What is your information worth to you?

A Landmark in Canadian Privacy Law: BC Court of Appeal Affirms $15,000 Per-Person Damages in ICBC Data Breach Class Action

As privacy lawyers, we have witnessed the gradual development of privacy damages in Canadian law. However, the British Columbia Court of Appeal’s recent decision in Ari v. Insurance Corporation of British Columbia, 2025 BCCA 131, represents a pivotal turning point in how courts assess and award damages for privacy breaches.

At the heart of this case lies a disturbing breach: a former ICBC employee accessed and sold the personal information of 78 individuals to criminal elements. The consequences were not abstract—thirteen of those affected were later targeted in violent attacks, including arson and shootings. The breach was not only a violation of statutory privacy rights but a chilling reminder of the real-world dangers that can follow the mishandling of sensitive data.

What makes this decision truly groundbreaking is the Court of Appeal’s affirmation of a $15,000 baseline general damages award for each affected individual, regardless of whether they suffered direct financial loss. This is a significant departure from the historically modest awards in privacy cases, where damages were often negligible.

The Court’s reasoning is clear: privacy has intrinsic value. The unauthorized access and dissemination of personal information is, in and of itself, a compensable harm. This decision sends a powerful message to organizations across Canada—particularly those that collect and store large volumes of personal data—that the courts will not treat privacy breaches as trivial or merely technical infractions.

Importantly, the Court also reinforced the principle of vicarious liability. ICBC, as the employer, was held responsible for the actions of its employee. This underscores the legal and ethical obligation of organizations to implement robust safeguards, monitor access to sensitive data, and foster a culture of privacy compliance.

The implications of this ruling are profound. Organizations now face the prospect of substantial financial liability in class actions arising from privacy breaches, even where no direct financial harm is proven. Further, the Court’s acknowledgment that the breach itself constitutes harm affirms privacy as a substantive legal interest, not merely a procedural concern.

In a digital age where personal data is currency, Ari v. ICBC affirms that privacy rights are not theoretical—they are enforceable, valuable, and deserving of meaningful protection.  

We thank Nathan Cheung, Summer Student for his contributions to this article.

If you have questions about this or other privacy-related matters, please get in touch with Roshni Veerapen, Daniel Reid or another member of our Privacy and Data Protection team. For more blog posts, click here.