Video credit: 7NEWS Sydney
The Australian Privacy Commissioner’s ruling on Bunnings’ use of facial recognition technology (FRT) has sparked debate about data collection under the Privacy Act 1988 (Cth). The Commissioner deemed even millisecond retention in volatile memory as collecting sensitive data, highlighting challenges in applying privacy laws and the need for tech expertise in policymaking.
In the wake of the recent determination by the Australian Privacy Commissioner regarding Bunnings Group Limited’s use of facial recognition technology (FRT), a critical discussion has emerged about the interpretation of data collection under the Privacy Act 1988 (Cth). The Commissioner posited that even fleeting retention of personal information—mere milliseconds in volatile memory—constitutes a collection of sensitive personal data. This stance raises significant concerns about the practical application of privacy laws and underscores the necessity of involving technology experts in policymaking.
At the heart of the debate is the distinction between transient data processing and the actual collection of personal information. Under the Privacy Act, “collection” refers to the gathering or acquiring of personal data by any means, which typically involves some form of recording or retention of that information. Facial recognition systems, particularly advanced ones used in retail settings, often process data in real time using RAM (Random Access Memory) without storing any personal information. The data is analyzed and immediately discarded, leaving no digital footprint.
This process is analogous to a security guard observing customers in a store. The guard perceives and assesses individuals without recording or retaining any personal information. Similarly, FRT systems that do not store data are merely observing, not collecting. Conflating transient processing with data collection not only misinterprets the technical functionalities of these systems but also stretches the intent of the Privacy Act beyond its reasonable boundaries.
If transient processing is deemed equivalent to data collection, the ramifications extend far beyond facial recognition technology. Standard security systems like Digital Video Recorders (DVRs) and Network Video Recorders (NVRs) also process vast amounts of video data transiently. These systems use RAM to handle live feeds, and not all processed data is stored. Under the Commissioner’s interpretation, these ubiquitous security measures could inadvertently fall under stringent privacy regulations, potentially hindering businesses’ ability to protect their premises effectively.
Such an outcome could impose onerous compliance requirements on entities employing standard security technologies, leading to increased operational costs and reduced security effectiveness. The unintended consequence is a regulatory environment that penalizes essential security practices rather than focusing on genuine privacy threats.
This situation highlights a critical issue: the importance of involving experts who deeply understand the technology when making regulatory decisions. Policymakers and regulators must grasp the nuances of how technologies like FRT operate to craft laws that protect privacy without stifling innovation or compromising security.
Experts can provide valuable insights into:
- Technical Functionality – Clarifying how data is processed, whether it is stored, and the actual risks involved.
- Risk Assessment – Evaluating the genuine privacy implications versus the benefits provided by the technology.
- Practical Implementation – Advising on how regulations can be effectively implemented without imposing unreasonable burdens on businesses.
By leveraging expert knowledge, policymakers can avoid overbroad interpretations that may lead to adverse outcomes and instead develop balanced regulations that address privacy concerns while allowing technological progress.
The protection of individual privacy is undeniably crucial in an increasingly digital world. However, regulations must be carefully crafted to distinguish between practices that pose real privacy risks and those that are essential for operational efficiency and security.
Facial recognition technology, when used responsibly and without data retention, offers significant benefits:
- Enhanced Security – Real-time analysis can help prevent theft and ensure the safety of customers and staff.
- Operational Efficiency – Streamlined processes and reduced reliance on manual monitoring.
It’s imperative to adopt a risk-based approach, focusing regulatory efforts on practices involving data retention and sharing, which carry higher privacy risks. Transient data processing necessary for system functionality should not be conflated with data collection.
The Privacy Commissioner’s current stance on transient data processing reflects a misunderstanding of the technology and its implications. By considering any form of data processing as data collection, we risk imposing unreasonable regulatory burdens on essential security technologies. This not only hampers businesses but also potentially compromises the safety measures in place to protect individuals.
Incorporating the expertise of technology professionals in the regulatory process is essential. It ensures that laws are informed, practical, and capable of keeping pace with rapid technological advancements. By doing so, we can achieve a regulatory framework that safeguards privacy without impeding innovation or security.