Thursday, March 17, 2011

Damages Under PIPEDA by Greg

You should already know that the collection, use and disclosure of personal information by an organization carrying on commercial activity is regulated by the federal Personal Information Protection and Electronic Documents Act. But did you know that PIPEDA allows an applicant to claim damages for a privacy breach?

Here's the section setting out the Federal Court's powers on an application following a review by the Privacy Commissioner of Canada:

16. The Court may, in addition to any other remedies it may give,

(a) order an organization to correct its practices in order to comply with sections 5 to 10;

(b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); and

(c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.

To date, damages have been awarded in only one case. In Nammo v. TransUnion of Canada Inc., the applicant had been turned down for a business loan as a result of inaccurate credit information supplied by the respondent. The Privacy Commissioner's review determined that the breach had been resolved, but the applicant applied to court for damages as well as additional remedies under PIPEDA.

Zinn J. held as follows at para. 71-72, 74 in describing the circumstances in which damages should be awarded:

The fact that there is no precedent for an award of damages under PIPEDA should not impact the Court from making an award of damages where the circumstances and justice demands it. In my view, for the reasons that follow, this is such a case.

In Vancouver (City) v Ward, 2010 SCC 27, the Supreme Court awarded damages for a breach of the Charter even though it found that the breach was not “intentional, in that it was not malicious, high-handed or oppressive” and even though no financial loss had been proven. The Supreme Court addressed the different goals of awarding damages for a Charter breach; these include compensation, for which loss is relevant, but also vindication and deterrence, for which loss is not a determinative factor.

...

The Supreme Court found that “to be ‘appropriate and just’, an award of damages must represent a meaningful response to the seriousness of the breach and the objectives of compensation, upholding Charter values, and deterring future breaches.” In my view, the same reasoning applies to a breach of PIPEDA, which is quasi-constitutional legislation.

Zinn J. thus found that although the applicant had not proven any loss arising out of the PIPEDA breach, he was entitled to $5,000 in damages.

Other cases provide examples of circumstances where damages will not be awarded, including:

- where the applicant's real claim is for another type of wrong such as wrongful dismissal (Stevens v. SNF Maritime Metal Inc. ("Stevens") at para. 28, 31);

- where appropriate steps to remedy the breach have been taken by the respondent (Stevens at para. 32; Randall v. Nubodys Fitness Centres at para. 58-59); and

- where the applicant has signed a release agreement against liability for the subject matter of the complaint (Arcand v. Abiwin Co-operative Inc. at para. 39, 44).

In order to minimize the risk of a PIPEDA damages award, an organization should first take all reasonable steps to comply with PIPEDA in collecting, using and disclosing individuals' personal information. But even once a breach has occurred, an organization can significantly reduce its potential liability by taking steps to remedy the breach - both in revising its own practices to comply with PIPEDA, and in minimizing any damage to the complainant.

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please do not hesitate to contact us if you require legal advice related to PIPEDA compliance and risk evaluation.

Leave a comment

Comments