Written by: Myles Brown, Nathan Jones, and Sara Sebti

In Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131, the British Columbia Court of Appeal set an important precedent regarding damages for privacy breaches under the Privacy Act. The Court confirmed that when someone’s privacy is seriously and deliberately violated, they can receive more than nominal damages or “non-compensatory damages”.[1] The Court held that this was to be the case even in situations where a claimant cannot prove individual harm beyond the breach itself. The Court’s decision makes it clear that privacy breaches inherently cause real harm and warrant meaningful compensation.

Background

An employee at the Insurance Corporation of British Columbia (“ICBC”) accessed the private information of 78 ICBC policy holders without authorization and sold the information of at least 45 policy holders to certain criminal enterprises. As a result, several ICBC policy holders became targets of violent crimes, including arson and shooting attacks.

This incident became the subject of a class action lawsuit against ICBC.  Following a summary trial, the lower court found that the individual class members were entitled to general, non-pecuniary damages on a class-wide basis.  Importantly, the lower court held that individual class members were not required to prove they suffered a specific harm because of the breach.

The lower court found ICBC vicariously liable for the employees’ actions under s.1 of the Privacy Act.[2] The plaintiffs sought $25,000 per class member, based solely on the breach of privacy itself. In response, ICBC argued that damages should be limited to $500 per class member, unless the individuals provide further evidence of loss or harm.[3] Relying on the severity of the breach, the lower court awarded $15,000 per class member.[4]

ICBC appealed the decision.

The Appeal

The central question before the Court on appeal was how much compensation each class member should receive. ICBC took the same position it took in the lower court, arguing that the individual class members should have to prove loss or harm, and that absent such evidence the plaintiffs should only be awarded nominal damages.  

Nominal damages are generally “damages in name only,” and do not compensate the plaintiff for actual loss.[5] They are awarded when a legal wrong is found, but no actual loss or injury can be shown. They recognize the violation of a right but do not compensate for the harm experienced.

Writing for the Court, Chief Justice Marchand rejected ICBC’s position. He held that general damages can be awarded for the breach of privacy itself, even without proof of individual harm. The Chief Justice explained that nominal damages are only appropriate for “trivial” violations.[6] General damages may be awarded to recognize the violation itself, particularly when the breach is “serious, intentional, and carried out for an improper purpose”.[7]

General damages compensate for intangible losses, such as the impact on the claimant’s dignity or privacy interest itself. The Chief Justice referred to the Supreme Court of Canada’s decision in Ward v. Vancouver (City), 2010 SCC 27, which established that general damages may be awarded for breaches of privacy rights, even in the absence of physical or psychological injury.

The Chief Justice reasoned that harm in this case arises from the invasion of privacy itself.  While he opined that damages should be modest, he found that they must reflect the seriousness of the violation.[8] The Chief Justice described the employee’s conduct as “flagrant and deliberate,” since it showed a clear disregard for the privacy and safety of those affected.[9] It was not an accidental or minor mistake. The employee’s actions were a willful breach of privacy that caused real fear and distress.

The Chief Justice found that ICBC’s proposed $500 per person was too low because it downplayed the severity of the privacy breach. Given the nature of the violation, the Chief Justice upheld the lower court’s decision to award $15,000 per class member. This amount aims to compensate victims, vindicate their privacy rights, and deter future breaches of privacy.

The Upshot

This ruling marks a shift away from the traditional approach of limiting privacy breach damages to nominal amounts.  While the breach in Ari involved a relatively small group, the Court’s willingness to award significant general damages without proof of individual harm means corporations, especially larger corporations holding vast amounts of personal data, may face increased financial exposure if they fail to protect privacy rights. This is a good reminder for corporations to take their privacy obligations seriously. Failing to do so could result in costly class action claims and substantial damages awards. Proactive measures aimed at protecting privacy interests are essential in a rapidly evolving digital age, where a breach of privacy can, in and of itself, lead to serious harm. For more information, please contact our Litigation + Dispute Resolution Group.

---

[1] Insurance Corporation of British Columbia v Ari, 2025 BCCA 131 at para 36 [Ari].

[2] Ari at para 63.

[3] Ari at para 6.

[4] Ari at para 6.

[5] Ari at paras 35-36.

[6] Ari at para 60.

[7] Ari at para 11.

[8] Ari at para 16.

[9] Ari at para 63.