Executive Summary: Key Legal and Evidentiary Issues

• The B.C. Court of Appeal confirmed that damages under the Privacy Act can exceed nominal amounts without proof of consequential harm.

• ICBC's argument that only nominal damages were legally permissible in the absence of individual loss was firmly rejected.

• The court found general damages may be awarded to compensate for the infringement of privacy itself, regardless of awareness or impact.

• The $15,000 per person aggregate damages award was upheld based on the seriousness, intent, and risk involved in the privacy breach.

• The court emphasized that privacy rights have quasi-constitutional status, supporting damages that also serve vindication and deterrence.

• Limiting damages to trivial sums would undermine the purpose of the legislation and disincentivize class action remedies for privacy violations.

Background and factual context
This appeal stems from a class action lawsuit filed after a former employee of the Insurance Corporation of British Columbia (ICBC), Candy Elaine Rheaume, accessed the personal data of 78 individuals for non-business purposes. Of those, she sold the private information of at least 45 people to criminals. Between 2011 and 2012, 13 of those individuals were directly affected, experiencing incidents of arson and shootings.

The class was certified to include all individuals whose data was accessed by Ms. Rheaume without a valid purpose, as well as their family members and co-residents. A sub-class was created for those whose homes sustained property damage. The litigation focused on ICBC's vicarious liability under section 1(1) of the Privacy Act, R.S.B.C. 1996, c. 373, which states it is a tort, actionable without proof of damage, to willfully and without claim of right violate the privacy of another.

ICBC was previously found liable for the breach in a 2022 trial decision, affirmed on appeal in 2023. The present case concerns the subsequent assessment of aggregate damages at the class-wide level.

Legal issue and trial decision
At the damages stage, the trial judge considered what amount of aggregate damages could be awarded in the absence of individual harm evidence. The plaintiffs sought general damages of $25,000 per class member, while ICBC argued that without specific proof of loss or harm, damages must be restricted to nominal amounts—proposing $500 per person.

The trial judge rejected ICBC’s position, emphasizing that even a "modest or nominal" award need not be trivial. He found that a $500 award would trivialize the privacy rights at issue, particularly given the severity and deliberate nature of the breach. Drawing on legal principles from Jones v. Tsige and Ward v. Vancouver, the judge concluded that privacy infringements justify general damages not only to compensate but also to vindicate the right and deter future breaches.

Relying on the Ontario Court of Appeal’s decision in Jones, which established damages up to $20,000 for intrusion upon seclusion, the trial judge found the breach in the ICBC case even more severe due to the criminal distribution of the information and risks to personal safety. He awarded $15,000 per class member.

Appeal and decision by the B.C. Court of Appeal
ICBC appealed, raising one central legal question: whether more than nominal damages can be awarded under the Privacy Act without proof of consequential harm. The Court of Appeal dismissed the appeal, holding that the Privacy Act permits general damages to be awarded solely for the violation of the privacy right, even where no further harm is proven.

The Court confirmed that the tort created by section 1(1) of the Privacy Act is actionable without proof of damage because the invasion of privacy itself constitutes a compensable harm. It explained that general damages may be awarded to reflect the seriousness of the breach, to vindicate the right, and to deter future wrongdoing. The privacy interest, the Court noted, has quasi-constitutional status, and damage awards must reflect that.

The Court emphasized that restricting damages to nominal amounts would contradict the legislative purpose of the Privacy Act, especially in a digital era where large volumes of data are routinely collected. Such restrictions would also discourage individuals from pursuing claims and undermine the efficacy of class action mechanisms.

It concluded that the trial judge had correctly interpreted the law and exercised his discretion appropriately in assessing damages. The $15,000 per class member award was upheld as being within the proper range given the facts—specifically, the intentional nature of the breach, the resale of data to criminals, and the risks posed to all affected individuals, whether or not they were aware of the breach.

Final outcome
The appeal was dismissed. The B.C. Court of Appeal upheld the $15,000 general damages award per class member for breach of privacy under the Privacy Act, confirming that such damages can be awarded in the absence of individual proof of harm when the breach itself is serious and intentional. The Court’s decision strengthens the legal framework for protecting privacy in British Columbia and reaffirms the significance of privacy rights in Canadian law.