Panning for gold in the mud: the availability of privacy damages under PIPEDA

More than 10 years after the introduction of federal private sector privacy legislation in Canada, damage awards for breaches of the law have been few and far between -- and where such awards have been made, the dollar amounts awarded have been modest.

In light of the sometimes confusing, and even contradictory, judgments to date, there is also considerable uncertainty as to when such damages might be awarded, and what evidentiary test a complainant might have to meet.

In Panning for gold in the mud: the availability of privacy damages under PIPEDA, in the December 2011 edition of the Canadian Privacy Law Review, David Elder of our Privacy and Data Protection Group attempts to knit together the existing case law into a coherent analytic framework for the availability of privacy damages in Canada.

Article reproduced with permission of the publisher from Canadian Privacy Law Review, Vol. 9, No. 1, December 2011.

Nothing up in the air about privacy: foreign airline must comply with Canadian law

David Elder -

When in Rome, do as the Romans do.  Similarly, when doing business in Canada, do as Canadian privacy law requires.

That is the lesson learned by a foreign-based airline following a finding by the Office of the Privacy Commissioner (OPC) of Canada that the carrier had violated Canadian privacy law, even though the company operates in compliance with European privacy requirements.  The decision further confirms the fact that foreign businesses that operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.

In a Report of Findings recently posted by the OPC, Netherlands-based KLM Royal Dutch Airlines (KLM) was found to have breached several provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), including failing to respond in a timely way to a request by a customer for access to records containing personal information; failing to implement practices to ensure that the requirements of the Act are met; and failing to make available to the public its policies respecting the management of personal information.

In a preliminary report of findings, the OPC had recommended that KLM develop a clear and simple access to information request procedure and ensure that the privacy policy posted on the Canadian version of its website comply with PIPEDA.

KLM took the position that the Dutch Data Protection Authority supervises KLM in the security of personal data under the Dutch Personal Data Protection Act, including requirements respecting transparency and the manner in which access to information requests must be processed.  The airline further noted that Dutch law does not require further transparency of policies and practices, and only allows individuals to view their personal information, not to access it.  KLM questioned the OPC’s jurisdiction over KLM.

Relying on the Federal Court’s decision in Lawson v. Accusearch Inc., which had earlier found that the OPC had jurisdiction to investigate complaints respecting the collection by foreign organizations of personal information about Canadian residents, the OPC confirmed that it had jurisdiction in the complaint against KLM because there was a real and substantial connection to Canada.  In this regard, the OPC noted that:

  • The complainant seeking access to his personal information was a Canadian resident
  • KLM offers services in Canada, and has employees at several Canadian airports
  • KLM operates a Canadian version of its website, which actively targets Canadians, and through which Canadians may reserve flights
  • KLM operates scheduled non-stop flights to and from Canadian cities (and in fact, the complainant originally booked a KLM flight departing from Toronto)
  • KLM needs to collect personal information from Canadian passengers to offer air travel to those passengers.

In the circumstances, and in view of the judgement in the Accusearch case, the finding of Canadian jurisdiction over the handling of the personal information in question may not be particularly surprising: it was collected from Canadians, in Canada, with respect to a service provided - at least in part - in Canada.

However, many businesses may be surprised that compliance with a European data protection law will not guarantee compliance with Canadian law – despite the fact that the European Data Protection Directive (on which member state privacy laws are based) and PIPEDA were derived from the same set of essential privacy principles, and even though European data protection laws tend to be viewed in some jurisdictions as being particularly stringent.

Although Canadian privacy laws are in broad accord with many international data protection regimes, there are often subtle differences between these foreign laws and Canadian privacy requirements.  Accordingly, foreign organizations doing business in Canada should not assume that practices and policies that comply with the law of their home country will necessarily suffice when collecting, using and disclosing information in Canada.

PIPEDA for the Practice of Law

The Canadian Privacy Commissioner released guidelines for lawyers seeking to understand the Personal Information Protection and Electronic Documents Act (PIPEDA) at the Canadian Bar Association convention on August 16, 2011. Entitled “PIPEDA and Your Practice: A Privacy Handbook for Lawyers”, it provides an overview of PIPEDA requirements as they apply to lawyers and law firms in private practice as well as corporate counsel.

Whereas lawyers already must keep client information confidential, PIPEDA introduced additional requirements that are highlighted in the handbook. For example, conducting a credit check on a potential client requires prior informed consent, and the Commissioner recommends similarly obtaining informed consent for all information collected for litigation purposes (despite this latter point still not being clear in the case law). Also, at a client’s request, information about the client must be provided within 30 days at no charge, and irrespective of whether or not a solicitor’s lien exists.

The Commissioner can make non-binding recommendations either following a complaint or on its own initiative, and the complainant or Commissioner may subsequently proceed to Federal Court for enforcement. The Commissioner’s website offers lawyers a Self-Assessment Tool to promote compliance with PIPEDA.

Federal Court muddies the waters on privacy damages

David Elder -

In a problematic judgement, the Federal Court of Canada has awarded damages against a bank for the wrongful disclosure by one of its employees of account information in response to a subpoena.

This is only the second case in which the Court has awarded damages for non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA); and like the first damage award under the statute, the amount awarded was minimal. The case is also perplexing, because it seems to contradict the reasoning in an earlier decision by the same court, which established that to be eligible for an award of damages, the alleged injury must result directly from a breach of the Act.

In the case of Landry v. Royal Bank of Canada, the husband in a divorce proceeding sent a subpoena duces tecum [1] to the bank, ordering one of the bank’s employees to appear before the court and bring certain records concerning the account records of his wife. In violation of the bank’s own policy, which requires the consent of the account holder before account information can be released to a third party, an employee of the bank disclosed the records in question directly to counsel for the husband.

Not surprisingly, the Court readily found that the disclosure was in breach of the bank’s obligations under PIPEDA. What was surprising was that any damages at all were awarded on the facts of the case.

In this regard, the record revealed that the applicant wife had, in the last years of her marriage, opened a bank account without her husband’s knowledge and built a nest egg. In the divorce proceeding, she concealed the existence of the account in question from both her husband and the court, despite a clear legal obligation to make a full and honest disclosure of assets and despite being asked repeatedly under oath about the existence of such an account. As a result of the subpoena, the account records were properly provided by the bank to the divorce court, which later placed the information on the public record and took it into account in rendering judgement. The divorce judgement itself made pointed reference to the applicant’s secretive behaviour and denials under oath.

In her pleadings, the applicant had claimed that the bank’s disclosure had done great harm to her personal life, and that she now had problems with her family and friends “as a result of the conduct of her ex-husband, who was using certain passages of the divorce judgement to harm her reputation.”

In earlier cases, the Court seemed to have established the principles that damage awards under PIPEDA should only be made “in the most egregious situations” and that to be eligible for an award from the court, the applicant would have to establish damages flowing directly from the privacy breach itself, rather than from some concealed behaviour that only came to light through the privacy breach.

For example, in the case of Stevens v. SNF Maritime Metal Inc., the Court found that the applicant’s claim for damages flowed from the loss of his employment, and implicitly, that the employment had been lost due to a fraud he committed against his employer. The Court found that, although the fraud may not have come to light except through the privacy breach of a third party, it was the fraud itself, and not the disclosure thereof, that gave rise to the damages.

By contrast, in Landry, the Court seems to have taken the opposite approach. Despite the Court’s explicit acknowledgement that the bank had acted properly in filing the applicant’s account information with the divorce court pursuant to the subpoena, and its implicit finding that the alleged damages stemmed from public dissemination of the resulting divorce judgement by the husband, the Court nevertheless awarded damages – albeit minimal damages – to the applicant, noting that the bank’s error remained serious, even when these factors were taken into account.

Although the applicant sought damages totalling $100,000, including $25,000 in exemplary damages, she was awarded only a token $4,500. Although she was also awarded her costs, plus interest, the resulting damage award likely pales in comparison to the amount that the applicant would have incurred in legal fees, which would not be covered by the cost award.

While the Landry decision shows that the court may not have been entirely consistent in its approach to damage awards under PIPEDA, one thing seems certain: litigants are unlikely to receive any substantial damage awards under the statute unless they can demonstrate significant, tangible losses.



[1]  A subpoena duces tecum is a court summons ordering a named party to appear before the court and bring with them specified documents or other tangible evidence for use by the court; however, it does not require that the evidentiary material in question be provided at that time to the party requesting the subpoena; rather, it contemplates that during the proceedings, the court will determine whether the material in question should be disclosed, weighing such factors as the right to privacy and the existence of privilege. 

Privacy Commissioner can now be choosier about complaints she investigates

David Elder -

Legislative amendments proclaimed in force last week mean that the Privacy Commissioner of Canada may now be more selective about the complaints her office decides to investigate.

The amendments in question, made to the Personal Information Protection and Electronic Documents Act (PIPEDA), were actually contained in Bill C-28, Canada’s Anti-Spam Legislation, which received Royal Assent last December.  Although most of that statute is not yet in force (and, as we noted on our Canadian Communications Law blog, may be delayed in coming into force by the federal election call), last week the Governor in Council proclaimed in force some of the consequential amendments in that bill that affect PIPEDA, leaving for proclamation at a later date those PIPEDA amendments that coordinate with new obligations in the Anti-Spam law itself.

Previously, PIPEDA required the Privacy Commissioner to investigate all complaints submitted to her office, regardless of their nature or seriousness, although she had some discretion in not having to prepare a report in all cases.

With these new amendments, the Commissioner is no longer required in all circumstances to conduct an investigation in respect of a complaint received.  Complaints need not be investigated if the complainant has not exhausted other grievance or review procedures that may be available, if the complaint could be more appropriately dealt with under another Federal or Provincial law, or if the complaint was not filed within a reasonable time after the subject matter of the complaint arose.
 
In all cases, complainants must be notified that their complaint will not be investigated.  The Commissioner retains the right to reconsider a decision not to investigate a particular complaint, if the complainant is able to provide compelling reasons to investigate.

The new powers have long been sought by the Commissioner as a way to better manage the workload of the Office of the Privacy Commissioner, by weeding out complaints whose resolution would be of little public interest or significance, thereby allowing for the focus of resources on issues of a broader systemic nature.  The authority to manage the processing of complaints in this way is already afforded to some degree to other tribunals, including the Canadian Human Rights Commission and the Privacy Commissioner for Alberta.

Once the investigation of a complaint commences, the new amendments also give the Privacy Commissioner the power to discontinue investigation in certain circumstances.  Investigations may be discontinued where:

  • there is insufficient evidence to pursue the complaint
  • the complaint is trivial, frivolous or vexatious or is made in bad faith
  • the organization that was the subject of the complaint has provided a fair and reasonable response
  • the subject matter is already the subject of a report by the Commissioner
  • the complainant has not exhausted other grievance or review procedures that may be available
  • the complaint could be more appropriately dealt with under another Federal or Provincial law
  • the complaint was not filed within a reasonable time after the subject matter of the complaint arose
  • the matter is being or has already been addressed via another grievance or review process, or pursuant to a procedure under another Canadian law

As with a case of declining to investigate, the Commissioner must notify a complainant and organization of the discontinuance of a complaint, giving reasons for the discontinuance.

With other tribunals that have the power to decline to investigate complaints, there has understandably been a reluctance to exercise this authority, since doing so denies a complainant a full consideration on the merits of the complaint.  As a result, the bar for refusing a complaint has tended to be set fairly high, with complaints being declined or discontinued only in the clearest and most egregious of circumstances.
 
One suspects that this will also be the approach of the Privacy Commissioner; however, the new powers should nevertheless afford her office a great deal more control in managing its caseload, focusing strained resources on matters of the greatest public interest and systemic benefit.


UPDATE: The Order Fixing April 1, 2011 as the day on which the provisions in question come into force was published in the Canada Gazette on April 13, 2011, along with an Explanatory Note.