Privacy Litigation • Information Privacy and Data Protection • Lexpert Seminar • Lisa Parliament December 9, 2013
Agenda • Legal Basis for Privacy Litigation • Remedies for breach of privacy legislation • Privacy torts (Jones v. Tsige) • Privacy Class Actions – Headlines versus Outcomes • Predicting the Future • “Lessons learned” – Practical tips for proactive planning
Privacy Legislation - Overview • Federal • Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA). • Provincial • Provinces have privacy legislation governing collection, use, and disclosure of information held by government agencies. • PIPEDA applies to private sector organizations engaged in commercial activities, except in provinces with “substantially similar” legislation (e.g. Alberta, B.C., Quebec). • Alberta’s Act was found unconstitutional (a decision that will also impact the B.C. Act), but the declaration of invalidity has been suspended for a year to allow amendments. • Sector-specific • Some sectors (e.g. financial, health care) have specific laws that also contain privacy obligations.
Remedies for Breach of Privacy Legislation • Canadian law does not recognize a free-standing cause of action for breach of statute. • A private right of action for breach of a statute may, however, be expressly provided for in the statute. • For example, PIPEDA permits a person to seek remedies, including damages, for a privacy breach.
Bringing a Claim for PIPEDA Damages • PIPEDA authorizes a private remedy for privacy breach, with recourse to the federal court. • The procedure is key - following receipt of a report or notice of discontinuance from the federal Privacy Commissioner, a complainant may then apply to federal court for a trial de novo of the issues.
PIPEDA Damages • The federal court may order corrective measures, notification of corrective measures, and/or damages, including damages for “humiliation”. • Damages awards are discretionary, and there is limited jurisprudence. Awards tend to be relatively nominal. • Non-exhaustive factors the court may consider: • whether awarding damages would further the general objects of PIPEDA and uphold the values it embodies; • whether damages should be awarded for deterring future breaches; and • the seriousness or egregiousness of the breach. • The threshold for awarding damages is very high, with damages generally reserved for “the most egregious situations”.
A Shift in Approach? Chitrakar v Bell TV • Court in Chitrakar rejected the view that damages awards should be restricted to egregious violations. • The complaint was that a Bell customer ordered satellite television service on December 1, 2010. The complainant stated that he was required to sign a proof of delivery of the device at the time of installation on December 31, and that Bell embedded that signature on its Bell TV Rental Agreement, which purports to authorize credit checks. • The customer later ordered his credit report, and learned that on December 1 Bell had conducted a “hard pull” credit check (which he argued could affect credit scores). • The customer complained. Following what he considered to be an unsatisfactory response from Bell, the customer filed a PIPEDA complaint with the Privacy Commissioner.
Chitrakar cont. • The Privacy Commissioner concluded that the customer’s complaint was well-founded, and made recommendations to Bell. • The customer proceeded with a claim for damages in federal court. • Bell did not respond to the federal court proceeding. • The court found Bell’s conduct “reprehensible”. The court noted the lack of interest shown by Bell in compensation, addressing the actions of its employee(s), or following the remedial recommendations. • The court awarded damages of $10,000, and exemplary damages of $10,000, in addition to costs.
Contrast - Townsend v Sun Life Financial • Applicant was an insurance applicant with the Respondent. • In error, Respondent sent a copy of a letter containing sensitive medical information to the Applicant’s advisor. • Respondent also sent two letters to the Applicant at the wrong address. The first letter was still received by the Applicant and the second letter was returned to the Respondent. • Applicant brought a PIPEDA complaint, alleging unauthorized disclosure and failure to safeguard his personal information. • The Privacy Commissioner concluded that there had been contraventions of PIPEDA; however, “both the safeguards and use and disclosure complaints are resolved”.
Townsend v. Sun Life Financial cont. • Applicant applied to federal court for various relief, including $25,000 in damages, and costs. • Federal court declined to award damages, costs, or any other remedy to the applicant. Relevant considerations included: • Respondent did not act in an “intentional, callous or egregious manner, or in any other way that would indicate a complete disregard” for privacy interests. • Respondent had detailed protocol in place, and the event was a human error. • No evidence of bad faith or that the Respondent received a commercial benefit. • Respondent apologized.
Jones v. Tsige, 2012 ONCA 32 • Leading Ontario case on intentional breach of privacy in tort. • Intentional violation of the privacy of the plaintiff (a bank employee) by the defendant (another bank employee). • Plaintiff was the ex-wife of the defendant’s boyfriend. Defendant improperly accessed the plaintiff’s sensitive banking information at least 174 times, allegedly for the purpose of determining whether the plaintiff was receiving support payments from her ex-husband. • There was no proof the defendant published, distributed or recorded the information.
Jones v. Tsige cont. • Ontario Court of Appeal recognized a right of action for intrusion upon seclusion. • Elements of the tort include: • Intentional (or reckless) conduct by the defendant; • Defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; • A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish. • The Court emphasized that the tort only arises for “deliberate and significant invasions of personal privacy”.
Jones v. Tsige cont. • Damages awards (where there is no pecuniary loss) are modest, with the range fixed at up to $20,000. Factors include: • the nature, incidence and occasion of the defendant’s wrongful act; • the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position; • any relationship (domestic or otherwise) between the parties; • any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and • conduct of the parties (before and after the wrong) including any apology or offer of amends by the defendant. • Punitive damage awards are discouraged. • The Court awarded the plaintiff only $10,000 in damages.
No Common Law Tort of Invasion of Privacy in BC • Recent B.C. court decisions state that it is clear that no common law tort of invasion or breach of privacy exists in British Columbia. • “Invasion of privacy” claims have been struck: • Example: Ari v. Insurance Corp of British Columbia, 2013 CarswellBC 2220 • Accordingly, in B.C. the breach of privacy must be otherwise actionable or have a statutory basis.
Other Common Privacy Causes of Action • The ability to assert a specific “privacy” tort is limited in Canada. • Even in Ontario, the elements of the new privacy tort will only be met in limited, egregious circumstances. • In the context of alleged privacy breaches, claimants frequently try to assert causes of action in negligence, breach of contract, breach of fiduciary duty, and waiver of tort. • In practice, the greatest single legal (and practical) obstacle to pursuing successful civil litigation for privacy breach continues to be an inability to establish the existence of any legally compensable harm or loss.
Privacy Class Actions – Headlines versus Outcomes • ABC Co. Reports Data Breach... Class Actions Commenced Across Canada Seeking Billions of Dollars
Shift in the Privacy Class Action Landscape • World-altering advances in information technology, communications and digital data have fundamentally changed the privacy landscape. • Vast quantities of personal information are collected, stored, analyzed, used, and disclosed each day. • While some have embraced the ability to share personal information (from joining social media networks to posting “selfies”), there is also an increasing focus on privacy as a right. • Every week, new privacy breaches are reported in the media - usually followed shortly thereafter by reports of privacy class actions.
Mazzonna v. DaimlerChrysler Financial Services Canada Inc. • Defendant lost a data tape with names and financial information associated with 240,000 customers. • The representative plaintiff sought to recover compensation for anxiety, inconvenience, pain, suffering, and/or fear that she could be the target of fraud and/or identity theft. • On behalf of the class, the plaintiff sought recovery if class members chose to sign up for monitoring services, take precautionary steps, or fell victim to fraud.
Mazzonna cont. • The Quebec court denied certification. • The court concluded the defendant was prima facie negligent; however, the plaintiff failed to establish legally compensable damages. • At the time of the hearing, there was no evidence of abuse of the lost information or of financial loss. • Alleged damages for potential harm were “unverified hypotheses” that could not be considered as damages. • The plaintiff’s anxiety and similar complaints were found to be “minor and transient upsets”, which the SCC has held are not legally compensable (Mustapha v. Culligan of Canada Ltd).
Rowlands v. Durham Region Health et al. • An employee of the defendant lost a USB key that held the unencrypted personal and confidential information of 83,524 patients. • The plaintiff sought leave to bring a class action for alleged damages arising out of the loss of the USB key, including damages related to the alleged risk the lost information could facilitate identity theft. • The $40 million case was certified as a class action.
Rowlands v. Durham Region cont. • The Ontario court approved settlement of the class action. • The approved settlement did not require that any financial payments be made to the class or to class members. Instead, the settlement only established a claims process for class members whose information was lost and who can prove that they consequently suffered economic harm. • The settlement did provide for a minimum $500,000 to class counsel.
Rowlands v. Durham Region cont. • In granting approval to the settlement agreement, the court noted that at the time of the hearing, no class member had claimed that information on the key was used to financially damage his or her interests. • The Court acknowledged the plaintiff’s fear of a successful summary judgment motion by the defendant, and noted that there was a reasonable basis for that fear. • In the Court’s view, as a matter of law, the chances of success were quite low.
Maksimovic v. Sony of Canada Ltd. • In April 2011, third parties launched a cyber-attack to gain access to the accountholder information of consumers of the Sony device online services. • In response to the attacks, the Sony defendants temporarily shut down their networks, and later offered additional benefits to “welcome back” accountholders. • Class proceedings were commenced in Canada (Ontario and Québec) and in the U.S. • The Canadian claimants alleged, inter alia, breach of their privacy rights and breach of contract. • The claimants sought in excess of a billion dollars.
Maksimovic v. Sony of Canada Ltd. (cont.) • A settlement was approved this year. • While various remedies were made available (e.g. cash credit for unused accounts, online game and service benefits, and reimbursement if there was proven loss arising from any identity theft), the agreed remedies did not approach the quantum and relief claimed in the action. • In Ontario, class counsel sought, and received, approval of a fee of $265,000 inclusive of fees, disbursements, and applicable taxes - this was less than the value of the docketed time for the matter.
The Future of Privacy Litigation? • Litigation of privacy complaints is becoming commonplace. • While dire predictions relating to privacy litigation abound, jurisprudence is emerging that provides helpful insight regarding litigation risk and appropriate approaches to privacy dispute resolution. • Litigation outcomes bear little resemblance to the remedies claimed; however, there remains significant risk in disregarding or minimizing privacy concerns. • Privacy legislation is likely to undergo further transformation in the next few years, and potential changes to privacy obligations and reporting will necessarily impact on associated litigation risks.
“Lessons Learned” – Some Practical Tips • Learn from the lessons in the case law – an organization’s risk may be significantly mitigated through proactive steps and good faith efforts to minimize risk to other affected persons. • Focus on a considered and appropriate response to privacy issues. Consider, for example: • Proactive and timely notifications (to potentially affected persons and any relevant regulators); • Proper investigation of privacy concerns; • Offers of assistance to mitigate possible third party losses from privacy breach; • Apologies.
“Lessons Learned” – Practical Tips (cont.) • Take it seriously. Disregarding privacy complaints can result in sanctions, litigation, and damage to reputation and relationships. • Privacy Program establishment and enforcement are key considerations. Organizations should have a well-established, regularly reviewed and tailored privacy management program: • “Culture of privacy”; • Designated organization privacy officers, and appropriate and role-specific training for employees; • Establishing and enforcing privacy programs with third-party service providers; • Clear records and tracking of the nature and volume of personal information collected, stored, and used.
McMillan LLP • Brookfield Place, 181 Bay Street, Suite 4400, Toronto, Ontario M5J 2T3 • For further information please contact: Lisa Parliament • Direct: email@example.com