Privacy: Linking Damage Awards to Values
If you’re someone caught up in a data breach or a person who can point to an actual violation of privacy, an obvious question is whether you suffered harm and should you be compensated? Three PIPEDA-related decisions from Canadian courts in 2010 offer a glimpse of different approaches to the subject of privacy-related damages.
Randall v. Nubodys Fitness Centres involved an employee who had a corporate membership in a gym that disclosed the frequency of visits to the employer. The employee discovered this fact and complained to the fitness centre. He eventually left the company but felt that his relationship with his employer had become damaged by reason of his complaint.
Following the Privacy Commissioner’s favourable finding, Mr. Randall made an application under s. 16 of PIPEDA for $85,000 in damages. The facts really didn’t provide any evidence that the disclosure was linked to the applicant’s dismissal and the court dismissed the application. In doing so, Mr. Justice Mosley stated:
“Pursuant to section 16 of the PIPEDA, an award of damages is not be made lightly. Such an award should only be made in the most egregious situations. I do not find the instant case to be an egregious situation.”
The next case of 2010, Stevens v. SNF Maritime Metal Inc., was really a last-gasp attempt to wring termination money out of a former employer and also has “unhelpful” language.
Stevens was an employee of a company that collected and recycled scrap metal who was tasked with delivering the scrap metal to a buyer on behalf of his employer. He opened a personal account with the buyer and had the proceeds of any delivery credited to his own account as opposed to his employer’s. When this was discovered, he was fired.
The Privacy Commissioner found PIPEDA had been violated with the release of the Stevens’ account information to his employer (it was, after all, a personal account) and Stevens then filed a s. 14 application seeking s. 16 damages in the amount of $148,000.
Mr. Justice Phelan saw through the ruse and I don’t think anyone would argue with the result but some of the language used raises further questions:
The Applicant’s claim, in excess of $148,000, is out of proportion to the privacy invaded. The information disclosed was not deeply personal or intimate. It was commercial and the type of information frequently spoken about in a social context.
Therefore, I find that the damages claimed are not those for breach of the Act but for wrongful termination. To the extent (if any) that privacy is involved, it is minimal and the Applicant has put forward no other evidence of impact on his standing or community perception or similar features of a breach of privacy claim.
Granted the awarding of damages under s. 16 is discretionary but, in Stevens, we now have some criteria to consider: the nature of the information, the extent of privacy invasion and evidence pertaining to standing or community perception.
From Randall one concludes that one is to look at the injury, the respondent’s conduct and then award damages only in the “most egregious situations”. “Most egregious situations” is a rather high bar. Stevens suggests only “deeply personal and intimate” information warrants an award of damages. Both these decisions would seem to apply traditional concepts of damages as compensation for harm. Yet PIPEDA can also be considered a “regulatory regime” and so shouldn’t damages have a broader role even if there is little evidence of harm to the individual?
In the last damages case of 2010, Nammo v. Transunion of Canada Inc., the applicant’s circumstances were very different and the court took a different approach. Mr. Nammo lost a business opportunity because he was denied a loan – a decision based a bad credit report and by being wrongly identified by Transunion. The Court awarded $5,000 in damages. Mr. Justice Zinn, while noting the “most egregious” language of Randall, addressed the subject of damages and relied on Vancouver (City) v Ward, where the Supreme Court of Canada awarded damages for a breach of the Charter even though no financial loss had been proven. At paras. 25 and 30, the Court wrote that:
For damages to be awarded, they must further the general objects of the Charter. This reflects itself in three interrelated functions that damages may serve. The function of compensation, usually the most prominent function, recognizes that breach of an individual’s Charter rights may cause personal loss which should be remedied. The function of vindication recognizes that Charter rights must be maintained, and cannot be allowed to be whittled away by attrition. Finally, the function of deterrence recognizes that damages may serve to deter future breaches by state actors. [emphasis in original]
However, the fact that the claimant has not suffered personal loss does not preclude damages where the objectives of vindication or deterrence clearly call for an award.
Mr. Justice Zinn stated:
The Supreme Court found that “to be ‘appropriate and just’, an award of damages must represent a meaningful response to the seriousness of the breach and the objectives of compensation, upholding Charter values, and deterring future breaches.” In my view, the same reasoning applies to a breach of PIPEDA, which is quasi-constitutional legislation.
In applying Ward to PIPEDA, Nammo offers a new way to argue damage claims in the context of privacy values. Let’s hope future decisions link privacy-related damages to what’s appropriate and just in upholding privacy values.