannot be changed if compromised, raising significant privacy concerns.
As facial recognition becomes more embedded in daily life, there is an ongoing debate about balancing security needs with protecting personal privacy rights.
This ruling marks a rare victory for privacy advocates and calls for parliamentary action to better regulate the use of biometric surveillance tools like FRT.
The privacy commissioner emphasized that companies cannot indiscriminately collect biometric data without permission, asserting that both safety and privacy rights must be upheld.
The commissioner clarified that the ruling does not ban facial recognition technology but underscores the importance of respecting customer privacy while addressing security concerns.
Kmart stated that the facial recognition trial was limited, with data only retained if linked to refund fraud, and denied using the data for marketing or other purposes.
Kmart is reviewing its legal options following the privacy breach ruling, amid rising concerns about retail crime and anti-social behavior.
This is the second similar case against a retailer, with Bunnings also under review for using facial recognition to reduce violent incidents, highlighting a broader issue in retail security practices.
The use of facial recognition by retailers like Kmart and Bunnings demonstrates how biometric surveillance is increasingly entering everyday spaces, raising questions about privacy and consent.
Biometric data is considered sensitive personal information under the Privacy Act, and its collection without notice or consent constitutes a serious breach, especially since biometric data cannot be reset if compromised.
Summary based on 4 sources
Sources

The Sydney Morning Herald • Sep 18, 2025
Kmart broke privacy laws by scanning shoppers’ faces
The Sydney Morning Herald • Sep 18, 2025
Face-off: What Kmart’s illegal surveillance means for shoppers
The West Australian • Sep 18, 2025
Kmart breached shoppers' privacy with facial tech
The West Australian • Sep 18, 2025
Kmart looking to appeal watchdog’s privacy breach ruling over retailer’s use of facial recognition technology