Corporate Conduct & Privacy Damages
The privacy bar sat up and took notice last week of a decision out of Halifax that upped the ante when it comes to PIPEDA damage awards. The case is more about “reprehensible conduct” than “harm suffered” and one question that immediately comes to mind is whether it represents an evolution in judicial thinking about privacy and corporate conduct.
Courts have tended to be more conservative that Commissioners when it comes to PIPEDA and I can recall only two damage awards to date – one for $5,000, the other for $4,500. Not exactly encouraging if one wants to change errant corporate behaviour when it comes to personal information. Given that context, I think it safe to say the $21,000 damage award in Chitrakar v. Bell TV stands out as extraordinary.
The story is as extraordinary as the damage award. While its rare that one can directly quote the facts in a judicial decision without reducing the word count, this case proves to be an exception:
“On December 1, 2010, Chitraker ordered satellite television service from Bell. He was a first-time Bell customer and had no credit history with Bell.
The service was installed on December 31, 2010. At that time Chitraker was required to provide his signature on what is known as a POD Machine (Proof of Delivery Device)… It is a 3” x 3” digital box which allows only for a signature. Chitraker believed that he was simply confirming delivery of the satellite system.
What Bell did with the signature was to embed it on its Bell TV Rental Agreement – a multi-page document in small print – and to then use the Rental Agreement. Chitraker was not given a copy of the Rental Agreement at that time.
This dubious contracting process was compounded by the provision in the Rental Agreement (Clause 5) which authorizes Bell to perform credit checks on a customer.
After service was installed, Chitraker ordered his credit report at which time he learned that Bell had accessed his credit history on December 1, 2010. Leaving aside concerns with the validity of Bell transferring Chitraker’s signature from the POD Machine to the Rental Agreement, the credit check was conducted one month before Mr. Chitrakar signed anything.”
The Court’s condemnation was as swift as it was pithy:
“Bell’s conduct in this matter is reprehensible in respect to Chitraker’s privacy rights. Not only did Bell violate those rights, it has shown no interest in compensation or apparently any interest in addressing the CSR’s actions nor in following the Privacy Commissioner’s remedial recommendations. Its failure to appear in this Court is consistent with its disregard of Chitraker’s privacy rights.
Of particular significance were the court’s comments about calculating damages:
“…there is no reason to require that the violation be egregious before damages will be awarded. To do so would undermine the legislative intent of paragraph 16(c) which provides that damages be awarded for privacy violations including but not limited to damages for humiliation.
Privacy rights are being more broadly recognized as important rights in an era where information on an individual is so readily available even without consent. It is important that violations of those rights be recognized as properly compensable.
The Court must bear in mind such factors as meaningful compensation, deterrence and vindication (see Vancouver (City) v Ward, 2010 SCC 27 (CanLII), 2010 SCC 27,  2 SCR 28).”
This is another instance of Ward being cited as part of the justification for awarding damages. Also the requirement for egregious conduct, as articulated in Randall v. Nubodys Fitness Centres and noted in this post set a pretty high bar for a claimant to meet. With this decision the “egregious conduct” test has been summarily jettisoned.
You don’t often see words as “reprehensible” and “dubious practice” associated with a major company in Canada and one does wonder if there is an internal process at Bell TV to ensure business practices do not run afoul of privacy requirements. With this decision, it would seem that corporate conduct is moving front and centre as part of the criteria for determining damages. As a result, corporate privacy officers should move “business process review” up as a work item on their “to do” lists.