Data Protection Enforcement in Canada

Administrative Remedies

The Canadian Privacy Commissioner has the power to investigate complaints, including compelling oral and written testimony and evidence. The Commissioner can also issue findings and recommendations; publish information about findings, and bring actions for non-compliance in Federal Court.

Civil Remedies

Individuals can file complaints with the Commissioner, and actions in Federal Court for actual and moral damages, and injunctive relief.

Criminal Remedies

Fines between $10,000 and $100,000 (Canadian Dollars).

Other Remedies

As of June 2015, Alberta is the only Canadian province to impose data breach notification requirements on organizations. However, commencing on an unspecified date in the future, all organizations in Canada except for those in the Canadian provinces of British Columbia and Québec will be subject to data breach notification requirements. The Privacy Commissioner has the power to release the names of companies that breach privacy requirements if it feels that it is in the public’s best interest to do so.

Selected Enforcement Actions / General Comments

In the 2013 case Chitrakar v Bell TV, [2013] FCJ No 1196, the Federal Court of Canada awarded an individual $10,000 in damages for breach of privacy, $10,000 in exemplary damages, and $1,000 in costs against a major telecommunications provider. In this case, the litigant was asked to sign a document upon receiving a TV box. The litigant testified that he believed he was signing only to confirm delivery, but his signature was affixed to a rental agreement that authorized the telecommunications provider to perform credit checks on him. The litigant later learned that the telecommunications provider accessed his credit history without his knowledge. The court found that the telecommunications provider’s conduct constituted a breach of the litigant’s privacy rights and had adverse consequences. The court also awarded the litigant exemplary damages and costs due to the telecommunications provider’s conduct at the time of the breach of the privacy rights and thereafter. In particular, the court rebuked the telecommunications provider for failing to appear in the proceeding, subjecting the litigant to its ineffectual bureaucratic procedure, and generally disregarding the customer’s privacy rights. In the 2012 case Biron v RBC Royal Bank, [2012] FCJ No 1183, the Federal Court awarded an individual $2,500 in damages for breach of privacy against a major Canadian bank. In this case, the litigant and her husband had a joint credit card account with the bank. At divorce proceedings between the litigant’s husband and the husband’s ex-wife, a representative of the bank disclosed credit card statements revealing the litigant’s personal information, despite her objections. The disclosures were not ordered by a court, and the litigant was neither a witness nor an interested party in the divorce proceedings. In assessing the quantum of damages, the court took into consideration the humiliation suffered by the litigant. In 2012, certain Canadian provinces also began recognizing privacy-related torts, including intrusion upon seclusion, public disclosure of embarrassing private facts, publicity which places the plaintiff in a false light in the public eye, and appropriation of the plaintiff’s name or likeness for the defendant’s advantage (Jones v Tsige, 2012 ONCA 32). Private companies may be subject to liability for committing these torts. For example, in Evans v Bank of Nova Scotia, [2014] ONSC 7294, the Ontario Superior Court of Justice confirmed the certification of a class action against a major Canadian bank for, among other things, committing the tort of intrusion upon seclusion. In this case, an employee of the bank provided private and confidential information of bank customers to his girlfriend, who then disseminated the information to third parties for fraudulent purposes. The case is ongoing as of January 2015. Efforts to comply with the findings and recommendations of the Privacy Commissioner can result in the expenditure of significant financial and human resources. In addition, the power to release names of specific companies can lead to negative publicity, as evidenced by recent focus on the privacy practices of social networking sites in Canada.