Terms of Privacy Policies are not Consent – from the Australian Information Commissioner
The Office of the Australian Information Commissioner has recently published the Commissioner’s decision following an investigation into the use of facial recognition technology by 7-Eleven Stores Pty Ltd (7-Eleven). Between 15 June 2020 and 24 August 2021, 7-Eleven collected more than 1.6 million survey responses through its customer feedback mechanism which incorporated an automated biometric identification system. The Commissioner found the convenience store giant had breached Australian Privacy Principles (APP) 3.3 and 5 in relation to its collection of customers’ facial images and ‘faceprints’. Accordingly, the Commissioner declared that 7-Eleven had interfered with the privacy of individuals whose facial images and faceprints it had collected, and ordered that all faceprints be destroyed within 90 days.
The Commissioner provided useful guidance on how entities should go about giving notice to, and obtaining consent from, their customers. In particular, a collection notice and request for consent should both:
- provide a detailed description of the kind of information to be collected, the recipient entities, the method of collection and the purpose of collection; and
7-Eleven’s customer feedback mechanism
7-Eleven, which is an ‘APP entity’ under section 6 of the Privacy Act 1988 (Cth) (Act), has more than 700 stores around Australia. In mid-2020, 7-Eleven deployed a nationwide customer feedback mechanism whereby customers were asked to complete a voluntary survey about their in-store experience, using tablet devices located in each store. The customer feedback mechanism was supplied by a third party (Service Provider).
Using its built-in camera, each tablet took facial images of survey respondents (images) while they completed the survey. The images were then uploaded onto a secure server (Server), where they were kept for 7 days, and deleted from the tablet. The Service Provider used an Application Programming Interface (API) to convert each image into an encrypted algorithmic representation of the respondent’s face (faceprint) to extrapolate information about the approximate age and gender of the respondent, and recorded that information. Each faceprint generated from an individual’s image was directly linked to that individual’s survey response. All faceprints collected by the same tablet within a 20-hour period were sent as a batch to another API to identify similarities between different faceprints in the same batch, and a ‘high probability match’ resulted in the corresponding survey responses being flagged. Unlike the images, the faceprints were stored on the Server for an indefinite period of time.
The purpose of collecting images and faceprints was to enable 7-Eleven to understand its customers’ demographics and to detect instances where multiple survey responses were given by the same individual using the same tablet within a 20-hour period, thereby enabling 7-Eleven to exclude potentially non-genuine responses.
7-Eleven had, during the relevant time, displayed a notice (Store Notice) at the entrance of each store which included, amongst other things, an image of what appears to be a video or CCTV camera, accompanied by the following text:
Site is under constant video surveillance.
By entering the store you consent to facial recognition cameras capturing and storing your image.
What personal information we collect and hold
We only collect personal information that is reasonably necessary for our business functions and activities and to provide you with our products and services.
7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.
How we collect personal information
Generally, We collect most personal information directly from you, for example where you:
- use a feedback kiosk from our stores; …
No other information was given about 7-Eleven’s collection of images and faceprints, whether on or near each in-store tablet or during the survey process.
In order for the Act (and the APPs contained therein) to apply, the images and faceprints collected by 7-Eleven must fall within the definition of ‘personal information’ under the Act. Section 6(1) of the Act defines ‘personal information’ as:
information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Once that initial threshold has been met, it would be open to the Commissioner to determine whether 7-Eleven had breached APP 3.3 and 5.
APP 3.3 relevantly states:
An APP entity must not collect sensitive information about an individual unless:
- the individual consents to the collection of the information and:
(ii) if the entity is an organisation – the information is reasonably necessary for one or more of the entity’s functions or activities; or
- subclause 3.4 applies in relation to the information.
The relevant issues to be determined under APP 3.3 were:
- whether the images and faceprints were ‘sensitive information’;
- whether survey respondents had consented to the collection of images and faceprints;
- whether the collection of images and faceprints was reasonably necessary for 7-Eleven’s functions or activities; and
- whether APP 3.4 applied in the circumstances.
APP 5 deals with the notification of the collection of personal information. APP 5.1 states:
At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:
- to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or
- to otherwise ensure that the individual is aware of any such matters.
APP 5.2 sets out the matters that an APP entity must notify the individual of, including:
- where the individual may not be aware that the entity has collected the personal information, the fact that the entity so collects, or has collected, the information and the circumstances of that collection (APP 5.2(b)(ii)); and
- the purpose for which the entity collects the personal information (APP 5.2(d)).
The relevant issues to be determined under APP 5 were:
- whether 7-Eleven took reasonable steps to notify survey respondents of the collection of images and faceprints, the method of collection and the purpose of collection; and, if so,
- whether 7-Eleven gave notice to survey respondents before or at the time of, or as soon as practicable after, the collection of images and faceprints.
While considering whether the images and faceprints were ‘personal information’ under the Act, the Commissioner discussed the meaning of the terms ‘identified’ and ‘identifiable’ in the definition of ‘personal information’. The Commissioner opined that, on one hand, an individual is identified in a group where they are distinguishable from all other members of the group. On the other hand, an individual can be identifiable where, even though they may not necessarily be identified from the specific information being handled, they can ultimately be identified by any person or machine using that information in conjunction with other available information. In finding that the images and faceprints were ‘personal information’, the Commissioner regarded the images to be information about identified individuals, whereas the faceprints were information about a reasonably identifiable individual.
APP 3.3 – Sensitive information
In order for APP 3.3 to apply, the images and faceprints must fall within the definition of ‘sensitive information’ under the Act. Section 6(1) of the Act defines ‘sensitive information’ as including:
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
The Commissioner opined that biometric information is information about an individual’s physiological features (e.g. their fingerprint, iris or facial geometry) or behavioural attributes (e.g. their gait, signature or keystroke patterns) – which are persistent, unique to the individual and cannot normally be changed. Further, a biometric template is a digital or mathematical representation of an individual’s biometric information that is created and stored when that information is enrolled into a biometric system. Moreover, a biometric system scans, measures, analyses and recognises a particular biometric feature to identify an individual. Accordingly, the Commissioner found that the images and faceprints were biometric information as they recorded persistent and largely unique information about an individual’s face. This information was processed and generated in an automated biometric identification system comprising the Server and the 2 APIs. Further, faceprints were also found to be biometric templates as they were algorithmic representations of biometric information that were generated as part of that biometric system. Accordingly, the images and faceprints were found to be ‘sensitive information’ under the Act.
APP 3.3 – Consent
The Commissioner found that none of the exceptions in APP 3.4 applied, and accordingly 7-Eleven was required under the first limb of APP 3.3 to obtain survey respondents’ consent to the collection of their images and faceprints. The Commissioner helpfully set out the 4 key elements of consent, namely:
- the relevant individual must be adequately informed prior to giving consent;
- consent must be voluntarily given;
- consent must be current and specific; and
- the relevant individual must have the capacity to understand and communicate their consent.
Accordingly, the Commissioner found that:
- the survey respondents were not adequately informed about what they were asked to consent to;
- the Store Notice and Privacy Notice were neither current nor specific, as they did not seek consent contemporaneously with the survey process, or refer to the process at all; and
APP 3.3 – Reasonably necessary for the entity’s functions or activities
Under the second limb of APP 3.3, 7-Eleven was required to justify that the collection of images and faceprints was reasonably necessary for one or more of its functions or activities. The Commissioner opined that reasonable necessity is a higher threshold than ‘merely helpful, desirable or convenient’ and requires an assessment of whether the entity’s interference with an individual’s privacy was proportionate to the legitimate aims sought. To that end, the Commissioner considered the primary purpose for which the images and faceprints were collected, how this information was used towards 7-Eleven’s functions or activities, and whether those functions or activities could have been performed without this information, or with less information.
Whilst acknowledging that deploying systems to understand and improve customer experience is a legitimate aim of 7-Eleven, the Commissioner was not satisfied that the fulfilment of this aim was proportional to the potential harms of collecting biometric information. In particular, unlike other forms of identification information, biometric information cannot be cancelled or reissued if misused or compromised. Further, 7-Eleven did not conduct a privacy impact assessment in respect of its customer feedback mechanism to assess the proportionality of collecting biometric information to understand its customers’ in-store experience. Moreover, there were potential alternatives available, which could have enabled 7-Eleven to understand its customers’ demographics and to detect potentially non-genuine survey responses, without needing to collect its customers’ images and faceprints. On balance, the Commissioner found that the collection of images and faceprints may have been helpful or convenient, but not reasonably necessary for 7-Eleven’s functions or activities.
APP 5 – Reasonable steps to notify
To meet the above requirements, 7-Eleven should have, in the Commissioner’s view, provided a collection notice on or near each tablet device with similar wording to the below:
7-Eleven collects facial images of individuals who complete the feedback survey on tablets in front of cashiers in 7-Eleven’s stores.
7-Eleven analyses the facial images using facial recognition technology to generate and collect faceprints of those individuals.
7-Eleven collects facial images and faceprints for biometric matching, in order to identify if an individual is leaving multiple survey responses within a period of time, and to assist with demographic profiling.