Monday, July 09, 2012

Federal Court: No damages for trivial privacy breach

Once again, the Federal Court has shown that nominal or no damages will be paid for trivial breaches of PIPEDA. In Townsend v. Sun Life Financial, 2012 FC 550, the Applicant brought an application against Sun Life Financial for having misaddressed a piece of mail (which was returned unopened) and disclosing some medical information to the financial advisor involved in underwriting the policy.

The Applicant sought

(i) Payment of $352.56 for costs associated with the closing of the Investors Group retirement plans;
(ii) Declaration that the Respondent breached the PIPEDA and the fiduciary duties owed to the Applicant;
(iii) Declaration compelling the Respondent to publish notices of measures taken to avoid contravening the PIPEDA;
(iv) An award of $25,000.00 in damages;
(v) Costs before this Court; and
(vi) Any other relief this Court deems appropriate.

Though a (relatively trivial) breach was found, the application was dismissed.

The court noted, in its discussion of damages:

[34] In fact, contrary to the Applicant’s bald assertions, I do not accept that the Respondent has acted in an intentional, callous or egregious manner or in any other way that would indicate a complete disregard for the Applicant’s privacy interests. The fact that the Respondent has never denied having committed the errors is commendable. Plus, there is no evidence that the Respondent acted in bad faith or benefited commercially from the error, as acknowledged by the Applicant. It is also duly noted that the Respondent has apologized to the Applicant on numerous occasions (Respondent’s Record, Affidavit of Rosemary Knez, Exhibit “B”, p 8; Exhibit “D”, pp 11-12; Exhibit “F”, p 14) and even informed the Applicant of the measures implemented to avoid the re-occurrence of such errors (Ibid, Exhibit “D”, p 11). In my opinion, the Respondent promptly and effectively corrected its errors. It may be, as alleged by the Applicant, that the Respondent should have put these measures in place before the error occurred. Nobody should be held to a standard of perfection, and the Respondent already had a detailed protocol before the occurrence of what can only be considered as a human error.

[35] Moreover, the amount of damages sought is greatly out of proportion to the jurisprudence of this Court. Even in cases where the Court has found evidence of bad faith on the part of a respondent, the quantum of damages has been lesser than the order sought by the applicant. ...

[38] Taking into consideration the facts of this case, I am of the view that the disclosure of personal information was minimal and the inaccuracy in the Applicant’s address caused no injury. I accept that medical information is of the utmost sensitivity and should receive the highest degree of protection. In the instant case, and without diminishing the Applicant’s grief, the extent of the disclosure was minimal and was only disclosed to Mr. Townsend’s Advisor, who appeared not to have noticed the personal information and then promptly destroyed the letter upon request. Moreover, the Respondent genuinely apologized for the breach and promptly took steps to correct its policies and procedures. For those reasons, I do not consider it necessary to order the Respondent to correct its practices or to publish a notice of any action taken or proposed to be taken to correct its practices, or to award damages to the Applicant.

[39] Moreover, the Applicant has not provided any arguments or evidence for disbursing $352.56 for costs, associated with the closing of the Investors Group retirement plans. In any event, I see no plain and obvious link between these costs and the Respondent’s conduct. Accordingly, the Court exercises its discretion not to award these costs.

[40] For all of the foregoing reasons, this application is dismissed and each party shall bear its own costs.

No comments: