Introduction
The recent Court of Appeal decision, ICBC v. Ari, has generated widespread interest and debate amongst the privacy and class action community. This significant decision reinforces the importance of stringent data protection, the heavy onus on employers to prevent their employees from wrongly accessing and using confidential information of their customers and the potential for employer vicarious liability, even in cases where employees have acted criminally.
Background
In ICBC v. Ari, an employee unlawfully accessed personal information of ICBC customers, which was then provided to a criminal organization. This resulted in a series of crimes targeting the affected customers. Despite having workplace privacy policies in place, ICBC was found vicariously liable for its employee's actions.
At its core, the case posed questions about the nature of privacy, the extent of vicarious liability and the potential for aggregate damages in a class action setting.
Privacy Act liability
Central to this case is the BC Privacy Act, which establishes that violating another person's privacy, intentionally and without rightful claim, is an offence regardless of whether actual damage occurs. The court found that:
- The Act requires a nuanced examination of the situation, looking at the context, relationships, and the degree of expected privacy.
- Customers had a valid expectation that their information would be used only for legitimate ICBC purposes.
- The information accessed in this case was deemed private under the Privacy Act.
Furthermore, the case examined the common law tort of intrusion upon seclusion, an Ontario-based precedent. To establish liability under this tort, intentional or reckless actions leading to a deliberate invasion of privacy must be proven. Despite ICBC's assertion that this precedent should apply, the court did not deem it determinative in this particular case.
Vicarious liability
An important consideration in the case was ICBC's vicarious liability. It is a well-established principle that employers can be held liable if there's a sufficient connection between the employee's wrongful act and the conduct authorized by the employer. This holds true even where the employee's wrongful conduct is criminal and is in specific defiance of the employer's policies.
The court confirmed that a policy rationale behind vicarious liability is explicitly based on shifting losses to employers where the injured party would most likely otherwise not be able to collect on a remedy. This is considered "fair" because "it is the employer who put the enterprise into the community, and it is the employer who is best positioned to absorb any losses, whether through insurance, higher prices or otherwise."
The reality of this policy is also considered to be a deterrent to the employer because its harshness encourages employers to exercise "imaginative and efficient administration and supervision" to "reduce the risk that the employer has introduced." Even in cases where "it may be difficult to guard against a determined employee's deliberate and secretive abuse...vicarious liability serves as an important social purpose in encouraging employers to guard against" such actions.
Here, inherent to the nature of ICBC's business is collecting and storing personal data. By giving the employee unrestricted access to this data, ICBC provided the means for potential abuse. It was determined in this case that ICBC was vicariously liable for the employee's actions.
Class action and general damages
The court's decision to award general damages on a class-wide aggregate basis was a contentious point. ICBC took issue with this, asserting that damages should and could only be proven on an individual basis.
Aggregate damages are available in class proceedings only where class-wide damages can be reasonably determined without proof by individual class members. Additionally, section 1 of the Privacy Act requires the context in which the act or conduct occurs to be considered along with the individual circumstances of the person claiming the breach.
However, the court found it was acceptable to pursue damages from the perspective of the "lowest common denominator," meaning a value could be determined for the whole of the class based on the class member who experienced the least amount of damage due to the privacy breach. This amount would be available to all class members. Those who experienced more significant damages could also seek further damages during the individual issues phase that follows the common issues trial.
Implications for employers
Employers should be alert to the broader implications of this judgment. With strict rules in place, an organization can still face vicarious liability if an employee's unlawful actions are linked to their job duties.
For companies looking to strengthen their defenses:
- Limit data accessibility: Ensure only essential staff members have access to sensitive information.
- Maintain transparency: Employ an "access register" that records all instances of data access.
- Stay up to date: Regularly refresh and revise privacy guidelines to ensure they're in line with provincial standards.
By understanding the nuances of both vicarious liability and class action implications, employers can position themselves more securely in an ever-evolving legal landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.