ONSC awards $15,000 in privacy damages

On December 12th of last year, Justice Fragomeni of the Ontario Superior Court of Justice ordered a man to pay $15,000 in damages to his estranged spouse for surreptitiously installing a camera in a bathroom (prior to separation) to take photos “for a couple of days.” There’s little analysis about liability. Here are the damages factors listed by the Court:

1.   the nature of the intrusion. It took place in a bedroom and bathroom, places which are very private. The privacy interests of Sheth were significant.

2.   the intrusion takes place within a domestic relationship

3.   although Sheth was embarrassed and shocked at the intrusion no medical information was filed to support and establish an evidentiary basis to find any significant effect on Sheth’s health or welfare

4.   the conduct of Patel in lying about the intrusion at his Discovery and even attempting to blame Sheth herself for the camera being installed is extremely aggravating and demonstrates a lack of any insight into what he did as being wrong.

Note also that the photos recovered and tendered in evidence by the plaintiff did not show anything explicit.

Patel v Seth, 2016 ONSC 6964 (CanLII).

SCC says PIPEDA does not constrain a court’s procedural power

The Supreme Court of Canada decided the case of RBC v Trang this week. It held that the Personal Information Protection and Electronic Documents Act does not limit the procedural powers of a court. If a court, based on analysis that is not at all governed by PIPEDA, decides that an order to disclose personal information is warranted, it may issue the order. The order may be complied with notwithstanding PIPEDA.

Here is the ratio in Trang:

As a result of s. 7(3) , PIPEDA does not diminish the powers courts have to make orders, and does not interfere with rules of court relating to the production of records. In addition, PIPEDA does not interfere with disclosure that is for the purpose of collecting a debt owed by the individual to an organization, or disclosure that is required by law. In other words, the intention behind s. 7(3) is to ensure that legally required disclosures are not affected by PIPEDA.

All is right in the world again after the Ontario courts got quite twisted up on a very fundamental question about PIPEDA’s impact on the civil justice system.

The Court also held that debtors implicitly consent to the disclosure of mortgage status information (current balance) to judgement creditors who are seeking to recover a debt. This creates an opportunity for banks to assist judgement creditors without requiring them to obtain a court order. (Might the Court have had the burden of pro forma motions in mind?)

More generally, the Court supported a very flexible, fully-contextual implicit consent standard. This arguably erodes privacy protection and invites uncertainty, but also allows for just and sensible outcomes despite a consent rule in PIPEDA that is otherwise quite strict. Of course, this will feed the current dialogue about whether consent is a meaningful principle by which to govern the protection of personal privacy.

Royal Bank of Canada v. Trang, 2016 SCC 50 (CanLII).

Court approves settlement, limits recovery of class counsel fees

On August 29th, Justice Perell of the Ontario Superior Court of Justice approved settlement of an action brought against Home Depot following a significant 2014 payment card system intrusion. The Court approved a settlement that featured a $250,000 non-reversionary settlement fund for documented claims of “compromise” and an agreement to pay up to $250,000 in credit monitoring. It also denied payment of approximately $407,000 in (docketed) legal fees to class counsel as unjustified, approving instead, payment of $120,000 in fees.

This is a good outcome for organizations exposed to potential class action claims for data security incidents. It was driven by two factors: (1) the Court found the incident was associated with a limited risk of damage; and (2) the Court was impressed by Home Depot’s incident response.

Regarding damage, the Court assessed the risk of damage flowing from a compromise to payment card information and e-mail address information as minimal:

[46] Professor Archer outlined three heads of damage to consumers from a payment card breach:  (1) the risk of a fraudulent charge on one’s credit card; (2) the risk of identity theft; and (3) the inconvenience of checking one’s credit card statements. The so-called non-reversionary Settlement Fund of $250,000 is designed to provide compensation for these heads of damages.

[47] Of the three heads of damage, practically speaking, there is little risk of fraudulent charges because of sophisticated safeguards developed by credit card companies. Moreover, when there are frauds, the losses are almost always absorbed by the credit card company or the retailer. The credit card companies are not Class Members.

[48] In the immediate case, there is no evidence that a Class Member absorbed a fraudulent charge. Neither Merchant Law Group nor McPhadden Samac Tuovi LLP have been contacted by a putative Class Member who said that he or she suffered a financial loss attributable to the data breach.

[49] There is also little risk that the data breach, including the disclosure of email addresses, increased the risk of identity theft, because the stolen data would have been inadequate to allow a criminal to fake another’s identity.

[50] Mr. Hamel’s evidence was that for identity theft, the most important information to have is a government-issued identification number such as a driver’s licence number, social insurance number or passport number and preferably all three. In the immediate case, the data stolen from Home Depot did not include this information.

[51] As for inconvenience damages, in the immediate case, there are none, because credit card holders are already obliged to check their statements for fraudulent purchases.

(Note that the Office of the Information and Privacy Commissioner of Alberta has recognized that the loss of e-mail address is associated with a risk of spear phishing – a risk that is arguably remote.)

Regarding incident response, Home Depot had offered to pay for a number of fraud protection services following the incident – including credit monitoring, identity theft insurance and credit repair services. The Court commented that this reduced the need for behavior modification:

[100] The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.

These two factors led the Court to place little value on the action or the settlement. Justice Perell (who is outspoken), commented, “I would have approved a discontinuance of Mr. Lozanski’s proposed class action with or without costs and without any benefits achieved by the putative Class Members.”

Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII).

No privacy breach for reporting what’s on the court’s record

On August 10th, the Ontario Superior Court of Justice dismissed a privacy claim brought against the publishers of The Lawyer’s Weekly for reporting on the plaintiff’s involvement in a small claims court proceeding. The Court adopted the following defendant submission:

Further, recent developments in the common law regarding invasion of privacy have fallen well short of the cause of action asserted by Bresnark. On the facts of this case, there is no ‘intrusion upon seclusion’, nor even any disclosure of ‘private facts’. Indeed, the Article is wholly based on public court proceedings and the facts and findings disclosed on the record in those cases. Therefore, the cause of action asserted in paragraph 4 of the statement of claim should be struck as disclosing no cause of action. It is plain and obvious that it has no chance of success.

The Court also dismissed a defamation claim as statute-barred.

Bresnark v Thomson Reuters Canada Limited, 2016 ONSC 5105 (CanLII).

BCSC orders voyeur to pay $85,000 in privacy damages

On May 3rd, the Supreme Court of British Columbia ordered $85,000 in damages to be paid to a young woman whose stepfather surreptitiously recorded her while she was undressed in her bathroom and bedroom.

The damages finding was driven significantly by the “thoroughly undignified and humiliating actions” of the defendant, the age of the defendant and proof that the defendant’s actions caused a significant psychological disorder that the plaintiff was still recovering from at the time of trial (which was four years after discovering the defendant’s wrong). The plaintiff was recovering, the judge also noted, as well as noting that the defendant conducted his defence with “appropriate restraint.”

The judge did not consider evidence that the plaintiff was herself provocative in his damages assessment:

The evidence establishes that the plaintiff was a confident and happy young woman. She had a strong sense of self-esteem and probably was proud of her body. She was perfectly entitled to choose what she showed of her body — and to whom, how, and when.

The Court also ordered damages to be paid for past loss of earning capacity, the cost of medication taken and health care received and the cost of future care.

T.K.L. v. T.M.P., 2016 BCSC 789 (CanLII).

IPC comments on use and disclosure of OSR in litigation

On June 15th, the Information and Privacy/Commissioner Ontario dismissed a privacy complaint that alleged a school board breached the Education Act and MFIPPA by producing a student’s OSR in response to his human rights application.

The Board produced the OSR and filed it in a brief of documents to be used at a pending Human Rights Tribunal of Ontario hearing, all pursuant to the Tribunal’s rules. The complainant objected, and in a preliminary hearing, the HRTO directed the complainant to consent or face dismissal of his application. The complainant did not consent, his application was dismissed and he subsequently filed a privacy complaint with the IPC.

The IPC held that MFIPPA prevails over the statutory privilege provision in the Education Act and that the IPC is therefore “not bound to consider section 266 of the Education Act in its deliberations.” It also held that the OSR was information “otherwise available” to the Board and therefore open to its use under the provision of MFIPPA that stipulates that MFIPPA “does not impose any limitation on the information otherwise available by law to a party to litigation.”

The IPC did recommend that, going forward, the Board refrain from unilaterally handling the OSR when its potential use and disclosure is in dispute: “… the Board should make efforts to seek direction from an administrative tribunal or court prior to disclosing the information contained within an Ontario School Record during the course of litigation.”

 York Region District School Board (Re), 2016 CanLII 37587 (ON IPC).

 

BCSC dismisses privacy claim against lawyer

On July 26th, the Supreme Court of British Columbia dismissed a claim against a lawyer based in part on his service of application materials and based in part his conveyance of information about the plaintiff in a casual conversation with another lawyer.

The application that became the subject of the claim was made in an earlier family law proceeding. It was for production of financial documentation from the plaintiff relating to seven companies in which he had an interest.

The defendant represented the plaintiff’s wife. He served the companies with application materials (a notice plus affidavit) without redaction and in an unsealed envelope. Apparently his process server left the materials with two unrelated companies in an attempt to affect service.

The Court dismissed this claim because the lawyer was at all times acting as counsel in furtherance of his client’s interest and was protected by absolute privilege. Justice Griffin commented favorably on the lawyer’s conduct in any event, declining to give effect to the plaintiff’s argument about the need for redaction and sealed envelopes and giving wide berth to counsel’s judgement. She said:

As a matter of ethics, professionalism and good practice generally, I do agree that lawyers should consider the privacy of litigants and not unnecessarily reveal the private information of the opposite party nor should they seek to embarrass the opposite party… But that does not mean that an action lies for a lawyer’s steps in the conduct of litigation if the opposite party does not like how the lawyer exercised his or her judgment in bringing and serving applications which disclose private information.

The “casual conversation claim” arose from a discussion the lawyer had with another lawyer during a break in discovery in another case. The lawyer said he represented a woman whose former husband had sold a business in Alberta for $15 million and that the couple had three young children. Another person who was present came to believe the lawyer was speaking about the plaintiff.

The Court dismissed the claim because the plaintiff had not proven the fact of the $15 million sale was private. More notable is Justice Wilson’s obiter finding that the lawyer’s disclosure was not “wilful” because he could not reasonably have expected the plaintiff to be identified. She said:

I have found the question of whether Mr. Lessing was wilful in violating Mr. Duncan’s privacy to be a difficult one. On balance, however, because the information he stated was very innocuous; he did not reveal names of the persons or the companies; and there is no evidence that he ought to have known someone in the room would know Mr. Duncan, I find that it cannot be said that he “knew or should have known” that what he said would breach Mr. Duncan’s privacy. I therefore find that if Mr. Lessing did breach Mr. Duncan’s privacy it was not a wilful violation of privacy within the meaning of the Privacy Act.

Duncan v Lessing, 2016 BCSC 1386 (CanLII).