The Overreach of Privacy Regulation: Why Transient Data Processing for Machine Vision & FRT Isn't Data Collection

In the wake of the recent determination by the Australian Privacy Commissioner regarding Bunnings Group Limited’s use of facial recognition technology (FRT), a critical discussion has emerged about the interpretation of data collection under the Privacy Act 1988 (Cth). The Commissioner posited that even fleeting retention of personal information—mere milliseconds in volatile memory—constitutes a collection of sensitive personal data. This stance raises significant concerns about the practical application of privacy laws and underscores the necessity of involving technology experts in policymaking.

At the heart of the debate is the distinction between transient data processing and the actual collection of personal information. Under the Privacy Act, “collection” refers to the gathering or acquiring of personal data by any means, which typically involves some form of recording or retention of that information. Facial recognition systems, particularly advanced ones used in retail settings, often process data in real-time using RAM (Random Access Memory) without storing any personal information. The data is analyzed and immediately discarded, leaving no digital footprint.

This process is analogous to a security guard observing customers in a store. The guard perceives and assesses individuals without recording or retaining any personal information. Similarly, FRT systems that do not store data are merely observing, not collecting. Conflating transient processing with data collection not only misinterprets the technical functionalities of these systems but also stretches the intent of the Privacy Act beyond its reasonable boundaries.

If transient processing is deemed equivalent to data collection, the ramifications extend far beyond facial recognition technology. Standard security systems like Digital Video Recorders (DVRs) and Network Video Recorders (NVRs) also process vast amounts of video data transiently. These systems use RAM to handle live feeds, and not all processed data is stored. Under the Commissioner’s interpretation, these ubiquitous security measures could inadvertently fall under stringent privacy regulations, potentially hindering businesses’ ability to protect their premises effectively.

Such an outcome could impose onerous compliance requirements on entities employing standard security technologies, leading to increased operational costs and reduced security effectiveness. The unintended consequence is a regulatory environment that penalizes essential security practices rather than focusing on genuine privacy threats.

This situation highlights a critical issue: the importance of involving experts who deeply understand the technology when making regulatory decisions. Policymakers and regulators must grasp the nuances of how technologies like FRT operate to craft laws that protect privacy without stifling innovation or compromising security.

Experts can provide valuable insights into:

Technical Functionality – Clarifying how data is processed, whether it is stored, and the actual risks involved.

Risk Assessment – Evaluating the genuine privacy implications versus the benefits provided by the technology.

Practical Implementation – Advising on how regulations can be effectively implemented without imposing unreasonable burdens on businesses.

By leveraging expert knowledge, policymakers can avoid overbroad interpretations that may lead to adverse outcomes and instead develop balanced regulations that address privacy concerns while allowing technological progress.

The protection of individual privacy is undeniably crucial in an increasingly digital world. However, regulations must be carefully crafted to distinguish between practices that pose real privacy risks and those that are essential for operational efficiency and security.

Facial recognition technology, when used responsibly and without data retention, offers significant benefits:

Enhanced Security – Real-time analysis can help prevent theft and ensure the safety of customers and staff.

Operational Efficiency – Streamlined processes and reduced reliance on manual monitoring.

It’s imperative to adopt a risk-based approach, focusing regulatory efforts on practices involving data retention and sharing, which carry higher privacy risks. Transient data processing necessary for system functionality should not be conflated with data collection.

The Privacy Commissioner’s current stance on transient data processing reflects a misunderstanding of the technology and its implications. By considering any form of data processing as data collection, we risk imposing unreasonable regulatory burdens on essential security technologies. This not only hampers businesses but also potentially compromises the safety measures in place to protect individuals.

Incorporating the expertise of technology professionals in the regulatory process is essential. It ensures that laws are informed, practical, and capable of keeping pace with rapid technological advancements. By doing so, we can achieve a regulatory framework that safeguards privacy without impeding innovation or security.

The legal landscape regarding transient data has shifted significantly since this article was first published. In February 2026, the Administrative Review Tribunal of Australia issued a landmark decision that provides a “common-sense” framework for the future of machine vision in retail.

The Verdict: Security Outweighs “Fleeting” Privacy Risks

The Tribunal overturned the Privacy Commissioner’s 2024 determination, finding that Bunnings was reasonably entitled to use AI-driven facial recognition to protect its workforce and customers from violence and organized crime.

While the Tribunal technically agreed with the Commissioner that even millisecond processing in RAM constitutes “collection” under the Privacy Act, they ruled that this collection was not a breach. Their reasoning centered on two critical points that align with our technical analysis:

• Data Ephemerality: The system’s ability to instantly and permanently delete non-matching data was a key factor in minimizing privacy intrusion.

• Proportionality: The high rate of repeat offenders (noted at roughly 70%) justified the use of advanced computer vision as a necessary safety tool.

This ruling effectively creates a legal pathway for other major retailers to implement similar AI systems. As noted by retail experts like Professor Gary Mortimer (QUT), “computer vision and AI systems are the way of the future,” not just for retail theft, but for broader public safety in transport and government service roles.

The takeaway for policymakers and businesses is clear: While the legal definition of “collection” remains broad, the actual risk associated with transient processing is low. Moving forward, the focus for retailers will be on transparency—ensuring clearer signage and updated privacy policies—rather than abandoning the life-saving potential of machine vision.