Recently, the decision of the Ontario Court of Appeal in Jones v. Tsige was celebrated by privacy advocates for recognizing a new privacy tort in Ontario. The plaintiff/appellant Jones received an award of $10,000 in damages for harm suffered as a result of the defendant’s unauthorized access to her bank records over a period of time.
An even more recent dispute between Jones and her lawyer has highlighted a chronic problem with privacy law in Canada: the lack of meaningful recourse. Last week, a judge ordered Jones to pay her lawyer the balance of the legal fees she incurred in her ground-breaking lawsuit. These fees were in excess of $125,000 – more than 12 times Jones’ damage award. The judge made it clear that the lawyer had provided first rate representation for his client. The lesson here is that legal services are expensive, and frankly, the majority of Canadians cannot afford to go to court.
The new tort that resulted from Jones v. Tsige is similar to statutory torts in provinces such as British Columbia, Manitoba, Saskatchewan and Newfoundland and Labrador. They are fairly narrowly framed; these torts require a wilful violation of privacy. They are meant to apply in cases of stalking, voyeurism, and other deliberate privacy intrusions. The high cost of litigation combined with the fact that courts give relatively small damage awards for the difficult-to-quantify harms that flow from privacy invasion mean that these torts are of little practical use to most Canadians.
Arguably, the most pervasive threats to personal privacy come from routine over- collection of personal information, and poor information handling practices. The tort of invasion of privacy does not apply in such cases. Instead, private sector data protection legislation is meant to provide recourse to individuals when their personal information is inappropriately collected, used or disclosed by private sector organizations. Yet the Personal Information Protection and Electronic Documents Act (PIPEDA) has its own substantial defects. This law applies to activities in the federally regulated private sector, and to the private sector more broadly in those provinces without their own legislation (all provinces and territories except B.C., Alberta, and Quebec fall under PIPEDA),. Individuals may make complaints under PIPEDA; the outcome of any such complaint is a report by the Office of the Privacy Commissioner (OPC). This report may contain recommendations as to how an organization should correct deficiencies in its practices, but these recommendations are not binding. Once a report has been issued, an individual may choose to take the matter to Federal Court to get an order requiring the organization to change its practices. The individual may also seek compensation for any harm they have suffered. Once again, it costs money to go to court, and those few individuals who have exercised this option have had little success. Nammo v. Transunion of Canada Inc. has become the benchmark for awards of damages in such cases; Mr. Nammo was awarded a whopping $5000 after a credit reporting agency failed to collect accurate information about him, and shared the incorrect (and negative) credit information with a bank. It is no surprise that the majority (if not all) of those who have pursued their PIPEDA claims before the Federal Court have represented themselves. The cost of legal representation would far outstrip any likely award of damages.
The OPC does excellent work within the limits of its mandate, and it has no doubt had some success in improving how (receptive) businesses handle personal information. There is, however, little in the legislation to seriously motivate compliance. PIPEDA is a relatively toothless statute: the Privacy Commissioner has no order-making power, there is no mandatory breach disclosure provision, and there is little in the way of economic consequences for those who flout privacy principles. Yet PIPEDA has passed its first five-year review without much-needed legislative amendment (the Conservative government’s Bill C-12 died on the order paper and has yet to be revived), and it is now well overdue for its second five-year review. It is into this context that Charmaine Borg of the NDP has introduced a private member’s Bill C-475, which would impose a mandatory data breach disclosure requirement on organizations, would provide the Privacy Commissioner with order-making powers, and would create the potential for significant financial penalties for those who refuse to comply with orders.
Measures of this kind could provide a real incentive for organizations to take data protection more seriously. And let’s face it, for the vast majority of Canadians, it is not the right to go to court to sue for invasion of privacy or to seek damages for violations of PIPEDA that will make any kind of difference. These rights are rendered meaningless by both the cost of litigation and by the resultant lack of deterrent effect on bad behaviour. The best protection for individuals is a regime that gives organizations clear reasons to improve their practices and systems.