THE ADVOCATE 833
VOL. 76 PART 6 NOVEMBER 2018
Exposure of an individual’s aggregated data profile has the potential, by its
very nature, to cause greater harm than exposure of any single piece of information
about that individual. Predators of all varieties are better able to target
their prey the more that is known about them. Consider the reality of “sucker
lists” sold by data brokers; these are lists identifying the desperately ill, elderly
and generally vulnerable.9 These lists are sold to unscrupulous persons
who use the lists to scam or cheat already disadvantaged individuals.10 Not
only is it unlikely that any reasonable person would have consented to their
information being used in that way, but it is questionable whether such a use
can truly be the subject of informed consent in the first place.
DIFFICULTIES IN OBTAINING A REMEDY FOR RELEASE OF INFORMATION
Insufficient Protection in Tort
The law has historically found ways to balance individual autonomy with
the need to address inherently dangerous activities, particularly when
those risk-creating activities have economic benefit. For example, the
Supreme Court of Canada has ruled that alcohol-serving establishments
may be held liable for the damage caused by their intoxicated patrons by
virtue of their creation of risk and the economic benefit they derive from
their activities.11 This is despite the fact that those consuming the alcohol
freely consent to consumption. Unfortunately, this type of reasoning has
yet to be applied in the informational privacy context.
Insofar as it relates to the mismanagement of aggregated information,
privacy receives little tort law protection in Canada for two main reasons.
The first is the lack of recognizable harm or damage and the second is the
issue of indeterminate causation.
An example of the first problem can be found in Condon v. Canada,12
where the plaintiffs were individuals who applied for and received student
loan funding. Personal information related to this purpose had been stored
on a hard drive in a cabinet which subsequently went missing. The Federal
Court refused the plaintiffs’ motion to certify a class proceeding on the basis
of negligence, despite the relatively low evidentiary threshold for certification,
on the basis that no compensable damages could be shown.13 Although
the Federal Court of Appeal disagreed on appeal and sent the matter back
to be reconsidered, reference was made only to costs incurred in preventing
identity theft, not to any harm the individuals may have experienced simply
by virtue of the increased risk to them from potential misuse of the
exposed information.14 Although this case does not pertain to aggregated
data within the meaning given above, it illustrates how a lack of recognizable
harm or damage can bar or at least impede a claim.