Civil society groups are urging the federal government to take up a model law that would govern the use of facial recognition technology in Australia, where legislative loopholes risk creating a “Wild West”.
- A new model law has been proposed that would regulate facial recognition technology in Australia
- Civil society groups say reform is urgently needed to prevent abuse
- Attorney-General Mark Dreyfus has been urged to take up the bill
Drafted by the Human Technology Institute, the proposed rules would impose new obligations on both companies developing or distributing facial recognition systems and any entity deploying them, including police and employers.
The call comes amid growing alarm about the use of the technology by law enforcement, schools and, as consumer advocates CHOICE found in June, even popular stores such as Bunnings and Kmart.
There is also widespread agreement that Australia’s existing privacy regime — currently under review by Attorney-General Mark Dreyfus — is not keeping pace with the threats posed by emerging technology.
Edward Santow, former Human Rights Commissioner and co-author of the model code at the University of Technology Sydney, said Australian privacy law wasn’t drafted in anticipation of the “extraordinary rise” of facial recognition.
“We also know that the Privacy Act has as many holes as Swiss cheese,” he said.
“It’s riddled with exceptions and exemptions and so provides very limited protection.”
Kate Bower, a consumer data advocate with CHOICE, said her team is seeing growing use of facial recognition without clear guardrails.
CHOICE is endorsing the model law.
“If there is a chance of discrimination or bias or potentially harmful situations … then it puts some safeguards in place, or at least makes the hurdles very very high,” Ms Bower said.
‘The worst of all worlds’
The use of facial recognition technology by law enforcement has been under increasing scrutiny in Australia and overseas, but a comprehensive regulatory regime has proved evasive.
In 2020, the Australian Federal Police admitted that staff had trialled controversial software Clearview AI, which scrapes public images to provide what amounts to a face search engine.
The privacy commissioner later found the AFP had failed to comply with its privacy obligations in using the tool, and that the US company had breached the privacy of Australians.
The former Coalition government also proposed legislation in 2019 that would have allowed identity information about Australians, such as passport images, to be shared among federal, state and territory governments as part of identity-matching services.
The bill was knocked back in a rare rebuke from the Parliamentary Joint Committee on Intelligence and Security, which suggested it be redrafted with better privacy guidelines. The new Labor government’s plan for the so-called “Capability” remains unclear.
“We have not seen another bill, and yet we have seen over the last three years a continued and almost exponential rise in government and corporate use of facial recognition,” Mr Santow said.
“It’s the worst of all worlds.”
Plans for facial recognition regulation are complicated by Australia’s system of government, in which state law enforcement — often eager users of facial recognition — is largely governed by state law.
Mr Santow said that under the model law, the federal government could still regulate the vast majority of uses of facial recognition, not least for national agencies like the Australian Federal Police as well as corporate use.
He suggested it would also affect state police, given they don’t typically develop their own technology but purchase access to facial recognition services from developers, who would fall under the proposed rules.
A risk-based approach
There’s also growing concern about the potential deployment of facial recognition technology in the workplace.
Mark Morey, secretary of Unions NSW, said he wasn’t “writing the technology off” but remained highly concerned about its use to surveil and punish workers — to monitor toilet breaks or personal phone calls, for example.
“The technology is way in advance of the community debate and the requisite legislation,” he said.
“This could turn into the Wild West unless legislators start thinking about privacy.”
The model law doesn’t seek an outright ban on all facial recognition.
Instead it takes a risk-based approach based on how the technology is used in practice, Mr Santow said, recognising there are some cases that are consistent with human rights, such as accessibility tools for people with disabilities.
The model law proposes restrictions and safeguards based on three levels of risk: base level, elevated and high.
Use of facial recognition technology in a workplace raises the level of risk, for example, because workers can’t control that environment.
For high-risk uses, with extreme potential for human rights abuses, the default position is that the facial recognition application would be prohibited unless the entity seeks special authorisation from the regulator or in cases of research with ethical protections.
In addition, a special regime is proposed for law enforcement and national security agencies, including a proposed “face warrant scheme”.
Under that regime, a judge or independent authority would consider applications by police to conduct “live, repeated or routine use of [facial recognition technology] involving members of the public who are not suspected of having committed a crime”.
The model law suggests that any permission should be time-limited and for a specific purpose, and banned without such a “face warrant”, among other restrictions.
Greater transparency about the use of facial recognition
The model bill also calls for enhanced transparency. A developer or organisation seeking to use facial recognition technology would typically have to undertake a “Facial Recognition Impact Assessment” and make it publicly accessible.
It could then be challenged and audited by the regulator or interested parties.
Mr Santow said the group was agnostic about which body would act as regulator, but suggested the most obvious option was the Office of the Australian Information Commissioner — so long as it was given sufficient powers of oversight and enhanced resourcing.
The group now wants the Attorney-General to commit to reform based on the model bill and to lead a national approach to ensure facial recognition law is harmonised across Australia.
“The government doesn’t have any justification for delaying this reform,” Mr Santow said. “It’s urgent and overdue.”
A spokesperson for the Attorney-General did not comment on the model law, but said the treatment of sensitive information formed part of the Privacy Act review.
“This includes considering what privacy protections should apply to the collection and use of sensitive information using facial recognition technology,” she said.
CHOICE’s Ms Bower also agreed the need for new rules was dire.
“It’s only a matter of time until we see something go badly wrong,” she said.