Key points

In-store notices stating that patrons are "under surveillance" may be insufficient to comply with the store's privacy obligations, particularly if biometric analysis of facial images is involved.

The collection of biometric information requires customer consent and must be "reasonably necessary" for the store's functions or activities.

A general notification that patrons are "under surveillance" may not provide adequate notice, or elicit effective consent, for the purposes of the Privacy Act 1988.

The existence of a privacy policy will not necessarily satisfy the notification requirements set out in Australian Privacy Principle 5.

With the increasing use of biometric analysis in connection with the monitoring of customer behaviour, businesses should give careful consideration to their in-store "surveillance" signs.

The issue

It is commonplace for stores to install CCTV for security reasons, and to utilise image-capturing devices for a range of other purposes.

Businesses need to ensure that in monitoring individuals in this manner, they comply with applicable Australian data protection laws.

Commonly, stores will post a notice in a public area, alerting patrons that the premises are under surveillance. Properly displayed, these notices may be effective from a privacy perspective if the function of CCTV surveillance is merely to provide real-time security observation of individuals' movements within the store in order, for example, to guard against shoplifting.

Much depends, however, on how the captured images are used. When biometric analysis is involved, for example, some in-store surveillance notices may prove to be inadequate.

Biometric identification, in this context, involves the capturing of physical characteristics, such as facial features, and then matching that data against other stored information in order to identify a known individual, or to ascertain whether images of two unnamed individuals in fact involve the same person.

Surveillance of this nature raises a number of issues under the Privacy Act 1988:

  • Is the collection of "personal information" involved? If so, and assuming the business has an annual turnover of $3m or more, the information must be handled in accordance with the Australian Privacy Principles.
  • If "personal information" is involved, does that information also fall into the category of "sensitive information"? If so, then the consent of the individual is required as a condition of collection. Furthermore, the collection of that information must be "reasonably necessary" for one or more of the store's functions or activities.
  • If the collection of personal information (including sensitive information) is involved, does the method of collection comply with Australian Privacy Principle (APP) 3, and has the individual been provided with adequate notice as to the purpose of collection and associated matters prescribed by APP 5?

There is no question that CCTV security footage which identifies an individual entering a store will constitute the "collection" of personal information for the purposes of APP 3.¹ CCTV is not, however, the only means by which facial images may be captured, nor are facial images necessarily collected only for security purposes. Captured images may be used for specific individual identification through the generation of encrypted algorithmic representations of the customers' faces, or "faceprints".

Such were the issues considered in a matter recently before the Privacy Commissioner, 7-Eleven Stores Pty Ltd [2021] AICmr 50. The Commissioner was required to determine whether the store had interfered with customers' privacy through the use of a facial recognition tool in connection with a customer survey and feedback mechanism. The technology, incorporated within a tablet, was deployed over a 2-month period during which customers were invited to complete a voluntary survey. The purpose of capturing the faceprint was to eliminate persons who distorted the survey by providing multiple responses, and also to gain an understanding of customer demographics.

Against this background, a key issue of relevance to Australian businesses was the adequacy of the store's notices which alerted customers to the possibility that they were under surveillance.

"Personal information"

The first issue to be determined by the Commissioner in 7-Eleven was whether the collection of "personal information" was involved.

Personal information is defined in section 6(1) of the Act as, inter alia, "information or an opinion about an identified individual, or an individual who is reasonably identifiable". The definition accordingly has two elements – whether an individual is "reasonably identifiable", and whether the information is "about" that individual.

The two elements are necessarily intertwined. It may be possible to identify an individual by analysing information collected for a distinct technological function but which is not information "about" that individual. Hence in Privacy Commissioner v Telstra Corporation Ltd², the Full Court of the Federal Court held that although an IP address was allocated by Telstra to a mobile device which could be owned by a particular individual who in some instances might be identifiable, the information was not "about" the individual but "about" the way in which Telstra delivered a call or message to its intended recipient.

This was pertinent in 7-Eleven because whilst it may have been fairly uncontentious that the facial images initially collected on the tablets were "about" the individual data subject, the issue became clouded once those images had been converted to digital representations in the form of faceprints. In this instance, the Commissioner concluded that the faceprints also amounted to "personal information", noting that a person can be identifiable "where it is possible to identify the individual from available information, including, but not limited to, the information in issue".

As customers' facial images were analysed to generate faceprints, and these faceprints were compared to other faceprints to identify similarities, it was possible to distinguish a specific individual from others whose faceprints were held on the server. The facial recognition tool directly linked individuals' faceprints with survey responses, by using each faceprint as an 'identifier' to detect if the same individual was leaving multiple survey responses, and this process also enabled individuals to be identified.

On this basis, the Commissioner concluded that faceprints could constitute "personal information".

"Sensitive information"

Having determined that "personal information" had been collected, it was necessary in 7-Eleven for the Commissioner to determine whether that information was "sensitive information". "Sensitive information" may only be collected with the consent of the individual³, and the collection must be reasonably necessary for one or more of the collecting entity's functions or activities.⁴

Relevantly in this instance, the definition of "sensitive information" in section 6 of the Act expressly incorporates "biometric information that is to be used for the purpose of automated biometric verification or biometric identification", and "biometric templates".

"Biometric" is not defined in the Act, but the Commissioner had little difficulty concluding that the images collected by the facial recognition tool satisfied this requirement, noting that the term "biometrics" encompasses "a variety of different technologies that use probabilistic matching to recognise a person based on their biometric characteristics" and that the term "biometric template" was "a digital or mathematical representation of an individual's biometric information" which could be used by machine learning algorithms to match with other biometric information for verification or identification purposes.

The notification process

Having established that the collection of "sensitive information" was involved, one of the issues to be considered by the Commissioner in 7-Eleven was whether the individual customers had provided their consent.

This led to a consideration of the adequacy of privacy policies and store notices.

The store notices included a statement that "By entering the store you consent to facial recognition cameras capturing and storing your image", and the privacy policy contained the following statement:

7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.

The Commissioner concluded that the existence of these notices was inadequate to constitute "consent". Although use of the tablet for the survey was voluntary, the act of using it did not unambiguously indicate an individual's agreement to collect their facial image and faceprint, particularly bearing in mind that the store notices were unclear and "given the prevalence of these kind of notices in stores and public places, may have created an impression that the respondent captured customers' images using a facial recognition CCTV camera as part of surveillance of the store". Any such notice should have been specific to the survey, advised customers how their personal information would be used, and unbundled from consent to other forms of surveillance within the premises.

It was also relevant that the store's privacy policy did not link the collection of photographic or biometric information to the use of in-store 'feedback kiosks'. In this regard, the Commissioner added, significantly, that:

Even if the Privacy Policy had included comprehensive information about the information collected by the respondent through the facial recognition system and how it is handled, an APP entity cannot infer consent simply because it has published a policy about its personal information handling practices. A privacy policy is a transparency mechanism that, in accordance with APP 1.4, must include information about an entity's personal information handling practices, including how an individual may complain and how any complaints will be dealt with. It is not generally a way of providing notice and obtaining consent. Any consent inferred from the existence of a privacy policy would not be current and specific to the circumstances in which the information is being collected.

Reasonable necessity

Having determined that the store failed to elicit effective consent from customers, it was further determined in 7-Eleven that the collection of the sensitive information was in any event not reasonably necessary for the store's functions or activities.

Whilst the implementation of a system to help understand and improve customers' in-store experience was a legitimate function or activity in itself, the collection of customers' sensitive biometric information (including facial images and faceprints) was not "reasonably necessary" to that end. The risk of the misuse or compromise of the data was disproportionate to the objectives of the survey. There were other less invasive ways of identifying potentially non-genuine responses or collecting demographic information, particularly through the use of additional questions.

This scenario might have been averted, the Commissioner said, if the store had conducted a privacy impact assessment (PIA) prior to implementing the project.

Collection notice

The respondent asserted that its store notices and privacy policy satisfied the requirements of APP 5.

The Commissioner concluded, however, that the store notices were inadequate because they did not adequately inform individuals about the fact and circumstances of collection of facial images and faceprints as required by APP 5.2(b). Although they referred to the collection of images, they did not inform individuals about the collection of faceprints, or the method by which the respondent collected facial images and faceprints. The Commissioner observed:

To meet the above requirement, I would expect the respondent to have provided a collection notice that specifically stated that:

– The respondent collects facial images of individuals who complete the feedback survey on tablets in front of cashiers in the respondent's stores. (I would expect a similar level of detail in descriptions of any other locations of tablets.)

– The respondent analyses the facial images using facial recognition technology to generate and collect faceprints of those individuals.

The Commissioner also considered that the privacy policy was insufficient to enable individuals to understand the specific function or activity for which the respondent collected the personal information. The respondent did not collect facial images and faceprints to verify individuals' identities. The respondent collected this information to detect if the same person was leaving multiple responses to the survey within a 20-hour period on the same tablet. In this regard, the Commissioner observed:

To meet the above requirement, I would expect the respondent to have provided a collection notice with a more detailed description of the purposes of collection. For example, the collection notice could have stated that the respondent collects facial images and faceprints for biometric matching, in order to identify if an individual is leaving multiple survey responses within a period of time, and to assist the respondent with demographic profiling.

Importantly, at a more general level, the Privacy Commissioner added a reminder that simply publishing a privacy policy does not amount to compliance with APP 5, because it is "not reasonable to assume that customers will have searched for the respondent's Privacy Policy online and read through it before entering the store and completing the survey". The Commissioner observed:

Instead, having regard to the sensitivity of the information, the respondent should have included a collection notice on, or in the vicinity of, the tablet screen. The collection notice should have notified customers about APP 5 matters before the start of the survey, and crucially, before the first facial image of the customer was captured. This was a practical and cost-effective step that the respondent could reasonably have taken in the circumstances, to draw customers' attention to the collection of their sensitive biometric information and the purpose of that collection. However, the respondent did not take such a step.

Surveillance legislation

Given the common use of the term "surveillance" in in-store notices, it is appropriate to make passing reference to Australia's surveillance legislation.

Australia has a mix of federal, State and Territory surveillance Acts.⁵ Not all of that legislation is relevant to the circumstances under discussion in this article, but in some circumstances the regulation of optical surveillance devices may raise similar issues regarding the adequacy of the consent process – this may arise under the Victorian, New South Wales and Western Australian legislation.

In addition, workplace surveillance laws applicable in Victoria, New South Wales and the Australian Capital Territory give rise to questions about the adequacy of surveillance notification in the workplace environment, but this is starting to stray from the central focus of this article.

"Invasion of privacy"

Finally, and again in passing, it should be noted that some customers who find that they have been unwillingly and unconsciously subjected to video surveillance may feel that their privacy has been invaded in a more general sense. Be that as it may, there is no common law remedy under Australian law for "invasion of privacy".

The absence of a remedy in tort for invasion of privacy was initially established by the High Court in 1937.⁶ The court gave some indication in 2001 that the issue might be reconsidered⁷ but, despite some early speculation⁸, it is clear that a common law remedy is yet to emerge.⁹

The creation of a statutory remedy has been the subject of numerous recommendations and reports, and is currently included within the scope of a Commonwealth government discussion paper dealing with a range of issues arising out of the ACCC's 2019 Digital Platforms Inquiry. Simply titled Privacy Act Review: Discussion Paper, the stated objective of the review is to "consider whether the scope of the Privacy Act 1988 and its enforcement mechanisms remain fit for purpose". A review and assessment of numerous contentious issues is foreshadowed, including the question of whether a statutory tort for serious invasion of privacy should be introduced.

Footnotes

1 Australian Privacy Principles Guidelines, Version 1.1, July 2019, para 3.7
2 (2017) 249 FCR 24; 262 IR 230; [2017] FCAFC 4
3 Australian Privacy Principle 3.3(a)
4 Australian Privacy Principle 3.3(a)(ii)
5 Surveillance Devices Act 2004 (Cth); Surveillance Devices Act 1999 (Vic); Surveillance Devices Act 2007 (NSW); Surveillance Devices Act 1998 (WA); Surveillance Devices Act 2016 (SA); Invasion of Privacy Act 1971 (Qld); Listening Devices Act 1991 (Tas); Listening Devices Act 1992 (ACT)
6 Victoria Park Racing and Recreation Grounds v Taylor (1937) 58 CLR 479
7 Australian Broadcasting Corp v Lenah Game Meats Pty Ltd (2001) 208 CLR 199; 76 ALJR 1; [2001] HCA 63
8 Grosse v Purvis [2003] Aust Torts Reports 81-706; [2003] QDC 151; Doe v Australian Broadcasting Corp [2007] VCC 281
9 Kalaba v Commonwealth [2004] FCA 763; Giller v Procopets (No 2) (2009) 24 VR 1; [2009] VSCA 72; Giller v Procopets [2004] VSC 113; Sands v South Australia [2013] SASC 44; Wilson v Ferguson [2015] WASC 15
