THE ADVOCATE 835
VOL. 76 PART 6 NOVEMBER 2018
gence in the context of alcohol-serving establishments,19 as mentioned
above. Notably, the impediment that the lack of concrete damage traditionally
places on courts’ ability to award compensation to plaintiffs who suffer
privacy-related harm was mitigated in the case of Doe 464533 v.
N.D.20 There a sex tape of the plaintiff was disseminated by her ex-boyfriend.
The court analyzed her claim and injuries under sexual battery
principles, despite the fact that no physical touching had occurred, and
awarded general, aggravated and punitive damages in line with the analogy
the court drew to sexual assault.21 In light of this case, it seems likely that
the courts will begin expanding torts which have not historically been
applied in an information privacy context to fill the gaps left by the present
state of the law.
Insufficient Protection by Designated Administrative Bodies
Most cases involving large breaches of aggregated information are either
settled long before they reach the courts or addressed in response to complaints
made to administrative bodies (namely, the Office of the Privacy
Commissioner in Canada and the Federal Trade Commission in the United
States) and not publicly litigated.
Though there have been small victories by way of complaints made to
administrative bodies, these have not proven effective either in
compensatory terms or as a deterrent.
One example is the case involving ChoicePoint, an American data broker
that sold the information of 163,000 consumers to criminals posing as legitimate
businesses.22 ChoicePoint was subsequently directed to pay $5 million
in customer redress by the Federal Trade Commission, a penalty so
inadequate that it provided a mere $30 to each victim and failed to deter
ChoicePoint from committing another data breach several years later. As
compensation for this second data breach, which resulted from ChoicePoint’s
failure to implement security measures as directed after the 2005
breach, victims were awarded $18 each.23
Have Consumers Consented to Use of Their Information?
Plaintiffs who seek recourse for a breach of their aggregated data face
another potential hurdle: the claim that they have consented to its collection.
Under the federal Personal Information Protection and Electronic Documents
Act (“PIPEDA”),24 consent is deemed valid if “it is reasonable to expect
that an individual to whom the organization’s activities are directed would
understand the nature, purpose and consequences of the collection, use or
disclosure of the personal information to which they are consenting”.25 In