![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
For only the second time, the Federal Court of Canada awarded damages against an organization that was found to be in non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). The court determined that an applicant had suffered humiliation that warranted compensation, and the applicant was awarded damages of $4,500 plus interest and costs.
In Landry v. Royal Bank of Canada, the court considered an application for an order for a bank to pay damages for disclosing the applicant’s personal information without her consent. In the course of divorce proceedings, the bank received a subpoena
duces tecum
from counsel for the applicant’s ex-husband, ordering an employee of the bank to appear before the court and to bring certain documents held by the bank. The bank’s internal policies and procedures required that consent be obtained from the accountholder before the bank would disclose personal and confidential information. The requested documents were forwarded to the branch, with the instructions not to disclose them before having obtained the applicant’s consent and that, if consent was not received, the person named in the subpoena would have to appear before the court and bring the required documents. In spite of the bank’s policies and the specific instructions accompanying the documents, a bank employee faxed the copies of the applicant’s itemized bank statements to her ex-husband's counsel.
In determining whether to award damages, the court considered a number of cases, among them, Randall v. Nubodys Fitness Centres (an award of damages should only be made in the most egregious situation, i.e. where the breach has been one of a very serious and violating nature); Stevens v. SNF Maritime Metals (a PIPEDA right of action is not an end run on existing rights to damages, i.e. it applies to a damages claim for breach of the right to privacy), and Nammo v. TransUnion (factors to be considered when awarding damages include if the impugned disclosure was "minimal", if there was injury to the applicant sufficient to justify an award of damages and whether the respondent had benefitted commercially from the breach or had acted in bad faith). The court found that in this case, although the bank had not benefitted from the error and had not acted in bad faith, the disclosure of personal information was not trivial but a major error (especially as the bank employee tried to cover up her wrongful conduct). While the court noted that the applicant’s injury was in large part the result of her own actions, the documents sent to the ex-husband’s counsel were used by the judge to draw conclusions from it, and these conclusions were used by the ex-husband to harm her and destroy her relationship with her family and friends.
Companies can take comfort in the fact that while the awarding of damages in this case appears to be somewhat contradictory to the court’s own ruling in Randall v. Nubodys Fitness (as it could be argued that the breach was not egregious or of a very serious nature), it is noteworthy that the damages awarded were significantly less than the $100,000 (including $25,000 in exemplary damages) that had been requested by the applicant.
