BCCA confirms general damages available without proof of harm for breach of Privacy Act
In Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131 (“Ari”), the British Columbia Court of Appeal (“BCCA”) released a significant decision on the assessment of damages for breach of privacy under section 1 of the British Columbia Privacy Act. This section expressly states that willfully “violating the privacy of another” is an actionable tort even without proof of damage. But until recently, it remained an open question whether, in the absence of such proof, a court is limited to awarding only nominal damages.
The BCCA answered that question decisively in Ari. In upholding the lower court’s aggregate damages award of $15,000 per class member, the BCCA confirmed that general damages may be awarded even without proof of consequential loss or harm where the privacy breach itself calls for compensation, vindication, and deterrence. The BCCA held that limiting damages to nominal amounts in these circumstances would undermine both the legislative intent of section 1 of the Privacy Act and the quasi-constitutional status of privacy rights – particularly where, as here, the breach was serious, intentional, and improper.
The facts and decision below
A former employee of the defendant insurance company accessed the private information of a number of the defendant’s policy holders, and then sold some of that information to criminals. Between 2011 and 2012, certain of those policy holders were subject to targeted attacks. A class action was commenced and ultimately certified. The certified class included all natural persons whose personal information was accessed and their family members, as well as a sub-class consisting of members who resided at premises that suffered property damage by third-party attacks. Following certification, liability and damages were to be determined separately.
At the liability trial, the defendant was found vicariously liable for its former employee’s breach of privacy. In the damages trial that followed, the plaintiffs chose not to present evidence of individual harm, stating that such evidence would be reserved for the individual issues phase. The defendant argued that, in the absence of proof of specific loss or injury, the court was limited to awarding nominal damages only – proposing a cap of $500 per class member. The trial judge rejected the defendant’s submissions and made an aggregate award of $15,000 per class member.
The BCCA’s analysis
The sole issue on appeal was whether an aggregate award of damages for breach of privacy under section 1 of the Privacy Act could be more than nominal in the absence of proof of consequential harm. The BCCA determined that – yes – general damages could have and should have been awarded, emphasizing the following key points:
- General damages may be awarded to vindicate rights: While nominal, non-compensatory damages are typically awarded where a right has been breached but no loss or harm has been proven, the BCCA confirmed that general damages may also be awarded in such circumstances. This is particularly true where the seriousness of the violation warrants vindication, deterrence, and compensation for the plaintiff’s intangible interests.
- The right to privacy holds quasi-constitutional status: The Court reaffirmed that the right to privacy is a fundamental value in Canadian law, possessing quasi-constitutional significance. The BCCA further explained that proof of damage is not required under section 1 of the Privacy Act, as a violation of the right to privacy constitutes harm in itself, independent of any resulting loss or injury.
- General damages were appropriate in this case: The BCCA held that an award of technically nominal damages may be appropriate in circumstances where a breach of privacy is inadvertent, superficial, transient, or otherwise trivial. But here, where the breach is serious, deliberate, and for an improper purpose, the BCCA concluded that the defendant’s proposed nominal award would trivialize the important, quasi-constitutional right to privacy, and would undermine the legislative intent behind section 1 of the Privacy Act.
The future impact
The BCCA stopped short of providing a clear framework for assessing the quantum of damages for breach of section 1 of the Privacy Act. Rather, the lower court’s aggregate award of $15,000 per class member was upheld based on deference. However, the BCCA did comment that this was likely towards the “upper end of the appropriate range for damages in cases of this sort.”
The BCCA also clearly stated that this case did not arise from a hack or innocent mistake and declined to opine on the amount of aggregate damages appropriate in such cases.
It is helpful that the BCCA expressly confirmed that the damages awarded in Ari are not automatically appropriate in the event of a cyberbreach. However, the BCCA’s decision highlights the legal risk even in the context of a rogue employee, and significant damages may be awarded even without proof of individual harm. It is essential for organizations not only to audit employee compliance with privacy policies and procedures, but also to anticipate and prevent misuse before it occurs.