What happened
7-Eleven wanted to know what its Australian customers thought of its stores, so it put tablets running a feedback survey near the exits of around 700 of them. The tablets did more than record star ratings. Each had a built-in camera, and as a customer answered the survey it captured images of their face and turned them into a “faceprint,” an algorithmic template of their features. The stated reason was integrity: the faceprints let 7-Eleven detect when the same person filled in the survey more than once in a short window on the same tablet, and so weed out responses that were not genuine. A secondary purpose was to read a rough demographic profile of who was answering.
The customers were not meaningfully told any of this was happening, and they were not asked. Between June 2020 and August 2021 the system ran across the store network; in its first ten months alone customers completed some 1.6 million surveys. Faces were being converted into biometric templates at scale, quietly, as a side effect of rating a store out of five.
The Office of the Australian Information Commissioner investigated, and on its own initiative. In a determination issued in September 2021, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, found that 7-Eleven had breached the Privacy Act. Faceprints are sensitive information, a special category the law guards closely, and 7-Eleven had collected them without consent and where the collection was not reasonably necessary for its functions, contrary to Australian Privacy Principle 3.3, and had failed to take reasonable steps to notify customers of what it was doing, contrary to Australian Privacy Principle 5.1. The Commissioner found the practice disproportionate: whatever 7-Eleven gained from checking survey integrity this way did not justify collecting biometric data from millions of people. “Any benefits to the business in collecting this biometric information,” she found, “were not proportional to the impact on privacy.” She noted that biometric information is unique to a person and cannot normally be changed. 7-Eleven was ordered to stop the collection and to destroy the faceprints it held. No fine was imposed; the remedy was the destruction order and the finding itself.
What an auditable version would have shown
The problem with the 7-Eleven system was not a failure that needed detecting after the fact; it was the design itself. The relevant question, whether there was a lawful basis to collect biometric information from every surveyed customer and whether they had been told, had a clear answer, no, and the system simply never asked it before switching on. There was nothing between the decision to use faceprints and the collection of 1.6 million people’s faces.
An auditable version makes lawful basis and notice a precondition that is checked and recorded before sensitive data is collected, not a question raised by a regulator afterwards. Before a faceprint is generated, the system confirms that the collection is permitted and that the person has been notified and, where required, has consented, and it records that this check was made. With that, “we collect biometric data to verify surveys” is tested against the law at the point of collection, where the answer would have stopped it, instead of being adjudicated a year later across a network of 700 stores.
Where the gap was
The gap was that a system collecting sensitive biometric information ran without any check on whether it was lawfully entitled to, and without notifying the people it collected from. Consent and notice were not weighed and found sufficient; they were absent.
A ConstraintGate is the control. Collection of sensitive information is gated on a declared lawful basis and on notice to the individual, and it does not proceed where those conditions are not met; biometric data, which cannot be reissued like a password, sits at the strict end of that rule. A ConductRecord is the second: a record that, for each collection, the basis and notice were present, so the organisation can show it met the standard rather than assert it after the regulator asks.
What governance should have looked like
The pattern completes a set this library has seen before in Australian retail, where facial recognition was pointed at ordinary customers for ordinary commercial purposes, treating consent and proportionality as afterthoughts. The lesson each time is the same: sensitive data should not be collected until something has checked that it lawfully can be, and recorded that it checked. Biometrics raise the stakes because the person cannot get their face back.
The reference implementation of ConstraintGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.
Sources
- Commissioner initiated investigation into 7-Eleven Stores Pty Ltd (Privacy) [2021] AICmr 50 (OAIC determination)
- OAIC finds against 7-Eleven over facial recognition (OAIC media release)
- Privacy breach: 7-Eleven secretly scanned customer faces (InnovationAus)
- A tale of two OAIC investigations: privacy implications for the use of facial recognition technology (Allens)