British Columbia Court Of Appeal Upholds Decision Finding That An Employer Is Vicariously Liable For Its Employee’s Breach Of Privacy

On August 15, 2023, the British Columbia Court of Appeal (BCCA) in Insurance Corporation of British Columbia v Ari, 2023 BCCA 331, upheld the Supreme Court of British Columbia’s finding that the Insurance Corporation of British Columbia (ICBC) was liable for its employee’s violation of its customers’ privacy under the British Columbia Privacy Act.

The appellant, ICBC, provides a universal, compulsory insurance plan for vehicles in British Columbia and is authorized to acquire and retain personal information about almost everyone who owns or drives a vehicle in British Columbia.  An ICBC employee wrongfully accessed the personal information of several ICBC’s customers, linking their motor vehicle license plates to their names and home addresses, and sold the information to persons who then targeted several of the same customers in arson and shooting attacks.  A class action was initiated against ICBC, and the Supreme Court of British Columbia ruled that ICBC was vicariously liable for its employee’s statutory tort of violation of privacy under the Privacy Act, as previously reported by the E-TIPS® Newsletter here.

On appeal, the BCCA found that ICBC had not established that the judge made a palpable and overriding error in his finding that customers had a reasonable expectation of privacy in the personal information they gave ICBC.  The BCCA disagreed with ICBC’s argument that the type of information in issue was simple “contact information” that was publicly available and not the type of “highly sensitive” information protected by the Privacy Act.  The BCCA determined that there is no authority to conclude that the statutory tort is limited to “highly sensitive” information at the biographical core of individuals.  The BCCA also clarified that to analyze whether a right to privacy has been breached pursuant to the Privacy Act requires consideration of the context, including the nature, incidence, and occasion of the act, the relationship of the parties, and degree of privacy to which a person is entitled. 

The BCCA also found that the judge did not err in imposing vicarious liability. The BCCA noted that since the ICBC employee worked with ICBC’s computer database to access personal information that customers had provided ICBC, the employee could access private information for an improper purpose.  Further, the BCCA noted that ICBC knew that the information at issue was vulnerable to abuse.  As a result, the BCCA found that ICBC materially created the risk and provided the opportunity for its employee to commit the wrong and the employee’s conduct was sufficiently related to her authorized duties to justify the imposition of vicarious liability. 

Lastly, the BCCA ruled that the Privacy Act does not require proof of actual damage.  Therefore, the judge’s determination that baseline general damages could be awarded on a class basis, without requiring individualized proof, was not in error.

Summary By: Victoria Di Felice