- AKA - How NOT to rely on your (and your contractor’s) privacy policy

The Office of the Australian Information Commissioner has recently published the Commissioner’s decision following an investigation into the use of facial recognition technology by 7-Eleven Stores Pty Ltd (7-Eleven).  Between 15 June 2020 and 24 August 2021, 7-Eleven collected more than 1.6 million survey responses through its customer feedback mechanism which incorporated an automated biometric identification system.  The Commissioner found the convenience store giant had breached Australian Privacy Principles (APP) 3.3 and 5 in relation to its collection of customers’ facial images and ‘faceprints’.  Accordingly, the Commissioner declared that 7-Eleven had interfered with the privacy of individuals whose facial images and faceprints it had collected, and ordered that all faceprints be destroyed within 90 days.

KEY TAKEAWAYS

This decision is a must-read for APP entities that collect – or intend to collect – any form of sensitive information (including biometric information) from their customers.  It highlights the importance of obtaining informed, voluntary, current and specific consent to the collection of sensitive information, and warns against the practice of relying on a privacy policy (published online) to give notice of, and obtain consent to, the collection of such information.

The Commissioner provided useful guidance on how entities should go about giving notice to, and obtaining consent from, their customers.  In particular, a collection notice and request for consent should both:

  1. provide a detailed description of the kind of information to be collected, the recipient entities, the method of collection and the purpose of collection; and
  2. be given expressly, separately from a privacy policy, and contemporaneously with the collection of the information.

Importantly, the Commissioner warned that a privacy policy is a transparency mechanism rather than a means of obtaining consent under APP 3.3, or giving notice under APP 5, and merely publishing a privacy policy online does not amount to compliance with those APPs.

BACKGROUND

7-Eleven’s customer feedback mechanism

7-Eleven, which is an ‘APP entity’ under section 6 of the Privacy Act 1988 (Cth) (Act), has more than 700 stores around Australia.  In mid-2020, 7-Eleven deployed a nationwide customer feedback mechanism whereby customers were asked to complete a voluntary survey about their in-store experience, using tablet devices located in each store.  The customer feedback mechanism was supplied by a third party (Service Provider).  Using its built-in camera, each tablet took facial images of survey respondents (images) while they completed the survey, and the images were then uploaded onto a secure server (Server) – where they were kept for 7 days – and deleted from the tablet.  The Service Provider used an Application Programming Interface (API) to convert each image into an encrypted algorithmic representation of the respondent’s face (faceprint) to extrapolate information about the approximate age and gender of the respondent, and recorded that information.  Each faceprint generated from an individual’s image was directly linked to that individual’s survey response.  All faceprints collected by the same tablet within a 20-hour period were sent as a batch to another API to identify similarities between different faceprints in the same batch, and a ‘high probability match’ resulted in the corresponding survey responses being flagged.  Unlike the images, the faceprints were stored on the Server for an indefinite period of time.  The purpose of collecting images and faceprints was to enable 7-Eleven to understand its customers’ demographics and to detect instances where multiple survey responses were given by the same individual using the same tablet within a 20-hour period, thereby enabling 7-Eleven to exclude potentially non-genuine responses.

7-Eleven’s in-store notice and Privacy Policy

7-Eleven had, during the relevant time, displayed a notice (Store Notice) at the entrance of each store which included, amongst other things, an image of what appears to be a video or CCTV camera, accompanied by the following text:

Site is under constant video surveillance. 

By entering the store you consent to facial recognition cameras capturing and storing your image.

On the other hand, 7-Eleven’s Privacy Policy stated:

What personal information we collect and hold

We only collect personal information that is reasonably necessary for our business functions and activities and to provide you with our products and services.

By acquiring or using a 7-Eleven product or service or providing your personal information directly to us, you consent to 7-Eleven collecting, storing, using, maintaining and disclosing your personal information for the purposes set out in this Privacy Policy.

7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent.  7-Eleven collects and holds such information for the purposes of identity verification.

 

How we collect personal information

Generally, We collect most personal information directly from you, for example where you:

  • use a feedback kiosk from our stores; …

Otherwise, no other information was given about 7-Eleven’s collection of images and faceprints, on or near each in-store tablet, or during the survey process.

ISSUES

In order for the Act (and the APPs contained therein) to apply, the images and faceprints collected by 7-Eleven must fall within the definition of ‘personal information’ under the Act.  Section 6(1) of the Act defines ‘personal information’ as:

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

Once that initial threshold has been met, it would be open to the Commissioner to determine whether 7-Eleven had breached APP 3.3 and 5.

APP 3.3 relevantly states:

An APP entity must not collect sensitive information about an individual unless:

  1. the individual consents to the collection of the information and:

     (ii) if the entity is an organisation – the information is reasonably necessary for one or more of the entity’s functions or activities; or

  2. subclause 3.4 applies in relation to the information.

(emphasis added)

The relevant issues to be determined under APP 3.3 were:

  1. whether the images and faceprints were ‘sensitive information’;
  2. whether survey respondents had consented to the collection of images and faceprints;
  3. whether the collection of images and faceprints was reasonably necessary for 7-Eleven’s functions or activities; and
  4. whether APP 3.4 applied in the circumstances.

APP 5 deals with the notification of the collection of personal information.  APP 5.1 states:

At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:

  1. to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or
  2. to otherwise ensure that the individual is aware of any such matters.

(emphasis added)

APP 5.2 sets out the matters that an APP entity must notify the individual of, including:

  • where the individual may not be aware that the entity has collected the personal information, the fact that the entity so collects, or has collected, the information and the circumstances of that collection (APP 5.2(b)(ii)); and
  • the purpose for which the entity collects the personal information (APP 5.2(d)).

The relevant issues to be determined under APP 5 were:

  1. whether 7-Eleven took reasonable steps to notify survey respondents of the collection of images and faceprints, the method of collection and the purpose of collection; and, if so,
  2. whether 7-Eleven gave notice to survey respondents before or at the time of, or as soon as practicable after, the collection of images and faceprints.

FINDINGS

Personal information

While considering whether the images and faceprints were ‘personal information’ under the Act, the Commissioner discussed the meaning of the terms ‘identified’ and ‘identifiable’ in the definition of ‘personal information’.  The Commissioner opined that, on one hand, an individual is identified in a group where they are distinguishable from all other members of the group.  On the other hand, an individual can be identifiable where, even though they may not necessarily be identified from the specific information being handled, they can ultimately be identified by any person or machine using that information in conjunction with other available information.  In finding that the images and faceprints were ‘personal information’, the Commissioner regarded the images to be information about identified individuals, whereas the faceprints were information about a reasonably identifiable individual.

APP 3.3 - Sensitive information

In order for APP 3.3 to apply, the images and faceprints must fall within the definition of ‘sensitive information’ under the Act.  Section 6(1) of the Act defines ‘sensitive information’ as including:

(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

(e) biometric templates.

(emphasis added)

The Commissioner opined that biometric information is information about an individual’s physiological features (e.g. their fingerprint, iris or facial geometry) or behavioural attributes (e.g. their gait, signature or keystroke patterns) – which are persistent, unique to the individual and cannot normally be changed.  Further, a biometric template is a digital or mathematical representation of an individual’s biometric information that is created and stored when that information is enrolled into a biometric system.  Moreover, a biometric system scans, measures, analyses and recognises a particular biometric feature to identify an individual.  Accordingly, the Commissioner found that the images and faceprints were biometric information as they recorded persistent and largely unique information about an individual’s face.  This information was processed and generated in an automated biometric identification system comprising the Server and the 2 APIs.  Further, faceprints were also found to be biometric templates as they were algorithmic representations of biometric information that were generated as part of that biometric system.  Accordingly, the images and faceprints were found to be ‘sensitive information’ under the Act.

APP 3.3 – Consent

The Commissioner found that none of the exceptions in APP 3.4 applied, and accordingly 7-Eleven was required under the first limb of APP 3.3 to obtain survey respondents’ consent to the collection of their images and faceprints.  The Commissioner helpfully set out the 4 key elements of consent, namely:

  1. the relevant individual must be adequately informed prior to giving consent;
  2. consent must be voluntarily given;
  3. consent must be current and specific; and
  4. the relevant individual must have the capacity to understand and communicate their consent.

Consent can be expressly given or implied from the conduct of both parties; however, the Commissioner cautioned that APP entities should generally seek express consent before handling sensitive information.  In this case, there was no evidence that survey respondents expressly consented to the collection of their images and faceprints.  After examining 7-Eleven’s Store Notice and Privacy Policy, the Commissioner concluded that consent could not be inferred in the circumstances.  It is noteworthy that 7-Eleven sought to rely on the Service Provider’s privacy policy to establish consent; however, the Commissioner rejected that argument on the basis that neither the Store Notice nor 7-Eleven’s Privacy Policy mentioned the Service Provider’s name, and accordingly survey respondents would not have been prompted to search for the Service Provider’s privacy policy online.

In finding that consent could not be inferred in the circumstances, the Commissioner remarked firstly that the Store Notice was ambiguous as it may have created the impression that 7-Eleven captured images using facial recognition CCTV cameras for the purpose of surveillance, given the prevalence of similar notices in public places.  Thus, the Store Notice was unclear as to the purpose for which facial images were captured and stored by facial recognition cameras.  Secondly, 7-Eleven’s Privacy Policy did not expressly link the practice of collecting photographic or biometric information to the use of a ‘feedback kiosk from [its] stores’.  In other words, the Privacy Policy did not make clear that 7-Eleven will collect photographic or biometric information whenever a customer uses an in-store ‘feedback kiosk’. 

Accordingly, the Commissioner found that:

  • the survey respondents were not adequately informed about what they were asked to consent to;
  • the Store Notice and Privacy Policy were neither current nor specific, as they did not seek consent contemporaneously with the survey process, or refer to the process at all; and
  • the Privacy Policy, which bundles together multiple collections, uses and disclosures of personal information as well as requests for consent, deprives individuals of the opportunity to choose which collections they agree to and which they do not, and consequently undermines the voluntariness of any consent obtained.

APP 3.3 – Reasonably necessary for the entity’s functions or activities

Under the second limb of APP 3.3, 7-Eleven was required to justify that the collection of images and faceprints was reasonably necessary for one or more of its functions or activities.  The Commissioner opined that reasonable necessity is a higher threshold than ‘merely helpful, desirable or convenient’ and requires an assessment of whether the entity’s interference with an individual’s privacy was proportionate to the legitimate aims sought.  To that end, the Commissioner considered the primary purpose for which the images and faceprints were collected, how this information was used towards 7-Eleven’s functions or activities, and whether those functions or activities could have been performed without this information, or with less information. 

Whilst acknowledging that deploying systems to understand and improve customer experience is a legitimate aim of 7-Eleven, the Commissioner was not satisfied that the fulfilment of this aim was proportional to the potential harms of collecting biometric information.  In particular, unlike other forms of identification information, biometric information cannot be cancelled or reissued if misused or compromised.  Further, 7-Eleven did not conduct a privacy impact assessment in respect of its customer feedback mechanism to assess the proportionality of collecting biometric information to understand its customers’ in-store experience.  Moreover, there were potential alternatives available, which could have enabled 7-Eleven to understand its customers’ demographics and to detect potentially non-genuine survey responses, without needing to collect its customers’ images and faceprints.  On balance, the Commissioner found that the collection of images and faceprints may have been helpful or convenient, but not reasonably necessary for 7-Eleven’s functions or activities.

APP 5 – Reasonable steps to notify

While considering whether 7-Eleven took reasonable steps to give notice to survey respondents about the collection of images and faceprints, the Commissioner opined that what is reasonable will depend on the circumstances, including whether the personal information was sensitive information, the potential harms to, and special needs of, the relevant individual, and the practicality of taking steps.  Again, the Commissioner gave no weight to the Service Provider’s privacy policy and focused on examining the Store Notice and 7-Eleven’s Privacy Policy.

The Commissioner found that the Store Notice and 7-Eleven’s Privacy Policy addressed some, but not all, of the matters required under APP 5.  Firstly, although both documents referred to the collection of images, neither document referred to the collection of faceprints, or how the images and faceprints were collected.  Secondly, neither document provided sufficient detail as to the purpose for which the images and faceprints were collected.  Further, the Commissioner opined that, given the sensitivity of the biometric information collected, 7-Eleven should have taken reasonable steps to give notice of its collection of such information before capturing the facial image of survey respondents.

To meet the above requirements, 7-Eleven should have, in the Commissioner’s view, provided a collection notice on or near each tablet device with similar wording to the below:

7-Eleven collects facial images of individuals who complete the feedback survey on tablets in front of cashiers in 7-Eleven’s stores.

7-Eleven analyses the facial images using facial recognition technology to generate and collect faceprints of those individuals.

7-Eleven collects facial images and faceprints for biometric matching, in order to identify if an individual is leaving multiple survey responses within a period of time, and to assist with demographic profiling.

 

You can access the full text of the Commissioner’s decision here.