NZ Privacy Commissioner provides clarity for retailers on facial recognition technology

Finding published last week by NZ Privacy Commissioner on supermarket facial recognition trial places retailers on notice, says FRT technology risk expert.

Privacy Commissioner Michael Webster has found that the live facial recognition technology model trialed in 25 Foodstuffs North Island (FSNI) supermarkets during 2024 is compliant with New Zealand's Privacy Act. But the inquiry report highlighted that there are many steps an organisation implementing live facial recognition technology (FRT) needs to make in order to be compliant.

"While the Privacy Commissioner assessed the level of privacy intrusion as high due to every shopper’s face data being collected, the privacy safeguards in the trial reduced it to an acceptable level," said Nicholas Dynon, Group Brand Strategy & Innovation Director at Optic Security Group, and a certified security risk professional.

The outcome has been met with strong and immediate political support, with Justice Minister Paul Goldsmith lauding the result as “great news” and stating that he now expects the Ministerial Advisory Group for Victims of Retail Crime to “continue to look at this technology as an option to be used more widely".

“The outcome also provides some much-needed clarity for retailers – and other organisations – who have held back on considering FRT as a potential solution to their security issues due to the fear of ending up on the wrong side of privacy legislation," said Nicholas. "But it’s not a green light."

The Privacy Commissioner has highlighted several changes that FSNI needs to make in order to make its trial permanent or to expand it to more stores. The Office of the Privacy Commissioner (OPC) has also set out nine key expectations for organisations that are considering using FRT.

“Compliant FRT deployment is about more than just the technology itself," said Nicholas.

"Factors such as identifying and assessing the specific purpose for which you want to use FRT, maintaining watchlists, protecting the system from misuse and information breach, communications to customers, staffing and training, customer interventions, incident response, managing enquiries and complaints, and maintaining and monitoring the system, are all critical to compliance – and they involve significant research, planning, testing, and careful implementation.

"At the same time, retailers should be aware that the results of an OPC survey published just weeks ago demonstrate that many New Zealanders are not supportive of the use of FRT in retail stores," he said.

The survey of over 1,200 New Zealanders found that 41% of respondents are ‘concerned’ or ‘very concerned’ about the use of facial recognition technology (FRT) in retail stores to identify individuals. A total of 25% are neutral on the topic, 31% are either not so concerned or not concerned at all, and 3% are unsure. 49% of Maori respondents indicated concern over FRT in retail.

“For retailers considering FRT, this means not only ensuring all the privacy legislation boxes are ticked but also taking a step back and asking whether FRT is the most appropriate solution to your security problem," said Nicholas.

“Inappropriate FRT deployment exposes an organisation not only to legal risk but also to significant reputational risk. Engaging with trusted experts to understand the privacy dimensions and factors influencing social licence to operate this emerging technology are critical."

Notes:

• Nicholas’ peer reviewed research published in the National Security Journal collated 200 data points from 15 international research studies in order to ‘map’ the public acceptability of a range of FRT deployments. An abridged article was published in The Conversation.