USE OF FACIAL RECOGNITION TECHNOLOGY – PRIVACY ACT OBLIGATIONS

Facial recognition technology, use this guide when collecting and handling biometric information

Increasingly businesses are using facial recognition technology to improve their security processes, prevent theft or to glean the demographic profiles of customers for marketing purposes. However, many people see facial recognition technology as an invasion of their privacy.

The collection of sensitive biometric information under the Privacy Act 1988 (Cth) is afforded a greater level of protection and non-compliance may result in enforcement action. Such was the case with 7-Eleven Stores Pty Ltd. It was collecting customers' facial images and faceprints and matching them with their customers' instore survey experience. The Office of the Australian Information Commissioner initiated investigation held that 7-Eleven:

  • did not get informed and current consent from their customers for the collection of this sensitive biometric information and biometric templates;
  • store notices and privacy policy did not adequately notify customers of the kinds of information they were collecting and the method and purpose of collection.

Material Facts

7-Eleven’s 700 stores nation-wide enabled a customer to complete a voluntary survey about the customer’s instore experience on a tablet inside the store. Each tablet had an inbuilt camera that took facial images of a customer as they completed the survey. The facial images were uploaded to a secure server hosted in Australia and the images were then deleted from the tablet. The service provider of the facial recognition tool used an application to convert the facial images to an encrypted algorithmic representation of the face (faceprint), which assessed and recorded inferred information about the customer’s approximate age and gender.

7-Eleven’s purpose for capturing the facial images and generating faceprints was to see whether customers were leaving multiple responses to the survey within a 20-hour period on the same tablet, so they could be flagged as potentially non-genuine and excluded from the survey results and to get a broad understanding of the demographic profile of customers.

The faceprints and customers’ answers to the survey were stored in an encrypted database. As at March 2021, 1.6 million survey responses had been completed.

Collection of facial images and faceprints were sensitive information

The facial images and faceprints were biometric information used for the purpose of automated biometric verification or identification and the faceprints were also biometric templates and thus sensitive information within the meaning of s6(1) of the Privacy Act.

Individuals depicted in the facial images and faceprints could reasonably be identified.

Given 7-Eleven collected sensitive information, APP 3.3 required 7-Eleven to obtain consent to the collection of information and it must be reasonably necessary for one or more of 7-Eleven’s functions or activities (unless an exception applies).

Consent

Four key elements of consent:

  • The individual is adequately informed before giving consent.
  • The individual gives consent voluntarily.
  • The consent is current and specific.
  • The individual has the capacity to understand and communicate their consent.

If you are handling an individual’s sensitive information, you should get their express consent before handling that information. However, the conduct of the individual may infer implied consent, but there must be no ambiguity or doubt about the individual’s intention.

7-Eleven claimed they gave notice at the entrance to its stores to alert customers they may be subject to facial recognition technology. There were three notices displayed with one saying “By entering the store you consent to facial recognition cameras capturing and storing your image.”

The privacy policy noted:

By acquiring or using a 7-Eleven product or service or providing your personal information directly to us, you consent to 7-Eleven collecting, storing, using, maintaining and disclosing your personal information for the purposes set out in this Privacy Policy.

….

7-Eleven may collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.

Generally we collect most personal information directly from you, for example where you:

use a feedback kiosk from our stores.

The customers were not informed on the tablet, in the vicinity of the tablet or during the process of completing the survey that 7-Eleven was collecting their facial images and faceprints.

The store notices were unclear and given their location, created an impression customer images captured using facial recognition CCTV camera was for the purpose of surveillance of the store.

The privacy policy did not link the collection of photographic or biometric information to the use of in-store feedback kiosks.

The Commissioner was of the view the customers were not adequately informed about what they were being asked to consent to, the store notices and privacy policy were neither current or specific and the general statement “acquiring or using a 7-Eleven product or service or providing your personal information directly to us, you consent …” undermined the voluntariness of any consent because it did not give a person the opportunity to choose what collections of information they were agreeing to and what they were not.

Was the collection of facial images and faceprints reasonably necessary for 7-Eleven’s functions and activities?

Implementing systems to improve customers’ in-store experience is a legitimate function or activity in support of 7-Eleven’s main function of selling petrol and convenience items in its stores, but it was not reasonably necessary or justified to collect customers’ sensitive biometric information (ie facial images and faceprints) to understand and improve the customers in-store experience. The risk of adversity to the individual if the information was misused or compromised was not proportional to the function or activity of understanding and improving customers’ instore experience.

7-Eleven did not conduct a privacy impact assessment (PIA) in relation to the in-store feedback mechanism project. A PIA would help analyse the possible impacts on individuals’ privacy resulting from collection and handling of biometrics and identify options for avoiding minimizing or mitigating adverse privacy impacts and they could have assessed the proportionality of collecting biometrics for the purpose of understanding customers’ in-store experience.

The Commissioner was of the view that 7-Eleven could have asked additional relevant survey questions in order to identify non-genuine responses and for demographic profiling.

Notification of the collection of personal information – APP 5, Privacy Act

APP 5.1 requires a business that collects personal information about an individual to take reasonable steps to notify the individual of such matters referred to in APP 5.2.

In conclusion, the Commissioner held the 7-Eleven store notices and privacy policy:

  • referred to the collection of images, but did not inform individuals about the collection of faceprints or the method by which 7-Eleven collected facial images and faceprints as required by APP 5.2(b);
  • did not adequately inform individuals about the purpose for which the above information was collected as required by APP 5.2(d). The store notices may have created a false impression facial images were captured for the purpose of store surveillance. The privacy policy noted the collection of photographic or biometric information for the purpose of identity verification when that was not the case. The notice could have stated the collection of facial images and faceprints for biometric matching in order to identify if any individual is leaving multiple survey responses and to assist with demographic profiling.

Publishing a privacy policy on a website will not provide notice and obtain consent

Even if the privacy policy did provide adequate information, simply publishing a privacy policy on a website does not infer consent because it is not current and specific to the circumstances in which information is being collected.

The Commissioner noted that while a privacy policy is a transparency mechanism that must include information about an entity’s personal information handling practices, it is not a way of providing notice under APP5. It is not reasonable to assume that customers will have searched for 7-Eleven’s privacy policy online and read it before entering the store and completing the survey.

If a business intends to collect sensitive information from its customers, a request for consent should:

  • clearly identify the kind of information to be collected, the recipient entities and the purpose of collection;
  • be sought expressly and separately from a privacy policy at a current point in time;
  • be fully informed and freely given.

If you don’t do the above, you arguably don’t have the individual’s consent to collect their sensitive information.

Key take-aways

  1. Conduct a PIA for any project involving the collection of biometric sensitive information which is a high risk activity. It will help analyse possible impacts on individuals’ privacy resulting from the collection and handling of sensitive information.
  2. If you collect and handle an individual's sensitive biometric information and biometric templates, get express informed consent from the individual.
  3. Make sure the collection notice is current (ie not a privacy policy sitting on a website) and specific on the facts and circumstances for collection of the sensitive biometric information and biometric templates and the method and purpose of collection, that way will you have current and informed consent.