An Overview of Recent Privacy Law Cases: Observations and Trends
Canadian Access and Privacy Association (CAPA) Presentation
December 2, 2013
Address by Patricia Kosseim
Senior General Counsel and Director General, Legal Services, Policy and Research Branch
(Check against delivery)
I have been asked to give a brief overview of recent privacy law jurisprudence. There are some years when one has more or less content to work with, but this year, I must say, has been a particularly prolific year for the courts in this area.
Overall, we see three interesting themes arising from the jurisprudence:
- Increased judicial recognition of non-pecuniary privacy harms
- More sophisticated understanding of technological impacts on privacy
- Greater appreciation of the need for transparency and accountability
Theme 1: Increased judicial recognition of non-pecuniary privacy harms
Let me examine each trend in turn, beginning with increased judicial recognition of legitimate privacy harms even in the absence of financial loss.
Under section 16 of PIPEDA, the Court may award damages, including damages for humiliation that the complainant has suffered. In the past 3 years there has been a distinct evolution in how the Courts have assessed whether damages should be awarded under PIPEDA.
One of the first cases, Randall v. Nubodys Fitness Centre, involved a Fitness Centre that disclosed the applicant's frequency of gym use to his employer, without consent. Even though the Federal Court found a breach of PIPEDA, it saw it as "an unfortunate misunderstanding" and found no injury to the applicant that could justify damages. The impact of the disclosure on the applicant was minimal and there was no evidence that the employer had benefited commercially from the breach or acted flagrantly, callously or in bad faith. The Court set a very high bar stating that an award of damages under section 16 should be reserved for only the most egregious situations.
A subsequent case, Nammo v. Transunion, involved a credit reporting agency that mistakenly disclosed inaccurate information about the applicant to a bank resulting in him being turned down for a loan. Applying its earlier reasoning in Nubody's, the Court found that this did constitute an egregious situation. The Court held s. 16 of PIPEDA provides exceptionally broad power to award damages, but damages should be awarded on a principled basis, and be appropriate and just in the circumstances. Despite the lack of specific evidence presented, the Court was satisfied that in the circumstances experienced by the applicant, it would be an exceptional person who would not have been humiliated. In assessing the award of damages, the Court took guidance from the intervening SCC decision in Ward that granted $5000 in non-financial damages under s. 24(1) of the Charter for humiliation suffered by an individual during a strip search. Adopting the criteria in Ward - meaningful compensation, vindication and deterrence -the Court held that $5000 in damages (same quantum as in Ward) was commensurate with the seriousness of the breach, would further the objects of PIPEDA, uphold the values it embodies and deter future breaches.
Following these two decisions, the Courts continued to award damages in a line of subsequent privacy cases using Nubody's and Nammo as their gage indicator to assess damages somewhere between $0 for "unfortunate misunderstandings" and $5000 for "egregious situations". With each case, the Court's damages analysis becomes more refined, picking up additional criteria along the way:
- The impact of the breach on the health, welfare, social, business or financial position of the applicant;
- The conduct of the respondent before and after the breach;
- Whether the respondent benefited from the breach;
- The nature of the information at stake;
- The nature of the relationship between the parties;
- Prior breaches by the respondent indicating lack of respect for privacy;
- Increased public responsibility of the respondent;
- Whether the alleged injury resulted directly from the misconduct; and,
- The culpable conduct of the applicant him or herself.
Using a combination of some or all of these criteria, the Court awarded $4500 in one case; $1,500 in damages plus $500 for costs in another; and $2,500 in a third. But never, it seemed, did the Court want to go over the "Ward ceiling" of $5000, until now that is…
In a most recent case of Chitrakar v. Bell TV, involving a non-consensual credit check of a first-time customer of satellite TV, the Federal Court awarded the applicant $10,000 in damages, $10,000 in exemplary damages, plus $1,000 in costs.
The Court acknowledged the difficulty of assessing damages absent evidence of direct loss, but in a marked departure from Nammo, went on to say "there is no reason to require that the violation be egregious before damages will be awarded" for to do so would undermine the legislative intent of section 16.
Privacy rights are being more broadly recognized as important rights in an era where information on an individual is so readily available even without consent. It is important that violations of those rights be recognized as properly compensable.
Applying the Ward criteria of meaningful compensation, vindication and deterrence, but not the Ward quantum of $5,000, the Court went on to say that "Bell is a large company for whom a small damages award would have little material impact." Has size of the respondent company, and possibly its global annual revenue, become yet another criterion in assessing damages? Time will tell…
Some commentators have written that the Bell TV case is just a blip with little precedential value. They say it does not mark a "sea change" in the courts' attitude towards damages under PIPEDA. The case involved unique circumstances of a respondent company found to have acted reprehensibly toward the applicant, disregarded the Privacy Commissioner's remedial recommendations, and failed to even participate in the Court's proceedings.
But is it really just a blip? Or is it part of a crescendo of cases demonstrating the Court's growing ease and comfort with assessing damages for privacy breaches in the absence of financial loss?
To answer this, one needs to zoom out of s. 14 applications before Federal Court under PIPEDA and take a broader look at what is happening elsewhere. The recent Ontario Court of Appeal decision in Jones v. Tsige that awarded $10,000 to the plaintiff for breach of her financial records by a fellow employee snooper, is significant in this regard. In one of the most recent and comprehensive reviews of the law of privacy, the Court of Appeal set out three elements of the new common law tort of intrusion upon seclusion in Ontario, emphasizing that "proof of harm to a recognized economic interest is not an element of the cause of action".
Interestingly, the Supreme Court of Canada faced a somewhat similar challenge in A.B. v. Bragg Communications. The case involved a teenage girl seeking a court order to identify the subscriber associated with the IP address used to create a fake Facebook profile with her picture, her name and inappropriate sexual comments. What was at issue was her accompanying request to proceed anonymously and under a publication ban. Although the offending FB profile had been taken down, she feared that disclosing her name and her picture and reproducing the cyber bully's offensive remarks as part of the public court record, would re victimize her forever on the internet. Both lower courts refused her request, citing the absence of evidence of specific harm that would result to her from publication of the order.
In deciding that the girl's privacy interests constituted a justifiable exception to the open courts principle in this case, the Supreme Court took a more common sense approach, and had no difficulty inferring harm by applying reason and logic. Even in the absence of scientific or empirical evidence, a court may conclude that there is an objectively discernible harm. "It is logical to infer that children can suffer harm through cyber bullying, given the psychological toxicity of the phenomenon."
Theme 2: Increased judicial understanding of the potential impacts of information technology
Another theme we see arising from the recent privacy jurisprudence is the courts' increasing level of sophistication with information technology and its potential impacts on privacy.
In setting out its rationale for creating the new common law privacy tort in Jones v. Tsige, the Ontario Court of Appeal expressly recognized the need to evolve the law with changes in technology.
The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cell phone, e-mail or text message.
The recent case of Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, involved a constitutional challenge to Alberta's private sector privacy legislation on the grounds that it unjustifiably prohibited unions' expressive activity in the context of lawful picketing. On that basis, the Supreme Court unanimously struck down the legislation, but not without first acknowledging that PIPA is rationally connected to pressing and substantial objectives particularly in the modern context where:
- "new technologies give organizations an almost unlimited capacity to collect personal information, analyze it, use it and communicate it to others for their own purposes",
- "the list of those who may access and use personal information has expanded dramatically and now includes many private sector actors" and,
- "potential harm … flows from the permanent storage or unlimited dissemination of personal information through the Internet or other forms of technology without an individual's consent."
Even more recently in R v. Vu, the SCC unanimously held that the particular privacy interests in computers or other similar devices require specific judicial pre-authorization before being searched in accordance with section 8 of the Charter. A warrant to search premises requires reference more specifically to the particular device as being a separate place. In recognizing the heightened privacy interests in computers, the SCC held:
- "It is difficult to imagine a more intrusive invasion of privacy than the search of a personal or home computer";
- they "store immense amounts of information, some of which, in the case of personal computers, will touch the 'biographical core of personal information'";
- they "contain information that is automatically generated, often unbeknownst to the user";
- "Computers …create information without the users' knowledge and they retain information that users have tried to erase. These features make computers fundamentally different from (other) receptacles…."
In questioning counsel for AG Canada, Justice LeBel even asked about the implications of cloud computing — which is exactly the kind of questions the Courts should be asking!
How the Court will treat subscriber information associated with an IP address is yet another complex technological question at issue in R v. Spencer to be heard December 9. What privacy protection will be afforded to this gateway information remains to be seen.
Theme 3: Increased judicial appreciation for the need for transparency and oversight
The third trend we see arising from the jurisprudence is recognition by the courts that even when privacy rights must give way to justifiable infringements in the name of security and law enforcement, there must be transparency and accountability for the collection, use and disclosure of citizens' personal information.
Telus Communications Company v. the Queen involved a case where the SCC grappled with whether the police's prospective, daily acquisition of text messages stored on Telus' servers was lawful under the general warrant power, or whether the more onerous threshold of wiretap authorization was required. The majority found that collecting the text messages constituted an interception within the meaning of s. 183 of the Criminal Code. Justice Abella reasoned that, "text messaging is, in essence an electronic conversation" that "…bears several hallmarks of traditional voice communication - transmission is generally instantaneous and there is an expectation of privacy in the communication".
Given this, a more rigorous wiretap authorization was required in order to ensure greater oversight and transparency over the extraordinary use of this power: the Attorney General must request the authorization, police must show that other investigative procedures have been tried and failed, they must provide notice to the targeted individuals, and they must identify which other individuals' private communications may be acquired in the course of the search.
R v. Tse 2012 concerned the constitutionality of the relevant section of the Criminal Code which allows police wiretapping without prior judicial warrant in narrow exigent circumstances. The SCC ruled that although the provision struck an appropriate balance between the right to privacy and the need to urgently intercept communications to prevent serious harms in narrow exigent circumstances, the provision nonetheless violated s. 8 of the Charter by not providing an oversight mechanism on the use of these extraordinary powers, nor an after-the-fact notice requirement to persons whose private communications had been intercepted. To repair these defects, the Government recently adopted Bill C-55 to provide for a proper reporting regime to Parliament and a notification requirement to targeted individuals so that they may rightfully challenge the interception and seek meaningful remedy in appropriate cases.
A more recent case is also illustrative of this third trend. In his 2012 Annual Report of the Communications Security Establishment Commissioner (CSEC), Justice Decary recommended that additional evidence be provided to the Federal Court about the nature and extent of the assistance CSEC may provide to CSIS. On reading this, Justice Mosley of the Federal Court summoned counsel of CSEC and CSIS to explain before him what was meant by Decary's recommendation and whether it was related to previous warrants he had issued under the CSIS Act permitting interception from within Canada of foreign communications of individuals while travelling outside Canada.
In a rare and rather extraordinary public summary of classified reasons rendered just last week, Mosley J. found that CSIS breached "its duty of candour" to the Court by not disclosing information that was relevant. The Court held that such information must be disclosed on any subsequent applications for similar warrants and made clear that the use of the assets by the Five Eyes community is not authorized under any warrant issued to CSIS pursuant to the CSIS Act.
It is not without reason then, that we are seeing increasing calls for more appropriate and effective oversight structures to oversee Canada's security intelligence activities.
These are indeed interesting times for privacy law before the Courts. I would be happy to take any questions or comments.
- Date modified: