On April 23, 2025, in Insurance Corporation of British Columbia v. Ari, the British Columbia Court of Appeal affirmed a class action judgment awarding aggregate damages of C$15,000 per class member without proof of consequential loss for breach of B.C.’s Privacy Act, arising from the defendant’s employee stealing and selling customers’ personal information, which in some instances criminals used to carry out targeted shooting and arson attacks. The issue before the Court of Appeal of whether general damages can be awarded for breach of privacy without proof of consequential loss, rather than just nominal damages, was novel. In concluding that they are available, the Court of Appeal added to its own recent case law affirming the importance of privacy rights as “quasi-constitutional” and clarifying the scope of causes of action available to protect them, as described in our July 2024 bulletin: Invasion of the Data Snatchers: B.C. Court of Appeal Clarifies Possible Scope of Privacy Claims Against Data Custodians in Data Breaches.
The B.C. Supreme Court Decision
An employee of the defendant Insurance Corporation of British Columbia (ICBC), B.C.’s public automotive insurer, improperly accessed the personal information of 78 of the defendant’s customers in the defendant’s database. The employee sold the personal information of 45 of those individuals to criminals, who subsequently targeted 13 individuals in arson and shooting attacks. The plaintiff obtained certification of a class action on behalf of all individuals whose personal information was improperly accessed and those who live with them, including but not limited to those who were victimized in the attacks.
After a summary trial in which the B.C. Supreme Court held that the employee’s conduct breached the Privacy Act and that the defendant was vicariously liable, the B.C. Supreme Court moved on to an assessment of class-wide damages. The plaintiff sought non-pecuniary damages of C$25,000 per class member for breach of the Privacy Act, with any additional pecuniary or non-pecuniary damages for any individual to be proved through an individual issues phase of the proceeding. The defendant argued that “baseline” non-pecuniary damages applicable to all class members for the mere fact of a privacy violation should be limited to C$500 per class member. Based on the severity of the breach, the B.C. Supreme Court concluded that an award of C$15,000 per class member fell within the category of a “modest” or “nominal” award and assessed class-wide damages based on that amount.
The B.C. Court of Appeal Decision
The Court of Appeal, in a decision written by the Chief Justice, affirmed the damages award. It rejected the defendant’s argument that only nominal damages may be awarded for the mere breach of a right without proof of specific harm, stating that general damages may be awarded where the seriousness of the violation of the right itself calls out for vindication, deterrence and compensation for harm to the claimant’s intangible interests.
In the context of privacy rights, which are “quasi-constitutional,” the Court of Appeal stated that where there is a violation there is a loss, as the plaintiff’s privacy interest — the right to control who has access to personal information — is harmed by the intrusion in a manner independent from any mental distress or upset the breach may cause. Where a breach is serious, deliberate and for an improper purpose, it is open to a judge to conclude that more than technically nominal damages are required to compensate for the intrinsic damage to the privacy rights of the plaintiff. On the other hand, where a breach of privacy is inadvertent, superficial, transient or otherwise trivial, it may be appropriate to award no more than technically nominal damages to mark the wrong.
In this case, the Court of Appeal agreed with the trial judge that the defendant’s “proposed approach would trivialize the important, quasi-constitutional interest protected by [the Privacy Act], and would undermine the legislative intent behind the whole scheme of the Privacy Act.” It further stated that if only technically nominal damages were available no matter how egregious or flagrant the breach, “then the legislature’s choice to make the privacy tort actionable without proof of damage would be reduced to mere symbolism.” It noted that C$15,000 may be toward the upper end of the appropriate range of damages in this type of case, but that the seriousness of the breach supported an elevated baseline. It contrasted the case with others in which the breach resulted from a hack by a third party, or an innocent mistake, declining to determine what damages might be appropriate in those circumstances.
The Court of Appeal’s decision confirms that substantial damages may be available on a class-wide basis for a deliberate breach of privacy, even absent proof of loss, depending on the severity of the breach.
For more information, please contact the authors or any other member of our Litigation & Dispute Resolution or Class Actions groups.
More insights
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2025 Blake, Cassels & Graydon LLP
