Facial recognition is everywhere – but Australia’s privacy laws are ‘falling way behind’


New legislation has been introduced to govern the use of facial recognition and protect the privacy of Australians. But critics say it does not go far enough.
The use of facial recognition by the Australian government and lack of legislative oversight has been controversial since 2018 when a bill was introduced and not enacted. Source: Getty Images

There was intense pushback against the Australian government’s invasive use of facial recognition in 2019. A bill had stalled in Parliament the year before, amid criticism it did not adequately protect citizen privacy. Then came the coronavirus, when facial recognition was used extensively to monitor the movement of Australians, despite the absence of legislative guardrails.

Fast forward four years, and facial recognition is back on Parliament’s agenda. The Attorney General lodged the Identity Verification Services Bill (IVS) into Parliament on 13 September. While the proposed Bill governs some uses of ‘1:1’ facial recognition, it falls short of restricting ‘1:many’ uses of the technology. In the latter, an image of an individual is compared to a database of many images, for the purposes of identifying a person.

It is this application of facial recognition that has been highly criticised as invasive. Some 62% of Australians said they should be able to opt-out of facial recognition databases, in a 2020 Monash study. 49% of respondents to the Monash survey called using facial recognition to identify people in public places an invasion of privacy.

This week, Forbes Australia sat down with Edward Santow, UTS Professor of Responsible Technology and Australia’s former Human Rights Commissioner. In an exclusive interview, Santow clarifies what the new Bill does – and doesn’t – achieve in regulating the use of facial recognition technology.

“It does not put any brakes on those uses of 1:many facial recognition, outside of the Facial Identification Service (FIS) used by the government,” says Santow. “Clearview AI and many other 1:many facial recognition services will continue to operate in Australia and will not be regulated under the IVS Bill.”

Santow says it is vitally important to regulate companies scraping data from the internet and developing databases of people’s faces.

“That’s really necessary. We need those legal guardrails, and the fact that they don’t exist, or are inadequate, is a significant problem. This bill does nothing to address that problem,” says Santow.

He notes that there have been inaccuracies in reporting published since the Bill was introduced to Parliament, and wants to set the record straight.

“It has been reported that it prohibits the use of 1:many facial recognition in this scheme. Thats wrong,” says Santow. He cautions that citizens need to know that under this Bill, their data can still be compiled into databases and used for identification.

Facial recognition on city streets. Courtesy: Getty Images

“We know that the Australian federal police, as well as a number of state and territory police forces, use 1:many facial recognition systems,” says Santow.

The scope of the problem is large. Facial Verification Service, or FVS, is something that is used frequently, the Bill discloses. Not only was it used during the pandemic, but it continues to be used today.

“FVS was used 2.6 million in the 2022-2023 financial year,” says Santow. “Not all of those uses would have been because of the pandemic. The pandemic restrictions were receding.”

What the bill does address, Santow says, is the use of 1:1 facial recognition.

“That’s what you use on your smartphone, to verify your own identity,” says Santow. “The privacy risks generally are lower. It compares a new photo with stored photos. You are verifying your own identity, so there is a greater level of autonomy.”

Governing 1:1 facial recognition, and not addressing the 1:many use of the technology, does not adequately protect Australians, according to Santow.

“Are those protections effective enough [against] the very real risk of harm? I think on the face of it, the answer to that question is no,” says Santow.

young chinese man using smart phone to scan his face

The Attorney General’s office disagrees, telling Forbes Australia it considers the privacy safeguards and security measures in the new Bill ‘robust.’

“The use of facial recognition is not prohibited in Australia and is used in a range of government agencies, including law enforcement,” a spokesperson from the Attorney General’s Office told Forbes Australia in an email. “The IVS Bill does not regulate the use of biometric information, facial recognition technology, and identity matching undertaken outside of the Identity Verification Services.”

And that absence of regulation is alarming to Santow. Of particular concern to the co-director of the UTS Human Technology Institute, is the right to privacy for Australian citizens. While holding the position of Australian Human Rights Commissioner, Santow oversaw research into public sentiment on that issue.

“People genuinely care about the right to privacy in Australia,” says Santow. “Our privacy law has fallen way behind.”

So far behind, that a nation often criticised for human rights abuses and government overreach has surpassed Australia in its theoretical protection of citizen’s privacy.

“China has actually passed quite significant privacy legislation over the last few years,” says Santow, referring to China’s 2021 Personal Information Protection Law. “There are some significantly stronger privacy protections in China, than there are in Australia.”

The submission of the Attorney General’s bill to Parliament this week also revealed the pervasive use of the Document Verification Service, or DVS, by Australian government officials.

“In 2022, the DVS was used over 140 million times, by approximately 2,700 government and industry sector organisations,” says Santow. “That’s a really, really big number.”

He reiterated that this time period is when pandemic restrictions against the mobility of citizen’s were easing in Australia and raises doubt that 140 million DVS requests were made to monitor citizens as a consequence of the coronavirus. He is of the view that the new Bill does not go far enough in addressing the circumstances in which the personal data of Australians can be accessed.

“IVS essentially says that if a company or government agency is complying with state or federal privacy legislation, then that is really all that they have to do,” says Santow. He is concerned that existing privacy laws are too lax, especially because the new Bill relies on existing privacy laws as a safeguard against misuse.

“The Attorney General’s department has said that Australian privacy legislation is out of date. It needs to be modernised. It needs to be strengthened,” says Santow. “So, it is very difficult to reconcile those two ideas — that existing privacy law will be the protection [against facial recognition overreach], but also, that existing privacy law needs to be strengthened.”

The use of facial recognition in Australia needs to be regulated further according to UTS Co-director of the Human Technology Institute, Professor Edward Santow. Courtesy: Getty Images
The use of facial recognition in Australia needs to be regulated further says UTS Co-director of the Human Technology Institute, Professor Edward Santow. Courtesy: Getty Images

For its part, the Attorney General’s office directs any questions about the use of facial recognition during the pandemic to the ‘relevant jurisdiction.’ The Department did not directly respond to a question asking what legislation authorised the use of facial recognition during the coronavirus.

Instead, a spokesperson for the Attorney General’s office stated it is “aware of media reports on the trialing of facial recognition software by certain states and territory authorities during the COVID-19 pandemic.”

The Australian Government today issued a response to the Privacy Act Review Report, committing to “introduce legislation to protect the personal information of Australians in 2024.”

Given the push for the IVS bill to go through by the end of this year, that may be too late.

Santow would like to see privacy laws vastly improved before the IVS legislation is enacted. It is unlikely that could happen in time, however. Public hearings on the new Bill will likely take place in October, the Senate Legal and Constitutional Affairs Committee is due on 9 November, and a Parliamentary vote is expected by the end of the year.

“Any changes to the Privacy Act won’t happen before the IVS bill is due to be voted on in Parliament. That, to me, is a concern,” says Santow. “In order for this regime to achieve what it should achieve we need to strengthen privacy protection, at the very least.”

Santow adds that he is not against the use of facial recognition entirely. He believes it can be a highly valuable tool for multiple groups of stakeholders, when appropriately governed.

“When it is done well, it improves convenience for Australians, it can make government run more smoothly, it can be really useful for companies in the private sector as well,” says Santow. “It is just very important that there are clear legal rules that govern its use.”

Look back on the week that was with hand-picked articles from Australia and around the world. Sign up to the Forbes Australia newsletter here or become a member here.

More from Forbes Australia