Private Eye: Award for Bell privacy breach offers little clarity on future PIPEDA damages

In Chitrakar v. Bell TV, a judge of the Federal Court of Canada awarded $20,000 in damages against Bell TV for a breach of the Personal Information Protection and Electronic Documents Act. Many academic commentators and privacy lawyers suggested the decision might signal a sea change in the attitude of the courts towards damages under PIPEDA and possibly other provincial privacy statutes. This is unlikely. The unique circumstances of this case will limit the precedential value of the decision and damages for privacy breaches, to the extent the court orders them at all, will continue to be modest.

Rabi Chitrakar complained that, during the course of an application for satellite TV service, Bell had accessed his credit history without consent. He filed a complaint with the federal privacy commissioner and obtained an order that the complaint was “well founded.” Chitrakar then made an application to the Federal Court pursuant to s. 14(1) of PIPEDA. Justice Michael Phelan confirmed the finding of the privacy commissioner and ordered the respondent Bell TV to pay $10,000 in general damages, $10,000 in exemplary damages, plus an additional $1,000 in legal fees pursuant to s. 16(c) of PIPEDA.

The facts of the case were somewhat odd. Bell argued before the privacy commissioner that Chitrakar had consented to the credit check. At the time of the installation of his satellite TV service, the company required him to provide his signature on a proof of delivery device machine. The signature provided was then embedded onto a Bell TV rental agreement that included consent to obtaining a credit check. But there were a number of problems with Bell’s position.

Chitrakar was under the impression his signature was only confirming delivery of the satellite system, an assertion supported by the fact he didn’t receive a copy of the rental agreement until after the installation was complete. More importantly, the investigation by the privacy commissioner revealed that Bell had accessed Chitrakar’s credit history a month before he signed using the machine. As a result, both the privacy commissioner and Phelan had no difficulty determining the company hadn’t obtained valid consent from Chitrakar.

But if Bell hadn’t handled its attempt to get consent from Chitrakar very well, things really went off the rails when he complained. Chitrakar first received an apology by voicemail from a Bell customer service representative. Perhaps not surprisingly, Chitrakar wasn’t happy with the voicemail apology and contacted various employees and managers at Bell seeking satisfaction. Only after three months of what Phelan characterized as the “royal runaround,” Bell agreed to release Chitrakar from his contract but didn’t address his privacy concerns.

The privacy commissioner’s investigation disclosed that what happened to Chitrakar was contrary to Bell’s corporate policy, but the company claimed it couldn’t locate any relevant records, nor could it confirm the identity of the representative who took his order. Additionally, although the privacy commissioner made several remedial recommendations, Bell couldn’t advise whether it had taken any remedial steps.

In his decision, a clearly frustrated Phelan noted Bell hadn’t even bothered to appear in the proceedings at the Federal Court and there was no indication it had implemented any of the privacy commissioner’s recommendations. This led Phelan to find Bell’s conduct had been “reprehensible in respect to Chitrakar’s privacy rights.”

In determining that $10,000 was an appropriate amount to award in general damages for Bell’s privacy breach, Phelan said the court should recognize violations of privacy rights as properly compensable even in the absence of any evidence of financial loss. Phelan found that the amount of damages had to be more than symbolic due to the size of Bell’s corporate structure since a small award would have little material impact. Nevertheless, the precise amount of $10,000 appears to be little more than an arbitrary figure. The additional amount of $10,000 in exemplary damages was directly attributable to Bell’s questionable and outrageous conduct throughout its interactions with Chitrakar, the privacy commissioner, and the Federal Court.

As noted above, some commentators have opined that the Chitrakar case will open the door to higher damages for privacy breaches even in the absence of evidence of actual damage. It’s doubtful Chitrakar will have much precedential value because of the unique circumstances and the questionable judgment shown by Bell in ignoring the Federal Court proceedings. But even if other cases consider Chitrakar, it’s likely to act as a ceiling for setting the quantum of such damages rather than a floor. Bell is a large company that, in this case, seems to have violated both the law and its own policies and then showed poor judgment in both its initial response to the consumer and subsequently in how it dealt with the investigation of the privacy commissioner and the application before the Federal Court. It’s likely that most organizations faced with a complaint about their privacy practices will be able to point to the Chitrakar case as a worst-case scenario and argue that any damages awarded against them should be significantly less than the $10,000 ordered by Phelan.

Although it is heartening to see that the Federal Court will take privacy violations seriously, Chitrakar does little to clear the murky waters of PIPEDA damage awards. We’ll probably have to wait for a case in which there’s actual damage caused by a privacy breach — and in circumstances not coloured by the misconduct of the respondent — before there’s a more detailed and nuanced analysis of how the courts will calculate privacy damages.

Technology, copyright, and privacy lawyer Mark Hayes is managing director at Heydary Hayes Professional Corp. in Toronto. He’s available at [email protected].