When privacy violations occur, the first reaction for many victims is to search for a way to stop the offending conduct. The second response may be to invoke the law by filing a complaint with the Privacy Commissioner of Canada. Hundreds of complaints are filed every year and most are resolved with an explanation for what occurred, a change in corporate policy, or occasionally a formal apology. A growing number of complainants have been left unsatisfied with this outcome, however, and are turning to the courts for damage awards.
Two recent Federal Court decisions grappled with the issue of damage awards for privacy violations and arrived at the same conclusion – personal privacy is not worth much when it comes actual compensation for privacy breaches or abuses.
In one case, a company employee attended a fitness club with the company paying half of the monthly fee as a workplace benefit. Unbeknownst to the employee, his attendance at the club was regularly reported back to the company. The employee argued that the fitness club breached his privacy rights by disclosing his activities without obtaining appropriate consent.
Both the Privacy Commissioner and the courts agreed with the employee – the club had not disclosed its disclosure practices nor obtained the necessary consents. The employee sought damages from the breach, pointing to an uncomfortable workplace environment where his workout habits were disclosed at a staff meeting. The employee later left his job with the sense that he was reprimanded for raising his privacy concerns.
Yet despite concluding that there was a privacy violation, the court declined to award any damages, setting a very high bar for the prospect of damage awards under Canadian privacy law. According to the court, “an award of damages is not be made lightly. Such an award should only be made in the most egregious situations.”
The court pointed to phone-tapping or secretive video taping as examples of egregious violations. For most typical breaches, which often involve a misunderstanding and the absence of malicious behaviour, the court concluded that damages awards are inappropriate.
The second case also involved an employment situation gone bad, as the employee of a scrap metal company was terminated after his employer discovered he was conducting some trades through a personal account. The company became aware of the activity after a disclosure of the employee’s personal account information without consent.
Once again, both the Privacy Commissioner and the court concluded that there was a violation of the law. The court refused to award damages, however, citing the absence of malicious conduct or the intent to harm.
Damages or penalties are also missing from proposed new privacy reforms that would establish mandatory notification to affected individuals in the event of a privacy breach. The reforms, which are scheduled to go before a House of Commons committee within the next few weeks, do not contain any specific penalties for failure to abide by the law.
While the desire to limit damage awards to serious privacy breaches is understandable, the evolving case law may have the unintended consequence of diminishing respect for privacy compliance. Many organizations adopt a bottom-line approach to managing legal risk. By adopting an extremely high bar – it is rarely the case that organization will intentionally and maliciously violate someone’s privacy – it has largely removed damages as an option, sending the message that privacy violations are something to be resolved, rather than compensated.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at firstname.lastname@example.org or online at www.michaelgeist.ca.