There has been a rapid expansion in the type and volume of information collected for security purposes following the terrorist attacks on the United States of America (‘US’) on 11 September 2001. This event has been described as precipitating a program of ‘globalized surveillance’. New technology, biometric identification and other developments such as metadata retention can provide governments with an increasingly comprehensive picture of citizens’ lives. This has resulted in a rapidly expanding use of human biometric information in law enforcement investigations and other applications. The first part of this article describes Automated Facial Recognition Technology (‘AFRT’) and its law enforcement and border security applications, as well as integration with image sources such as closed circuit television (‘CCTV’), social media and big data. Recent developments including biometric identification documents (licences and passports) and information sharing arrangements that promote searching between state, territory and national government databases to facilitate a national facial recognition system will be discussed. These developments are reviewed against the backdrop of tension between individual privacy rights and collective security objectives. The second part of the article examines existing privacy protections, law enforcement exemptions, and regulatory options based on an international review of current oversight models. As is often the case in relation to technological advancements, government regulation and the legal system have lagged behind, and potential regulatory approaches have not been adequately discussed in either public debate or the academic literature. In the absence of a constitutional bill of rights or a cause of action for serious invasion of privacy in Australia, there are limited protections in relation to biometric information, and those that do exist, such as protections provided by the Privacy Act 1988 (Cth), are subject to exemptions. This has led to a significant governance gap. In order to align with international regulatory practices, the functions and funding of the Office of the Australian Information Commissioner (‘OAIC’) should be strengthened or, alternatively, a Biometrics Commissioner should be introduced.