In Insurance Corporation of British Columbia v Ari, the British Columbia Court of Appeal (the Court) upheld a summary trial decision that awarded damages for breach of privacy without proof of consequential loss.1 The Insurance Corporation of British Columbia (ICBC) was found vicariously liable for a statutory tort under the Privacy Act for a former employee's fraudulent use of customer data.2 The proceeding was brought as a class action by the affected individuals.
In this appeal, the Court considered the aggregate damages stage of the class action, where damages reflecting the harms or losses experienced by all class members are considered – individual losses were not at issue.3
In dismissing the appeal, the Court held that more than nominal damages are available for a breach under Section 1 of the Privacy Act without proof of consequential harm. In doing so, the Court clarified:
- The availability of damages where there is no proof of harm; and
- Appropriately assessing the quantum of damages for Privacy Act breaches.
Background
In a previous decision in this proceeding, ICBC was found vicariously liable for its former employee's serious breaches of privacy.4 The former employee improperly accessed the personal information of customers who had insurance policies with ICBC and later sold this information to criminals, some of which were targeted in "arson and shooting attacks."5
The class includes all ICBC customers whose information was accessed by the former employee, as well as individuals who reside with these customers (the Class Members).6 In a previous decision, ICBC was found vicariously liable for the former employee's privacy breach.7
This is an appeal of a summary trial determination of aggregate damages for the Class Members.8 The representative plaintiff did not provide evidence of individual harms suffered by the Class Members – this is considered at a later stage in class proceedings. However, ICBC claimed that non-pecuniary damages9 could not exceed a nominal value because the representative plaintiff provided no evidence of loss or harm.10
ICBC's submissions were rejected by the summary trial judge, who awarded $15,000 per class member in aggregate damages.11 The appeal considered the correctness of the award. In particular, the Court assessed whether the Privacy Act supports an aggregate damages award beyond a nominal amount if there is no evidence of consequential loss or harm.12
Availability of Damages Without Proof of Loss or Harm
The Court clarified that other types of damages can still apply if nominal damages are available.13 Nominal damages are awarded when there is a breach but no evidence of loss.14 This is only available where proof of loss is not required, including a breach under Section 1 of the Privacy Act.15 However, general damages can also recognize a rights breach, even without proof of loss or harm.16 In other words, if no loss is suffered, nominal damages are available alongside other applicable forms of damages.
General damages can be awarded in response to the breach of a right. In the Charter context, general damages can be awarded to reflect intangible harms suffered, such as distress and humiliation, as well as to deter future breaches of the infringed right.17 The Court held that the "recognized quasi-constitutional nature of privacy rights under the Privacy Act and at common law" support a similar approach where an individual's privacy is breached.18
Where there has been a serious violation of a right, general damages may be awarded without proof of harm. This is because general damages are available where the violation calls for "vindication, deterrence, and compensation for harm to the claimant's intangible interests."19 The need to recognize these impacts is "particularly clear" for privacy breaches because the violation itself is a form of loss, even where the plaintiff is unaware that the breach occurred.20
Assessing Damages for a Breach Under the Privacy Act
While finding of injury is not needed to award Privacy Act breach-related damages, it may be a factor in determining the damages quantum.21 The Court found that individual harms are a factor to be considered but ultimately held that compensatory damages can still be awarded for intangible harms if proof of injury is not present.22 Beyond compensatory damages, general damages can be awarded to deter wrongdoing and vindicate the breach of a right.23
The Court accepted that the quantum of damages is assessed on a scale based on the severity of the privacy breach. Nominal damages may be appropriate where the breach is "inadvertent, superficial, transient, or otherwise trivial," however, more significant damages may be available where the breach is "serious, deliberate, and for an improper purpose."24 Essentially, damages must be "reasonably responsive to the actual harm done" to the privacy interests.25
Since the legislature made a breach of privacy actionable without proof of loss, the Court held that limiting damages to a nominal amount would "trivialize" the quasi-constitutional protection of privacy rights.26 It was on this basis that the Court found that ICBC is vicariously liable for the former employee's breaches, since entities would not be motivated to protect privacy interests if an adequate remedy is not available.27
The Court held that the summary trial judge properly found that "more than nominal damages" were warranted and accepted the previous damages quantum, which is entitled to significant deference.28 The Court noted, however, that the $15,000 award per class member "is likely towards the upper end of the appropriate range for damages."29 This value reflects the injury to the Class Members' privacy interests, while responding to the seriousness of the breach.30
Takeaways
This decision clarifies both the availability and assessment of damages for a breach under Section 1 of the Privacy Act. In summary, the Court provided the following notable guidance:
- Privacy rights have a quasi-constitutional status, so remedies for a breach should be more than trivial;
- The availability of nominal damages does not mean other relief cannot apply;
- Damages for breach of privacy should reflect the severity of the breach, not necessarily the loss suffered;
- Breaches of the Privacy Act can result in sizeable damages assessments, even where there is no proof of consequential loss; and,
- General damages can be awarded to reflect injury to the right to privacy itself.
Footnotes
1 2025 BCCA 131 [Decision].
2 Privacy Act, RSBC 1996, c 373 [Privacy Act].
3 Decision at para 28.
4 See Ari v Insurance Corporation of British Columbia, 2022 BCSC 1475 aff'd 2023 BCCA 331.
5 Decision at para 2.
6 Decision at para 3.
7 See 2022 BCSC 1475 aff'd 2023 BCCA 331.
8 Decision at para 4; Ari v Insurance Corporation of British Columbia, 2024 BCSC 964 [BCSC Decision] (Aggregate damages can be awarded in class proceedings for all or part of a defendant's liability to all class members; see Class Proceedings Act, RSBC 1996, c 50, s 29(1). ).
9 Non-pecuniary damages compensate impacts that cannot easily be quantified (e.g., pain and suffering).
10 Decision at para 5.
11 BCSC Decision at para 35.
12 Decision at para 18; Privacy Act, s 1.
13 Decision at para 40.
14 Decision at para 35.
15 Decision at paras 37-38.
16 Decision at paras 40, 46.
17 Decision at paras 41-44, referencing Ward v Vancouver (City), 2010 SCC 27.
18 Decision at para 46, referencing Douez v Facebook, Inc, 2017 SCC 33 at para 59 and Jones v Tsige, 2012 ONCA 32 at para 75.
19 Decision at para 48.
20 Decision at para 49.
21 Decision at para 54.
22 Decision at paras 50-54.
23 Decision at para 55.
24 Decision at para 60.
25 Decision at para 66.
26 Decision at para 61.
27 Decision at paras 62-63.
28 Decision at paras 66, 69.
29 Decision at para 69.
30 Decision at para 70.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
