Privacy is an area of growing concern for businesses and individuals across Canada. In part, this is fuelled by regular media reports of privacy incidents. Privacy breaches and poor information handling practices can have direct financial consequences for businesses, as well as posing a significant risk to an organization’s reputation and customer satisfaction. Risks associated with privacy can be broken down into four broad categories: (1) Statutory Breaches; (2) Private Lawsuits; (3) Criminal Prosecution; and (4) Reputational Damage. Each of these risks is described in more detail below.
1. Statutory Breaches
There is a complex network of legislation governing privacy in Canada. It is important for every organization to understand which statute(s) apply to their activities and to become familiar with the requirements of applicable statutes, in order to limit risks associated with non-compliance. Potentially applicable legislation includes:
- The Personal Information Protection and Electronic Documents Act – Federal legislation that applies to international and interprovincial commercial activities as well as all commercial activities within provinces that do not have substantially similar privacy legislation. Also applies to employee privacy for federally-regulated employers.
- Provincial private-sector privacy legislation – Such legislation includes the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia), An Act respecting the Protection of Personal Information in the Private Sector (Quebec), and The Personal Information Protection and Identity Theft Prevention Act (Manitoba). These statutes apply to organizations that operate within the applicable province.
- Statutory torts – British Columbia, Manitoba, Newfoundland and Saskatchewan have each enacted a Privacy Act, which creates a statutory privacy tort in these provinces. Generally, an individual can make a claim for a breach of privacy under such legislation without proof of damages.
- Health information legislation – Every province other than Prince Edward Island has legislation specifically governing protection of personal health information. Such legislation generally applies only to prescribed entities, usually referred to as “health information custodians” (or similar terminology).1
- Public sector legislation – Every province and territory has its own public-sector legislation. These statutes apply to provincial government agencies. In the federal sector, the Privacy Act applies to government bodies. Some jurisdictions also have municipal public sector privacy legislation.
- Canada’s Anti-Spam Legislation (“CASL”) – Regulates the sending of commercial electronic messages and the installation of computer programs on another person’s computer (including spyware). This legislation applies if the sender or recipient is located in Canada.
- Sector-specific legislation – Some sector-specific federal and provincial statutes include provisions dealing with the protection of personal information. For example, the Bank Act contains some provisions regulating the use and disclosure of personal financial information by federally regulated financial institutions.
Liability for breach of the above statutes can arise in a number of ways, including complaints filed by groups or individuals, as well as audits or investigations initiated by the relevant privacy commissioner or other regulatory body. Penalties under the various statutes vary, but can include substantial fines in some cases, as well as prosecution of individual offenders. For example, CASL provides for fines of up to $1,000,000 per breach for individuals and up to $10,000,000 per breach for businesses.
2. Private Lawsuits
Private lawsuits related to alleged privacy breaches are on the rise. In particular, in recent years there have been a number of class action lawsuits in Canada, the United States and elsewhere. For example:
- In British Columbia a class action lawsuit (Douez v. Facebook, Inc.) was filed against Facebook for alleged breach of privacy rights in connection with its “Sponsored Stories” product, which allowed advertisers to use the names and likenesses of Facebook users in sponsored stories about their products or services.
- In Ontario, a class action lawsuit (Evans v. The Bank of Nova Scotia) was filed against the Bank of Nova Scotia after an employee allegedly accessed the confidential personal banking information of approximately 643 customers (some of whom later claimed that they were the victim of identity theft/fraud).
- In Ontario, a class action lawsuit was filed in the Federal Court (Condon v. Canada) with respect to the loss of a hard drive that contained the dates of birth, addresses, student loan balances, and Social Insurance Numbers of approximately 583,000 student loan recipients.
- In Newfoundland and Labrador a class action lawsuit (Hynes v. Western Regional Integrated Health Authority) was filed in the Supreme Court against the Health Authority after an employee allegedly accessed approximately 1,043 medical records without authorization.
- In Quebec, a class action lawsuit was filed against Apple and Apple Canada, alleging that these companies violated users’ rights to privacy by transmitting or allowing Apps to transmit private data to advertisers.
These examples are just a small sampling of class action lawsuits filed in Canada over the past few years. Although few cases have been decided on their merits to date, the costs of defending against such actions can be extremely high.
In addition to class action lawsuits, individuals can also bring civil lawsuits in response to perceived breaches of their privacy rights. In this regard, some provinces have recognized a common law tort of “intrusion upon seclusion”. Pursuant to this tort, “One who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his [or her] private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.”2
Finally, organizations should be aware that certain statutes (such as CASL)3 also provide for a private right of action. Therefore, in addition to potential administrative penalties, organizations that violate such legislation could be held liable for damages suffered by persons whose privacy is breached.
3. Criminal Prosecution
The Criminal Code creates two privacy-related offences, as follows:
- Wilfully intercepting a private communication by means of a device, without the express or implied consent of the originator or the intended recipient (s.184).
- Fraudulently and without colour of right intercepting any function of a computer system (s.342.1).
In addition, CASL amended the Competition Act to address false or misleading representations in commercial electronic messages. That Act is enforced by the Competition Bureau (not the CRTC, which enforces CASL itself through administrative penalties), and it provides for criminal sanctions.
4. Reputational Risk
Privacy breaches and poor information handling practices can significantly damage an organization’s reputation. The impact of such damage on a business should not be underestimated. News of privacy breaches often spreads widely, due to media interest in privacy issues and widespread use of social media by individuals and other businesses.
Clients and customers that do not trust an organization to protect their personal information may hesitate to provide such information, thereby impeding the ease of business transactions, and in many cases individuals may choose not to do business with the organization. This can lead to a significant decline in business, especially in the short term after an organization experiences a privacy breach or receives attention for insufficient privacy controls. The potential for reputational damage is often a key driver for organizations to comply with privacy laws and even exceed legal requirements to ensure a high standard of protection for their customers’ personal information.
Conversely, while inadequate privacy controls can be detrimental to some organizations’ businesses, other organizations have leveraged their exemplary privacy practices as a marketing tool to promote their business.
Failure to understand privacy obligations and implement appropriate controls can create significant risks for organizations. Therefore, every organization should take proactive steps to reduce such risks. Such steps should include: (1) privacy audits; (2) a comprehensive privacy program; and (3) a breach response program.
1 In Quebec, statutory protection of health information is not provided in a stand-alone statute, but rather, is included in provisions of the Act respecting health services and social services, the Health Insurance Act, and the Act respecting the Régie de l’assurance maladie du Québec.
2 Jones v. Tsige, 2012 ONCA 32.
3 The private right of action comes into force on July 1, 2017.