Columns

Canadian Courts Set High Bar for Privacy Damage Awards

When privacy violations occur, the first reaction for many victims is to search for a way to stop the offending conduct. The second response may be to invoke the law by filing a complaint with the Privacy Commissioner of Canada. Hundreds of complaints are filed every year and most are resolved with an explanation for what occurred, a change in corporate policy, or occasionally a formal apology.  My weekly technology law column (Toronto Star version, homepage version) notes that a growing number of complainants have been left unsatisfied with this outcome, however, and are turning to the courts for damage awards.

Two recent Federal Court decisions grappled with the issue of damage awards for privacy violations and arrived at the same conclusion – personal privacy is not worth much when it comes actual compensation for privacy breaches or abuses.

In one case, a company employee attended a fitness club with the company paying half of the monthly fee as a workplace benefit.  Unbeknownst to the employee, his attendance at the club was regularly reported back to the company.  The employee argued that the fitness club breached his privacy rights by disclosing his activities without obtaining appropriate consent.

Both the Privacy Commissioner and the courts agreed with the employee – the club had not disclosed its disclosure practices nor obtained the necessary consents.  The employee sought damages from the breach, pointing to an uncomfortable workplace environment where his workout habits were disclosed at a staff meeting.  The employee later left his job with the sense that he was reprimanded for raising his privacy concerns.

Yet despite concluding that there was a privacy violation, the court declined to award any damages, setting a very high bar for the prospect of damage awards under Canadian privacy law.  According to the court, “an award of damages is not be made lightly.  Such an award should only be made in the most egregious situations.”  

The court pointed to phone-tapping or secretive video taping as examples of egregious violations.  For most typical breaches, which often involve a misunderstanding and the absence of malicious behaviour, the court concluded that damages awards are inappropriate.

The second case also involved an employment situation gone bad, as the employee of a scrap metal company was terminated after his employer discovered he was conducting some trades through a personal account.  The company became aware of the activity after a disclosure of the employee’s personal account information without consent.

Once again, both the Privacy Commissioner and the court concluded that there was a violation of the law.  The court refused to award damages, however, citing the absence of malicious conduct or the intent to harm.

Damages or penalties are also missing from proposed new privacy reforms that would establish mandatory notification to affected individuals in the event of a privacy breach.  The reforms, which are scheduled to go before a House of Commons committee within the next few weeks, do not contain any specific penalties for failure to abide by the law.

While the desire to limit damage awards to serious privacy breaches is understandable, the evolving case law may have the unintended consequence of diminishing respect for privacy compliance. Many organizations adopt a bottom-line approach to managing legal risk.  By adopting an extremely high bar – it is rarely the case that organization will intentionally and maliciously violate someone’s privacy – it has largely removed damages as an option, sending the message that privacy violations are something to be resolved, rather than compensated.

13 Comments


  1. The first case is weak. If I have an agreement with my company that they pay half of my phone bill, then I’ll have to eventually show them the phone bill period. If I don’t want them to see it then I shouldn’t use the discount.

    “The employee sought damages from the breach, pointing to an uncomfortable workplace environment where his workout habits were disclosed at a staff meeting.”

    Now that’s a completely different issue. A company engaging in discussing private matters of the personnel at staff meetings is breaking elementary workplace conduct codes.

    Nap.

  2. email in the company
    There is an issue which is still quite unclear in the canadian law: emails on the workplace.

    * Email content when working in a company. Does the employer have the right to look at the content of emails of an employee (received and sent)? with notice. without notice.

    * Email content once the employes left the company. What is the secret of an email address of an employee who left the company.

    My take on this is that an email address and its content is part of the private mean of communication and must not be recorded or watched. If there is a policy of collective benefits then there should be a mailing list to cc: the communications for archiving.

    Once the employee has left, the most sensitive thing to do is to create an autoreply on the email saying back to the original sender: “Mr/Ms X has left the company Z on [date], his/her new email address is [email]. If you need to contact someone from the company Z, please send again your email to Mr/Ms Y.” The content of the email should not be readable by the company in any circumstances.


  3. @karl:

    The safe rule for employees is to assume that anything you do using the company’s infrastructure (including but not limited to terminals, servers, wireless/wired/VPN network) may be looked at accidentally or intentionally and without notice. And that all the information hosted on said infrastructure (including your corporate e-mail) is the company’s property.

    So even if you’re using your personal laptop to check your private Yahoo mail, if you do this through the corporate VPN or using their network, assume that they can peek into it.

    My advice: do your personal stuff on your personal hardware connected through your personal internet connection.

    Don’t mix personal and corporate stuff on the same computer. Use the corporate laptop for business and your personal one for personal matters. Never connect your personal hardware to the corporate network.

    Nap.

  4. Napalm, this is my personal policy. But that doesn’t answer the legal point. For example, in France, it is forbidden for the employer to do it.


  5. France is not always a good model to follow (think HADOPI lol).

    Normally a company is entitled to own all the work you have done for them as an employee. This includes your business e-mail, so unless there is a specific law or work contract mentioning otherwise, the e-mail is theirs to do whatever they please with it.

    Now here’s a more convoluted example:

    You’re an employee of company A, a manufacturer of hardware and software. They dispatch you on the premises of company B, their client, to diagnose a malfunction of a server. Company A issues you a notebook that contains field diagnostic software and a corporate Blackberry. During the tests you realize that a controller board in a server has corrupted firmware and you need a file with that firmware from your headquarters, then you could upload it to the controller’s memory and fix the issue.

    How do you jockey with your communications, as you have access only to company B network, and that firmware file is sensitive (patented, copyrighted and confidential).

    Nap.

  6. This is funny…well maybe 1984
    So, from reading this, since I am the politicians employer I can spy or bug all their communication…is that for real?


  7. @CndCitizen: “So, from reading this, since I am the politicians employer I can spy or bug all their communication…is that for real? ”

    Only those related to their work. Theoretically you shouldn’t need to bug them, they should provide that information themselves:

    http://en.wikipedia.org/wiki/Access_to_Information_Act

    Nap.

  8. @CndCitizen
    Realistically the relationship between the taxpayers and the politicians is more like the relationship between employees and the shareholders than employee/employer. A shareholder, for instance, has no right to know what your salary is; nor do they have a right to look at your emails. While this isn’t an exact comparison, look at it as a flavour of the relationship.

    Access To Information legislation confuses matters. Someone who doesn’t pay taxes has the same rights to government info that a taxpayer does, for the same price. The argument that they work for the citizens doesn’t hold water either; a resident non-citizen can make the same request for the same price. Note as well that not everything is releasable through Access to Information legislation. Classified info isn’t. As understand it Cabinet notes aren’t. Information which the IP is not owned by the Government of Canada cannot be released without consent of the owner (for instance, DND buys equipment from company X… a competitor cannot use the Access rules to acquire the documents from the Canadian government to build a replacement piece of gear or to interface to it).

  9. Nap/Anon-K

    Sorry, I should have put a smiley in my note…as I was being sarcastic 🙂 I know you can’t bug the politicians…


  10. @CndCitizen: “I know you can’t bug the politicians…”

    Your employer cannot bug you either. Installing video cameras in the washrooms or bugging your private cell phone are a no go.

    But he is supposed to have access to all the work you have officially done for him as an employee. He actually paid you for it, there’s no way to deny him access.

    And, unlike “arteests”, there’s no royalty system in place that mandates him to pay me for my whole life and 50 years after for work I did on some Monday.

    Nap.

  11. Bugged!
    Michael just tweeted this:

    http://parlvu.parl.gc.ca/ParlVu/ContentEntityDetailView.aspx?ContentEntityId=7018

    where you’ll be able to watch the C-32 committee meeting at 15:30.

    As you can see, the Parliament is already “bugged” for you.

    Nap.

  12. Kelly Manning says:

    privacy awards
    I collected $176 and change in Small Claims, BC Credit Reporting Act Minimum Civil Remedy, plus filing fees, service fees, and interest the last time a Realtor data mined my non-published name and address to solict me, then got that data leak plugged.

    An Ontario woman used Trespass to collect $500 from Columbia House back in 1992, related to commercial abuse of her name and address.
    Mather v. Columbia House (6 August 1992), 10315/91 (Ont. Ct. Gen. Div.)

    I also got a $100 credit, and an explanation, from Shaw Cable in 2006, but only after I got the Federal Privacy Commission involved. Prior to that Shaw told me that my account was flagged as Do Not Solicit and insisted it could not be happening, despite receiving copies of several sets of marketing material with my name and address.

    I got a reply from Shaw’s head of legal after that, saying that their marketer had ignored the Do Not Solicit flag when extracting names, unpublished addresses and unpublished phone numbers. I also got a $100 credit, despite my demand for $100 for each phone call and individual snail mail spam, based on the Credit Report Act Minimum Civil Remedy and the fact that I get paid a minimum of $80 if I get called about home after hours, even if it is just a 10 minute phone call.

    I made the point that personalized snail spam and statements from utilities is a gold mine for identify thieves and that I was free to charge whatever I wanted for my time spent burning or shredding junk mail with my name, address and other personal data on it.

    Shaw temporarily started printing DEAR RESIDENT on my monthly invoices, but reverted back to my name in the detailed Invoice area after the 2009/Feb invoice. That initial action showed initiative on Shaw’s part. The fallback showed that customer privacy and the risk of Invoices being used for Identity Theft is not something Shaw understand and apply consistently.

  13. شات صوتي says:

    http://voice.7p-e.com
    شات صوتي

    شات صوتيه

    دردشه صوتيه

    شات حبي

    شات الحب

    شات

    دردشه

    منتديات

    شات سعودي

    شات بنت ابوي

    دردشه كتابيه

    توبيكات

    توبيكات حبي

    العاب حبي

    العاب

    دليل مواقع

    دليل

    دليل حبي

    شات كتابي

    شات حب كام

    حب كام

    شات صوتي الوله

    مواقع صوتيه

    شاتات صوتيه

    شات صوتي

    شات صوتي بنات

    شات صوتي خليجي

    شات صوتي عربي

    شات صوتي بنات

    شات صوتي الغلا

    شات صوتي حسايف

    شات صوتي عفناك

    شات صوتي فوكس العرب

    شات صوتي جروح

    شات صوتي الرياض

    شات صوتي روعه المشاعر

    شات صوتي عرب توك

    شات دلع

    شات صوتي قلبي

    شات حسايف

    شات صوتي تعب قلبي

    طرب فله

    شات طرب فله

    دردشة طرب فله

    شات القصيم

    دردشه القصيم

    دردشة القصيم

    شات سكر بنات

    شات صوتي

    سكر بنات

    سعودي اح

    شات سعودي اح

    دردشة سعودي اح

    صوتية سعودي اح

    سعودي اح الصوتيه

    سعودي كام

    سعودي كول

    واو اح

    اح

    سعودي احيه

    كام اح

    بنت اح

    شات اح

    دلع اح

    شات عرش السحاب