• Federal Court Holds No Damages for Trivial Privacy Breaches
  • September 14, 2012 | Author: Roland Hung
  • Law Firm: McCarthy Tétrault LLP - Calgary Office
  • The recent decision Townsend v. Sun Life Financial adds to the emerging case law on privacy damage awards under Section 16 of Personal Information Protection and Electronic Documents Act. In Townsend, the Court refused to award to damages to Mr. Townsend, who had alleged that Sun Life disclosed his medical information to a third party without his consent and had failed to safeguard his personal information. The Court determined that the breach was minor, that Mr. Townsend suffered no injury and that Sun Life promptly and effectively corrected its errors.

    What Happened in This Case?

    Under PIPEDA, among other things, an individual can apply to the Federal Court for an award of damages, after the individual has complained to the Privacy Commissioner and the Privacy Commissioner has investigated and issued a report on the matter.

    Mr. Townsend complained to the Commissioner alleging that Sun Life:

    • breached PIPEDA by misplacing his medical information
    • failed to safeguard it by sending information to the insurance advisor and addressing letters to incorrect addresses

    After the Privacy Commissioner found that the complaints had been resolved, Mr. Townsend applied to the Federal Court, seeking $25,000.00 in damages and declarations that Sun Life had breached PIPEDA and compelling Sun Life to publish a notice outlining the preventative measures implemented following the breaches.

    Although the Court found two breaches of PIPEDA, Justice de Montigny concluded that no unauthorized disclosure resulted from the error. Of the two letters sent to the incorrect address:

    • one was ultimately delivered to Mr. Townsend
    • the other was returned to Sun Life unopened

    As for the letter sent to the insurance adviser, the Court noted that the extent of the disclosure was minimal and the advisor promptly destroyed it upon request.

    What’s the Damage?

    The Court held that when principles of proportionality are applied such trivial breaches are not sufficient to justify damages awards. Although section 16 of PIPEDA allows damages for humiliation, the Court found that it should only exercise that discretion in egregious circumstances. In this case, the Court observed that Mr. Townsend had failed to provide any evidence of humiliation.

    In deciding not to award damages, the Court observed that “nobody should be held to a standard of perfection.” The Court also considered the actions of Sun Life following the breach. In particular, Sun Life had:

    • never denied the errors
    • not acted in bad faith or gained a commercial benefit from the errors
    • apologized repeatedly
    • informed Mr. Townsend of the preventative measures implemented following the breach

    Section 16 and Previous Decisions

    Section 16 of PIPEDA provides no guidance as to the quantum of damages that may be granted. There are also limited number of cases where the courts have awarded damages under section 16.

    From these cases, it appears that damages tend to be awarded where the breach is serious (involving sensitive information) and the respondent acted in bad faith or attempted to cover up the breach. Even in those cases where damages have been awarded, the awards have been relatively small. In situations where the respondent promptly took steps to rectify the error and put in place measures to prevent future disclosures, damages are less likely to be awarded.

    Decison

    Type of Info

    Allegations

    Court Findings

    Breach?

    Nature of Breach/Info

    Injury Suffered?

    Respondent’s Conduct

    Damages Awarded?

    Randall v. Nubodys Fitness Centres

    Frequency of fitness centre usage

    Disclosure of personal information to applicant’s employer without consent

    Yes

    Minimal - Information was at the low end of sensitivity

    No injury justifying an award

    Respondent took steps to modify its procedures and documentation. Breach adequately remedied by implementing implement Privacy Commissioner’s recommendations

    No award

    Nammo v. TransUnion of Canada Inc.

    Credit information

    Disclosure of inaccurate personal information to a lending institution

    Yes

    Serious - Financial Information of high personal and personal importance.

    Yes

    Respondent failed to take responsibility for its actions and failed to take prompt, reasonable steps to investigate and correct the record

    $5,000 plus $1000 for disbursements

    Stevens v. SNF Maritime Metal Inc.

    Personal Account information

    Disclosure of personal information to the Applicant’s employer without consent

    Yes

    Minimal - Information claimed was not deeply personal or intimate.  Rather it was commercial.

    Loss claimed was tied to termination for cause

    No evidence that the Respondent proceeded maliciously or with intent to harm the Applicant. The Respondent took the step of voluntarily implementing a confidentiality policy to ensure such circumstances did not arise again

    No award

    Landry v. Royal Bank of Canada

    Personal account information

    Disclosure of  information to divorce counsel for the Applicant’s ex-husband, without consent

    Yes

    Serious - but a large part of the injury suffered was as a result of the Applicant’s own actions

    Yes - humiliation

    Respondent’s employee tried to cover up her wrongful conduct but there was no evidence that the Respondent acted in bad faith. Respondent held a refresher session for the employees responsible for processing requests from third parties

    $4,500 with interest and costs

    Girao v. Zarek Taylor Grossman Hanrahan LLP

    Applicant’s name and information related to her claim for increased benefits

    Disclosure of personal information without consent. A law firm posted the Report of Findings of the Privacy Commissioner and cover letter on their website

    Yes

    The information was at the low end - personal but not highly sensitive

    Record did not establish that the Applicant suffered humiliation

    Respondent was careless but did not act in bad faith. They deleted all references on their website to the Applicant once they became aware of the concern

    $1,500 plus $500 for out of pocket expenses