
If your business uses AI tools, automated monitoring systems, or real-time analytics, a landmark Australian tribunal ruling has just changed what you need to worry about. The decision in Bunnings Group Limited v Privacy Commissioner (ARTA 130) has confirmed that even temporarily processed personal information counts as “collected” under the Privacy Act 1988. This is not a technicality. It closes a loophole that many businesses have been unknowingly relying on, and the compliance implications are significant.

This post explains what the ruling decided, which systems it affects, and what your business needs to do right now.

What the Bunnings v Privacy Commissioner Case Actually Decided

The Bunnings case centred on the retailer’s use of facial recognition technology across its hardware stores. The Office of the Australian Information Commissioner (OAIC) found that Bunnings had breached the Privacy Act by collecting sensitive biometric information without adequate notice or consent. Bunnings appealed the finding to the Australian Administrative Review Tribunal (ARTA).

The Tribunal’s decision in ARTA 130 upheld the Commissioner’s core finding. One of the most consequential aspects of the ruling was its treatment of transient data processing. Bunnings argued, among other things, that certain facial data which was processed and immediately discarded had not been meaningfully “collected.” The Tribunal rejected that argument.

The ruling confirms that the act of processing personal information, even if that information is never permanently stored, constitutes collection under the Privacy Act. The law does not require retention. It requires only that the information passed through your system in a way that was purposeful and under your control.

It is worth noting that specific details of the Tribunal’s full reasoning remain subject to legal commentary and review. Businesses should obtain their own legal advice on how the ruling applies to their specific circumstances. However, the core principle is now clearly established: transient processing equals collection.

What “Transient Collection” Means in Practice

This is where many businesses will be caught off guard. The concept of transient collection applies to a much wider range of systems than most people assume. Here are the scenarios that now sit squarely within Privacy Act obligations:

CCTV Systems with Facial Analysis

Your standard CCTV footage may already be covered by existing obligations, but modern systems that include AI-powered facial analysis are a different matter entirely. If your cameras attempt to identify or match faces in real time, even when no match is found and no record is saved, personal information has been collected. This applies to retail environments, office buildings, healthcare facilities, and transport hubs.

AI-Powered Chatbots

A chatbot that processes a customer’s name, email address, or account details to handle a query is collecting personal information during that interaction, even if the conversation log is never retained beyond the session. This applies whether the chatbot is customer-facing or internal.

SIEM and EDR Security Tools

Security Information and Event Management (SIEM) platforms and Endpoint Detection and Response (EDR) tools routinely process user activity data, access logs, and communications metadata. Even when this data is processed purely for threat detection and is not permanently stored, the Privacy Act now clearly applies. Most organisations have not assessed their security tooling from a privacy compliance perspective.

Real-Time Fraud Detection

Payment processors, e-commerce platforms, and financial services firms often run transactions through automated fraud detection engines. These engines may assess behavioural patterns, device fingerprints, location data, and transaction history in real time before returning a decision and discarding the input. Under the Bunnings ruling, that processing is collection.

Automated Form Scanning and Data Extraction

Systems that scan submitted documents or forms to extract and validate fields, then discard the raw input, are also caught. This is common in onboarding workflows, insurance claim processing, and legal document review tools.

API-Based Data Enrichment

If your CRM or marketing platform makes real-time API calls to enrich a contact record with third-party data, even if that enrichment data is evaluated and not saved, it has been collected. The same applies to identity verification services that process government ID data to confirm a match.

Why This Matters More Than You Think

The Bunnings ruling has implications far beyond facial recognition. Most Australian businesses have deployed at least one system that processes personal information transiently without thinking of it as data collection. The reason this has flown under the radar is straightforward: privacy compliance has traditionally focused on what you store, not what you process.

That framing no longer holds.

The “We Don’t Store It” Defence Is Gone

Many privacy policies and vendor contracts include language to the effect that certain data is “processed but not retained.” Under the Bunnings ruling, that distinction does not reduce your Privacy Act obligations. You still need to:

  • Have a lawful basis for the collection
  • Notify individuals via your Privacy Policy or at the point of collection
  • Handle the data securely during processing
  • Ensure any third-party tools processing the data on your behalf meet APP requirements

Small and Mid-Market Businesses Are Not Exempt

Businesses with an annual turnover above $3 million are subject to the full Privacy Act regime. If you operate a SaaS platform, a professional services firm with online intake forms, a retail business with modern analytics, or a financial services business with automated processes, the Bunnings ruling applies to you. Even some smaller businesses are covered if they handle health records or operate as contracted service providers.

Vendor Risk Is Now Your Risk

If a SaaS tool you use processes personal information transiently as part of its normal operation, you are the responsible party under the Privacy Act. The vendor’s privacy policy does not protect you. Your data processing agreements need to reflect the obligations that now apply.

What Australian Businesses Must Now Do

This is the practical part. The following checklist is a starting point, not a substitute for legal advice.

Step 1: Map Your Transient Data Flows

You cannot manage what you have not mapped. Work through every system in your environment and identify where personal information passes through without being permanently stored. This includes:

  • AI and machine learning inference engines
  • Real-time analytics platforms
  • Security monitoring tools (SIEM, EDR, DLP)
  • Chatbot and virtual assistant platforms
  • Automated document processing systems
  • Third-party enrichment and verification APIs

Document what data is processed, for what purpose, for how long, and by which vendor or tool.

Step 2: Update Your Privacy Policy

Your Privacy Policy must describe your data collection practices accurately. If it currently only describes data you store, it is likely incomplete. Update it to include transient processing activities that constitute collection under the Privacy Act. Be specific about the categories of data involved and the purposes for which they are processed.

Step 3: Establish a Lawful Basis for Each Collection Point

Under the Australian Privacy Principles (APPs), you must collect personal information only if it is reasonably necessary for one or more of your functions or activities. For sensitive information (including biometric data), the threshold is higher. Document the legitimate purpose for each transient collection point you have identified.

Step 4: Review Vendor Contracts and Data Processing Agreements

Any vendor that processes personal information on your behalf must be covered by a data processing agreement that requires them to handle that data in accordance with the APPs. Review your current contracts and update them where gaps exist. Pay particular attention to AI tool vendors, analytics platforms, and security service providers.

Step 5: Implement Security Controls for Transient Processing

The Privacy Act requires that personal information be protected from misuse, interference, loss, and unauthorised access. This obligation applies to data in transit and in processing, not just data at rest. Ensure that transient data flows are encrypted, access-controlled, and logged for audit purposes.

Step 6: Train Your Team

Your IT, legal, and compliance teams need to understand that the scope of privacy obligations has expanded. Privacy-by-design principles need to be applied to the design and procurement of any new system that processes personal information, regardless of whether that information is retained.

The Broader Picture: 2026 Privacy Act Reforms Coming Together

The Bunnings ruling does not exist in isolation. It arrives alongside a significant package of Privacy Act reforms that are reshaping compliance requirements for Australian businesses. For a full overview of those reforms and the December 10 automated decision-making (ADM) obligations, see our detailed guide to the 2024 Privacy Act reforms.

Two developments are particularly relevant in the current environment:

Automated Decision-Making Obligations (December 2025 / In Force 2026)

From December 10, businesses that use automated systems to make decisions that significantly affect individuals are required to provide transparency about how those decisions are made. If your transient data processing feeds into an automated decision, you have obligations under both the Bunnings ruling and the new ADM rules.

OAIC Enforcement Activity Is Escalating

The OAIC has signalled that it will conduct compliance sweeps across industries as part of its 2026 enforcement strategy. Facial recognition, AI tools, and automated processing pipelines are explicitly on the OAIC’s radar. Businesses that have not updated their privacy practices in response to the Bunnings ruling are at elevated risk of being caught in an enforcement action.

Additionally, the definition of personal information has been expanded in recent legislative amendments to explicitly include IP addresses, cookies, and device identifiers in many contexts. This widens the scope of transient collection significantly for any business running web analytics, behavioural advertising tools, or session recording software.

AI Tools and Automated Systems: The Biggest Compliance Gap

This is the area where businesses are most exposed, and where the least preparation has been done.

Microsoft Copilot and Enterprise AI

Microsoft Copilot, Google Workspace AI, and similar enterprise AI tools process vast amounts of personal information as part of normal usage. When an employee asks Copilot to summarise an email thread containing customer details, or uses it to draft a response that references a client’s personal circumstances, personal information is being processed. Whether that processing constitutes transient collection under the Bunnings ruling depends on the specific configuration of the tool and the retention settings in place.

Most businesses have deployed these tools without conducting a Privacy Impact Assessment (PIA). That is now a significant gap.

Customer-Facing Chatbots

If your website or support platform uses a chatbot, and that chatbot is capable of receiving messages containing personal information (which is almost any chatbot), you have a transient collection point that requires attention. This applies even if the chatbot is powered by a third-party provider and the conversation logs are held entirely in their infrastructure.

Analytics and Tracking Tools

Session recording tools, heatmap software, and behavioural analytics platforms routinely capture personal information. Many of these tools process and aggregate data transiently before returning analytics outputs. Under the Bunnings ruling, that processing requires a lawful basis, appropriate notice, and security controls.

What to Do About Your AI Stack

  • Conduct a Privacy Impact Assessment for every AI tool you have deployed
  • Review the data processing terms for each tool
  • Identify whether any tool processes biometric data, health data, or other sensitive information
  • Ensure your Privacy Policy discloses AI-based processing activities
  • Consider whether any of your AI tools trigger the December 10 ADM obligations

Frequently Asked Questions

Does this ruling apply to my small business?

The Privacy Act generally applies to businesses with an annual turnover above $3 million. However, certain categories of business are covered regardless of turnover, including health service providers, businesses that trade in personal information, and contractors to Commonwealth agencies. If you fall within one of these categories, or if you are approaching the $3 million threshold, you need to assess your transient data flows now.

What is “sensitive information” and why does it matter more?

Sensitive information includes biometric data, health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal records. The Privacy Act imposes stricter requirements for collecting sensitive information, including requiring explicit consent in most cases. Facial recognition systems, health-related chatbots, and identity verification tools are likely to be processing sensitive information transiently.

We use a third-party SaaS tool that processes data on our behalf. Are we still responsible?

Yes. You are the data controller. The SaaS vendor is your processor. Your obligations under the Privacy Act do not transfer to the vendor simply because they handle the technical processing. You need a data processing agreement in place, and you need to satisfy yourself that the vendor’s practices meet APP requirements.

Do we need to notify customers about transient data collection?

Yes, in most cases. Your Privacy Policy needs to accurately describe your collection practices, including transient processing that constitutes collection under the Bunnings ruling. Where collection occurs at a specific interaction point (such as a chatbot or intake form), you should provide a just-in-time notice at that point as well.

How quickly do we need to act on this?

The Bunnings ruling is already decided. The compliance obligations are not new; what is new is the clarity about how far they extend. If you have systems that transiently process personal information, you should be mapping those flows and updating your documentation now. Given the OAIC’s stated enforcement priorities for 2026, this is not a matter to defer to the next annual compliance review.

Get Ahead of This Before the OAIC Does

The Bunnings ruling has reset the privacy compliance baseline for every Australian business using modern technology. If you have AI tools, automated monitoring, real-time analytics, or any system that processes personal data as part of its operation, you are almost certainly caught by the expanded definition of collection.

The businesses that act now will be in a far stronger position when OAIC scrutiny arrives. The ones that wait will be scrambling to catch up.

Otto IT helps professional services firms in Australia navigate cybersecurity and compliance requirements. Our managed cybersecurity services include privacy and data handling assessments as part of a holistic security posture review. If you are not sure where your exposure sits, we can help you find out.

Book a consultation with our team to discuss your privacy compliance position, or get in touch with any questions.

This post is for general information purposes only and does not constitute legal advice. Businesses should seek independent legal advice regarding their specific obligations under the Privacy Act 1988.
