The recent Landry decision from the Federal Court raises the question of whether companies may soon be routinely ordered to pay damages under the Personal Information Protection and Electronic Documents Act (PIPEDA) for privacy breaches by their employees.
In Landry, a bank customer was embroiled in a contested divorce. In the course of her divorce proceeding, the customer lied under oath about the existence of personal bank accounts she held at the bank. The customer’s ex-spouse served the bank with a subpoena requiring a bank employee to appear in court and provide documentation about the customer’s secret accounts.
The bank understood its obligations under PIPEDA and had developed policies and provided training to ensure PIPEDA compliance, including a requirement that consent be obtained before the disclosure of customers’ personal information.
A bank employee, contrary to policy, faxed the customer’s account information directly to the ex’s lawyer and then covered up her actions by denying any knowledge of the situation until the customer filed a complaint with the Privacy Commissioner’s office.
Once it learned of the situation, the bank conducted an internal investigation and re-trained its staff on handling third party requests for personal information in accordance with bank policy.
What did the lying customer do? She filed submissions with the Court stating that she had problems with family and friends once her ex used passages from the divorce judgment to harm her reputation. Based on these submissions, she sought $100,000 in damages from the bank for damage to her reputation, honour and dignity, humiliation, pain and suffering, “moral prejudice” and exemplary damages.
The bank argued that it acted in good faith, pointed out the steps it took to prevent any future breaches and argued there was no direct link between the wrongful disclosure of the customer’s account information and any injury she suffered, since the information would have been disclosed in response to the ex’s subpoena in any event. Any humiliation the customer suffered was arguably due to the customer’s own actions, the divorce judgment and the use her ex-husband made of the information, not the bank’s action of premature disclosure.
Section 16(c) of PIPEDA grants the Court a broad discretion to award damages, including damages for any “humiliation” suffered by a complainant. Previous guidance from the Federal Court regarding the interpretation of this provision indicated that damages should only be awarded in egregious cases where, among other things, a cause/effect link exists between the breach and the alleged harm suffered.
Based on the Court’s earlier statements, I would not have expected damages to be awarded in Landry.
However, the Court found that the applicant had suffered humiliation under paragraph 16(c) of PIPEDA and that the bank’s negligence warranted compensation of $4,500 with interest and costs. In reaching this decision, the Court stated that it took into account both “the contributory fault of the applicant, who was partially responsible for her own problems and the serious breach committed by the [bank’s] employee and its subsequent cover-up.”
Unfortunately, the Court’s reasons do not explain how the bank was “negligent”, nor do they satisfactorily address the bank’s argument that any humiliation suffered by the customer was the result of the ex’s use of information that would have been admitted in the divorce proceeding in any event, not the bank’s premature disclosure of that information. Damages appear to have been imposed based on the fact of the PIPEDA breach alone, regardless of causation or the bank’s bona fide measures to ensure PIPEDA compliance.
Despite the relatively small amount at issue, I hope the bank appeals the decision in order to give the Federal Court of Appeal an opportunity to shape the development of damage awards under PIPEDA. Without such guidance, it could be a rocky road ahead for companies that act reasonably yet face PIPEDA damage claims following employee errors.
Summaries of all PIPEDA case law and regulatory decisions are available on AccessPrivacy’s Private Sector Source.