The Common Law
The common law is the system of legal precedents – court decisions – developed over time. Until about 40 years ago, the common law was the only source of legal protection for privacy rights in Canada. An individual’s property and reputation were protected because the common law established well-understood rules, which were enforced by giving people a right to sue for damages if their privacy was “invaded.” Grounds for such lawsuits include:
Trespass to land – available when someone comes onto your land without permission;
- Trespass to chattels – available when someone interferes with your possessions without permission;
- Defamation – when someone makes a false statement about you that damages your reputation;
- Injurious falsehood – when someone knowingly makes a false statement with the purpose of causing you a monetary loss.
These types of claims are still available, but except for defamation they are not frequently used.
The law in British Columbia does not recognize a common law claim for invasion of privacy (1), but there is a statute, called the Privacy Act (BC), which makes it a “tort” (a wrongful act) for a person to “wilfully and without claim of right” violate the privacy of another person.
This has been interpreted by judges to mean that if a person intentionally violates another person’s privacy, and they do not have a legitimate defence (a “claim of right”), they can be sued and will be liable for all the harm flowing from the privacy invasion, not just those that are reasonably foreseeable, and depending on the seriousness of the invasion, could also be liable for punitive damages to reflect society’s abhorrence of their actions. (2)
Although it is not common, people have sued under the Privacy Act (BC) and have won.
Today, if your personal information privacy is breached, you have a number of possible remedies:
- You can sue under the BC Privacy Act, which gives people in BC the right to sue for an invasion of privacy;
- You can complain directly to the government agency or private organization that you feel breached your privacy;
- You can complain to a Privacy Commissioner under PIPA or FOIPPA or PIPEDA or the Privacy Act, depending on which law applies to the situation and follow the processes from there to the courts if you are not satisfied, or
- You could sue in court for negligence.
The Possibilities of Making a Claim for Negligence
You may have grounds to sue in civil court for negligence. This is a common law remedy.
In the past, people have sued for negligence and invasion of privacy, but have not been successful. In circumstances involving privacy invasions, it appears that people have had more success suing under the Privacy Act (BC).
More recently, some lawsuits and class actions for negligent failure to protect personal information have been started but have not reached their conclusion. Typically these cases arise when credit card, health or similarly sensitive information of a large number of people is stolen from a business or other large organization. (3)
There is a general principle that organizations and government entities have legal duties not to be negligent or careless when protecting your personal information if they can reasonably foresee that harm could result from the negligence or carelessness.
Because of this general principle, it is arguable that if an organization fails to exercise due care to prevent the loss or theft of your personal information in circumstances they should have foreseen, and you can prove that the harm you suffered was caused by that failure to protect your information, you could have a claim for damages.
Although no such case has yet been decided in Canada, many privacy breaches have occurred both in Canada and the U.S. Many class action lawsuits have been started in the U.S., and some have been started in Canada, but most have settled before trial or are still in the early stages of the case. When a case goes all the way to trial and is decided by a judge, we will then have a legal pronouncement as to whether the law recognizes a claim for negligent breach of privacy.
(1) Hung v. Gardiner, [2002] B.C.J. No. 1918 (S.C.), aff’d [2003] BCJ. No. 1048 (C.A.); Bracken v. Vancouver Police Board, 2006 BCSC 189
(2) See Watts v. Klaemt, 2007 BCSC 662, in which punitive damages were awarded. See Getejanc v. Brentwood College Ass’n, 2001 BCSC 822, in which punitive damages were not awarded.
(3) For example, in 2007 Winners and its parent company TJX Company Inc. were sued in a large class action for failing to use adequate security measures to protect customer information. According to TJX Company, over 45 million credit and debit account numbers were stolen, in addition to other types of sensitive personal information.