What’s Privacy Worth?

I recently came across a calculator while reading a Financial Times article (registration required) on the surveillance of consumers. It shows just how much marketers value our personal data – apparently it’s just pennies and we don’t even have those in Canada anymore. This 2010 Forbes article talks about the monetization of  personal data and even refers back to the last century (well, 1999) as to early efforts to do so. The European Commission even had a study done on the subject of pricing models for personal data privacy which you can find here. We’re also starting to see courts awards, which gives a rough valuation as to damages. Given these different aspects, people are increasingly interested in asking what’s privacy worth.

As we hear more and more about “big data, personal information will increasingly be at the heart of more sophisticated and personalized sales and marketing efforts. After all, Facebook is worth billions because it provides a platform to monetize the personal information shared there. The EC study shows that some thinking is being applied to the economics of privacy to see if there might be a means to compensate individuals for the use of their data. How that will work (micro-payments anyone?) remains to be seen but one does have to applaud the effort because it indicates a perspective where rights and the control of those rights reside with the individual. One might argue that information rights should be treated the same as intellectual property rights. Whether we ever get there is debatable but privacy advocates cannot continually remain on the defensive and complain about large scale collections of personal information. It may be time for new “non-regulatory” thinking with respect to personal information.

Whenever, the boundary between the real world and our personal lives is crossed, people can often experience a very raw, emotional, visceral reaction. The strength of that reaction can be linked to the intensity of the intrusion into the realm of what we consider “private”. Perhaps this is why the word “violations” is often and easily juxtaposed with “privacy”.

But it’s hard to assign a “number” to that violation, especially in the courts. A UK decision, Halliday v. Creation Consumer Finance Limited , about damages following a default judgment for breach of the U.K. Data Protection Act 1998  is, I think, the most recent illustration of this point. Mr Halliday sued, CCF did not defend and a default judgment was entered. Both the court of first instance and the appeal court declined to consider a claim for damages for distress. This seems odd given that section 13(2) of the UK legislation explicitly states that compensation for distress is permitted. A plain reading of the provision indicates that (1) the claimant has to be an individual, who (2) has suffered distress (3) caused by violation by a data controller of the Data Protection Act.

Upon further appeal, the nominal damage award of £1 opened the way for consideration of an award for damages for distress and it appears that, in Halliday, the question of damages under 13(2) has come before a UK court for the first time. In this case, there was no egregious violation of privacy and the court awarded £750 for distress. Two aspects of the case were intriguing. First, Mr. Halliday had to pursue the matter through three levels of courts (District Court, appeal to County Court and then another appeal  to the Court of Appeal) to get even a nominal amount. Second, the Court of Appeal rejected an analogy to discrimination cases in order to fix a value for the privacy violation.

The Halliday claim for distress was based in legislation and it is not clear he would have succeeded but for s. 13(2). In Canada, last year’s seminal Jones v. Tsige “intrusion upon seclusion” decision recognized that one element for any successful claim of damages is “any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong”. In Jones, the damages award was $20,000.

Also, the Federal Court, Trial Division has discretion to make any award under PIPEDA, arguably including an award for distress.  But PIPEDA damage awards did not arrive until the Nammo decision in 2010. There, the award was $5000. Damages awarded in Landry v Royal Bank of Canada in 2011 were slightly less at $4500. Whether these are aberrations or it just took the courts a few years to get comfortable with the idea of awarding damages remains to be seen.

These may seem decent award amounts to a causal reader but, as anyone who’s been in court will tell you, litigation is an expensive business. Those seeking to sue often need to be told that they might “win the battle but lose the war” given the potential for paying costs in the event of a loss and awards far less that their legal bills if they win. Evidence of this can be found in the fact that the plaintiff in Jones eventually was sued by her lawyer for his fees.

We may value privacy but we’re still trying to figure out what it’s worth.