The recent decision Townsend v. Sun Life Financial adds to the emerging case law on privacy damage awards under Section 16 of the Personal Information Protection and Electronic Documents Act (PIPEDA). In Townsend, the Court refused to award damages to Mr. Townsend, who had alleged that Sun Life disclosed his medical information to a third party without his consent and had failed to safeguard his personal information. The Court determined that the breach was minor, that Mr. Townsend suffered no injury and that Sun Life promptly and effectively corrected its errors.
What Happened in This Case?
Under PIPEDA, among other things, an individual can apply to the Federal Court for an award of damages, after the individual has complained to the Privacy Commissioner and the Privacy Commissioner has investigated and issued a report on the matter.
Mr. Townsend complained to the Commissioner alleging that Sun Life:
- breached PIPEDA by misplacing his medical information
- failed to safeguard it by sending information to the insurance advisor and addressing letters to incorrect addresses
After the Privacy Commissioner found that the complaints had been resolved, Mr. Townsend applied to the Federal Court, seeking $25,000.00 in damages and declarations that Sun Life had breached PIPEDA, and seeking to compel Sun Life to publish a notice outlining the preventative measures implemented following the breaches.
Although the Court found two breaches of PIPEDA, Justice de Montigny concluded that no unauthorized disclosure resulted from the error. Of the two letters sent to the incorrect address:
- one was ultimately delivered to Mr. Townsend
- the other was returned to Sun Life unopened
As for the letter sent to the insurance advisor, the Court noted that the extent of the disclosure was minimal and the advisor promptly destroyed it upon request.
What’s the Damage?
The Court held that, when principles of proportionality are applied, such trivial breaches are not sufficient to justify damages awards. Although section 16 of PIPEDA allows damages for humiliation, the Court found that it should only exercise that discretion in egregious circumstances. In this case, the Court observed that Mr. Townsend had failed to provide any evidence of humiliation.
In deciding not to award damages, the Court observed that “nobody should be held to a standard of perfection.” The Court also considered the actions of Sun Life following the breach. In particular, Sun Life had:
- never denied the errors
- not acted in bad faith or gained a commercial benefit from the errors
- apologized repeatedly
- informed Mr. Townsend of the preventative measures implemented following the breach
Section 16 and Previous Decisions
Section 16 of PIPEDA provides no guidance as to the quantum of damages that may be granted. There are also a limited number of cases where the courts have awarded damages under section 16.
From these cases, it appears that damages tend to be awarded where the breach is serious (involving sensitive information) and the respondent acted in bad faith or attempted to cover up the breach. Even in those cases where damages have been awarded, the awards have been relatively small. In situations where the respondent promptly took steps to rectify the error and put in place measures to prevent future disclosures, damages are less likely to be awarded.
|Decision||Type of Info||Allegations||Court Findings: Breach?||Court Findings: Nature of Breach/Info||Court Findings: Injury Suffered?||Court Findings: Respondent’s Conduct||Court Findings: Damages Awarded?|
|Randall v. Nubodys Fitness Centres||Frequency of fitness centre usage||Disclosure of personal information to applicant’s employer without consent||Yes||Minimal – Information was at the low end of sensitivity||No injury justifying an award||Respondent took steps to modify its procedures and documentation. Breach adequately remedied by implementing the Privacy Commissioner’s recommendations||No award|
|Nammo v. TransUnion of Canada Inc.||Credit information||Disclosure of inaccurate personal information to a lending institution||Yes||Serious – Financial information of high personal importance.||Yes||Respondent failed to take responsibility for its actions and failed to take prompt, reasonable steps to investigate and correct the record||$5,000 plus $1,000 for disbursements|
|Stevens v. SNF Maritime Metal Inc.||Personal account information||Disclosure of personal information to the Applicant’s employer without consent||Yes||Minimal – Information claimed was not deeply personal or intimate. Rather it was commercial.||Loss claimed was tied to termination for cause||No evidence that the Respondent proceeded maliciously or with intent to harm the Applicant. The Respondent took the step of voluntarily implementing a confidentiality policy to ensure such circumstances did not arise again||No award|
|Landry v. Royal Bank of Canada||Personal account information||Disclosure of information to divorce counsel for the Applicant’s ex-husband, without consent||Yes||Serious – but a large part of the injury suffered was as a result of the Applicant’s own actions||Yes – humiliation||Respondent’s employee tried to cover up her wrongful conduct but there was no evidence that the Respondent acted in bad faith. Respondent held a refresher session for the employees responsible for processing requests from third parties||$4,500 with interest and costs|
|Girao v. Zarek Taylor Grossman Hanrahan LLP||Applicant’s name and information related to her claim for increased benefits||Disclosure of personal information without consent. A law firm posted the Report of Findings of the Privacy Commissioner and cover letter on their website||Yes||The information was at the low end - personal but not highly sensitive||Record did not establish that the Applicant suffered humiliation||Respondent was careless but did not act in bad faith. They deleted all references on their website to the Applicant once they became aware of the concern||$1,500 plus $500 for out of pocket expenses|