Courts in both Canada and UK are grappling with developing a principled approach to damage awards in breach of privacy cases – what types of damage ought to be recognized? Who should be compensated for such damage? By how much? Recent UK case law suggests that a company’s liability for breach of a privacy statute is not limitless.
In Halliday v Creation Consumer Finance Ltd (CCF)  EWCA Civ 333 (“Halliday”), the Court of Appeal of England and Wales held that businesses which breach data protection laws do not have to pay compensation for causing distress to consumers unless that distress is directly attributable to a breach of the statute.
Similar to Canada’s Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”), section 13 of the Data Protection Act, 1998 c. 29 (DPA) entitles a person to compensation if they suffer damage as a result of violations the DPA by organisations that hold their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress that causes damage.
Halliday, the complainant in this case, had previously won an order against Creation Consumer Finance Limited (CCF) requiring the company to pay £1500 in connection with breaches of Halliday’s rights under the DPA. Unfortunately, CCF paid the £1500 it owed Halliday into a closed bank account. During the resulting attempts to sort out the banking mixup, CCF entered incorrect information about Halliday in their systems that showed that he was £1500 in arrears; this information was then shared with a credit reference agency.
Halliday claimed that CCF had breached the terms of the court order and that caused him significant distress and claimed between £6,000 and £18,000 for the distress.
The Court of Appeal held that Halliday could not claim compensation for distress that was not caused by the actual data protection breach itself: “In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements.”
As a result, the company should only have to pay £750 in substantial damages and a further £1 in nominal damages. Lady Justice Arden further noted that the breach “did not lead to a loss of creditor reputation” for Halliday and that there was “no proof of any fraudulent or malicious intent on the part of CCF”.
In Canada, PIPEDA has a framework similar to the UK’s DPA. Under section 16(c) of PIPEDA, privacy violations are clearly compensable, with the court being given a wide latitude to “award damages to the complainant, including damages for any humiliation that the complainant has suffered.” (emphasis added)
This authority has been described as “remarkably broad”(Englander v. Telus Communications Inc., 2004 FCA 387, at para. 47). However, courts have also said that “[p]ursuant to section 16 of PIPEDA, an award of damages is not to be made lightly. Such an award should only be made in the most egregious of situations…” (Randall v. Nubodys Fitness Centres, 2010 FC 681, at para. 55).
Justice Zinn in Nammo v. TransUnion of Canada Inc., 2010 FC 1284 noted that section 16 allowed for damage awards even where no financial loss had occurred (paras. 68-69). The award of $5,000, the first under PIPEDA, was founded in part on the egregious behaviour of the defendant credit rating service.
A more recent case, Landry v. Royal Bank of Canada, 2011 FC 687, was the result of the bank releasing the complainant’s account information to her ex-husband without her consent in the context of divorce proceedings. Landry had claimed $100,000 for humiliation and personal harm arising in part because the records revealed a hidden bank account she had not disclosed. The court awarded $5,000, noting that much of Landry’s humiliation and harm had resulted not from the breach itself, but her own secretive conduct.
In Townsend v Sunlife Financial, 2012 FC 550, a misaddressed piece of mail (returned unopened) containing medical information to the financial advisor underwriting an insurance policy, the complainant had claimed $25,000. In dismissing the case, the court held that the “disclosure of personal information was minimal and the inaccuracy in the Applicant’s address caused no injury”.
Canadian courts seem prepared to entertain a broader scope of damages for breach of PIPEDA but are struggling with the types of harms to be compensated. If Canadian courts adopt Halliday, it could narrow the range of compensable harm flowing from a breach of privacy rights under PIPEDA.