7-Eleven violated its customers’ privacy by secretly collecting their facial images at 700 stores over the last year for demographic profiling and data verification, the regulator has determined after a seven month investigation.
The convenience store chain claims its actions did not constitute a privacy breach and will face no punishment beyond being asked to destroy the images, despite the regulator describing the breach as “serious” and having to the power to issue fines.
Privacy experts said the determination still sends a clear message about businesses’ privacy obligations but more clarity in Australia’s legislation would help prevent similar incidents.
On Thursday Australia’s privacy regulator released its determination that 7-Eleven had interfered with the privacy of individuals whose facial images and ‘faceprints’ it collected through its customer feedback mechanism.
7-Eleven used a service provider’s facial recognition tool built into the customer feedback software used in 700 stores to collect as many as 1.6 million customer images in the 14 months to August this year.
The images were covertly taken when customers filled out voluntary customer feedback on an in-store tablet device. The images were uploaded to an Australian server using Microsoft’s cloud infrastructure by the service provider which converted them into an encrypted algorithmic representation of the face known as “faceprints”.
The faceprints were used to determine if the same person had filled out the survey multiple times, rejecting the invalid results, and were also used to understand the demographic profile of 7-Eleven customers.
The Office of the Australian Information Commissioner (OAIC) made preliminary inquiries about the practice with 7-Eleven in July last year and launched a formal investigation in February. 7-11 continued the practice until August this year when the regulator shared preliminary findings. Only then did the company stop collecting the images.
On September 29 the watchdog determined the facial images and faceprints were sensitive information covered by additional protections under the Privacy Act 1988 because they were considered biometric information.
“Biometric information is unique to an individual and cannot normally be changed,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said Thursday.
“Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities.
The privacy commissioner determined the 7-Eleven customers did not give either express or implied consent to the collection of their facial images or faceprints, nor did 7-Eleven take reasonable steps to notify individuals of the collection of personal information.
“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy,” she said.
7-Eleven disputed that it had breached its customers privacy. The company says it has already destroyed all facial images it collected in the exercise and was ordered by Ms Falk to also destroy the faceprints.
The remedy is surprising given the breach was described as “serious” by the regulator, who has the authority to issue fines, according to expert Anna Johnston of Salinger Privacy.
“One of the reasons it was serious is the sensitive nature of biometric information, yet no penalty,” Ms Johnston told InnovationAus.
Similar incidents in the future would likely attract tougher penalties from the regulator, Ms Johnston said.
“The next company that tries this would not get off lightly. Because now all all sectors of the economy are on notice that you can’t go around casually collecting people’s images for biometric verification or comparison purposes without complying with Privacy Act.”
The case also confirmed earlier determinations that organisations can not “contract out their privacy responsibilities” to service providers, and privacy policies are not a valid way of gaining consent for invasive information collection, Ms Johnston said.
“The days of burying things in your privacy policy or your terms and conditions, and then calling it consent, those are over,” she said.
“This is another nail in the coffin.”
However, clearer legislation would be welcomed by the privacy expert to clarify organisations’ privacy obligations, modernise the law and increase penalties.
Australia’s privacy legislation is currently under review after warning it was not well equipped to deal with the explosion of data collection.
However, the process has stalled with the government still yet to release a discussion paper two years after the review began. There are now concerns reform will not be implemented by the next election.
Ms Johnston said she is no longer confident reforms will occur during the current Parliament but believes they will eventually be implemented.
“I believe that that reform of the Privacy Act is a bipartisan issue so I am hoping that, regardless of who wins the next election, it will still be on the agenda for the government of the day.”
Do you know more? Contact James Riley via Email.
If the survey was anonymous and the faceprints solely used to detect duplicate entries, and then destroyed on completion of the survey, then I’m not sure what they did is so bad, even if there was a technical breach.
Can someone who disagrees please walk me through why?
It seems that the “faceprints” were retained for a long period, only destroyed by order. They were sufficient to identify an individual from a photo as having used the survey before, which means a significant loss of anonymity, equivalent or worse than retaining the photo. They were taken secretly, without consent, with no undertaking on their use, storage, protection, processing, transfer to service providers or other third parties, online storage, …
Sounds pretty serious to me. Maybe it depends on your definition of anonymity.
So… what exactly do you have to do to get a meaningful financial penalty? Is there any privacy breach that would actually get a real response?
If covertly photographing 1.6 million customers without consent doesn’t do it, what would?