Date: 20050329
Docket: T-1180-04
Citation: 2005 FC 420
Ottawa, Ontario, this 29th day of March, 2005
Present: The Honourable Mr. Justice Simon Noël
BETWEEN:
BRIAN MURDOCH
Applicant
and
THE ROYAL CANADIAN MOUNTED POLICE
Respondent
and
THE PRIVACY COMMISSIONER OF CANADA
Intervenor
REASONS FOR ORDER AND ORDER
[1] This is an application for judicial review of a decision of the Office of the Privacy Commissioner of Canada (the "Privacy Commissioner"), dated May 25, 2004, advising Brian Murdoch (Mr. Murdoch, or the "Applicant") that no penalty was available under the Privacy Act, R.S.C. 1985, c. P-21 (the Privacy Act, or the "Act"), to further remedy a breach of privacy committed against him by the Respondent, the Royal Canadian Mounted Police (the "RCMP"). The Applicant seeks :
- An Order quashing the decision of the Privacy Commissioner that no penalty existed to remedy the breach of the Applicant's privacy;
- A Declaration that the Privacy Commissioner has implied power to impose relief such as a penalty;
- An Order remitting the matter back to the Privacy Commissioner for redetermination as to an appropriate remedy;
- His costs in the matter; and,
- Such further and other Order or relief as this Court might direct.
ISSUE
[2] The issue before me is whether or not the Privacy Commissioner has the power, either explicit or implied, to fashion remedies for unauthorized breaches of the Privacy Act beyond those specified in the Act. The answer to this question will in turn help answer that of whether or not the Privacy Commissioner in this case erred in advising the Applicant that no penalty could be imposed by it.
CONCLUSION
[3] For the reasons outlined below, the answer to this first question is that the Privacy Commissioner only has limited power to remedy breaches of the Privacy Act, as outlined in ss. 35 and 37 of the Act. In the circumstances, therefore, the Privacy Commissioner did not err in denying the award of a penalty to the Applicant.
BACKGROUND & DECISION UNDER REVIEW
[4] In September 2002, Mr. Murdoch's son was involved in an altercation with police following which Mr. Murdoch was called to give him assistance. Because of Mr. Murdoch's behaviour upon his arrival at the scene, the RCMP considered filing charges of obstruction. No charges were ever laid against any party in relation to this incident, but the RCMP detachment file concerning the incident was provided by the RCMP to Mr. Murdoch's employer (the Edmonton Police Service).
[5] In March 2003, Mr. Murdoch filed a complaint with the Privacy Commissioner that, in addition to other wrongful conduct, the RCMP breached the Privacy Act when it disclosed personal information to his employer, the Edmonton Police Force, without either his consent or a lawful reason for such disclosure.
[6] Upon concluding the investigation into the complaint, the Privacy Commissioner determined, in a decision dated May 25, 2004, that Mr. Murdoch's complaint of wrongful disclosure was well-founded. The report also indicated that the RCMP had been informed of this finding and that it was in agreement. The report then went on to state that since there was no penalty under the Privacy Act for such a violation, the Privacy Commissioner was not able to remedy the situation further :
Our review of the file the RCMP provided to your employer confirmed that it contains personal information about you as defined in section 3 of the Privacy Act. As that is the case, the information could properly be disclosed only with your consent or in accordance with one of the permissible disclosure provisions outlined in section 8(2) of the Act. In this case, it is clear that you did not provide your consent and I am satisfied that none of the provisions of section 8(2) of the Act is [sic] applicable. Under the circumstances, I am of the view that the confidentiality rights afforded you under the Privacy Act were violated by the RCMP.
I consider this disclosure of your information to constitute a serious violation of your privacy rights and my views in this regard have been made known to officials of the RCMP, who readily agree. While this finding does not mitigate the damage done, we nevertheless hope that this incident has served to remind the RCMP of its responsibilities under the Privacy Act. Unfortunately, there is no penalty under the Act for this breach of your privacy, and there is really nothing more that our Office can do to assist you further.
This completes our investigation of these matters on your behalf. Please note that the RCMP has been informed of the results. [...] (My emphasis.)
[7] Notice of this Application for judicial review was filed with the Federal Court on June 18, 2004. On August 11, 2004, the Privacy Commissioner filed a Motion to have the Application struck out or dismissed, which was rejected by Prothonotary Tabib on September 3, 2004.
SUBMISSIONS
The Applicant
[8] The Applicant submits that the Privacy Commissioner committed a reviewable error in determining it was unable to provide a remedy to the Applicant for what it admitted was a breach of the Applicant's rights under the Privacy Act. The Applicant states that where there is a statutory right (in this case, to privacy) with no expressed sanction for a breach of such right, there is prima facie an implied right to be compensated for any breach of this right.
[9] The Applicant further states that since the Privacy Commissioner is charged with investigating and making findings on complaints under the Privacy Act, the only way in which the Privacy Commissioner can fully comply with its statutory duties is by exercising its authority in a manner that gives effect to such an implied right. To do otherwise, in the view of the Applicant, is to countenance a right without a remedy, which runs counter to legal precedent. Therefore, the Applicant submits that a remedy such as the granting of a penalty against a party who discloses personal information without the consent of the individual concerned should be read in to s. 35 of the Act.
The Respondents
[10] On March 9, 2005, a few days before the hearing, the Privacy Commissioner, who along with the RCMP had been named as a Respondent to the Applicant's Application, filed a Motion pursuant to Rule 303(1) of the Federal Court Rules (1998), SOR/98-106, with the Applicant's consent, whereby it requested to be removed as Respondent and added as Intervenor. It had already filed a Memorandum of Fact and Law as Respondent (which was limited to arguments on jurisdiction), upon which it wished to rely as Intervenor. This Motion was granted at the beginning of the hearing, so I shall refer to the Privacy Commissioner in these reasons accordingly, and the following Order also reflects this.
[11] The Privacy Commissioner submits that it is beyond doubt that, as a statutory ombudsperson, it does not have the legal authority to adjudicate complaints, or to otherwise enforce the Privacy Act by means of awarding remedial relief to complainants. In the Privacy Commissioner's opinion, allowing the Applicant's application for judicial review would amount to transforming it into an adjudicative body with broad powers of enforcement, thus extending far beyond its legislatively-intended role. A clear and unambiguous reading of the Privacy Act shows that Parliament intended the Privacy Commissioner to be a body with the statutory authority to investigate complaints of alleged breaches of the Privacy Act and to report non-binding findings and recommendations (if any) to the parties involved. No further powers should be imputed.
[12] In making its finding that Mr. Murdoch's complaint was well-founded, and in further communicating this finding to both Mr. Murdoch and the RCMP, the Privacy Commissioner carried out its statutory obligations under s. 35 of the Privacy Act. The Privacy Commissioner claims that not only does it have no further obligations, it in fact has no further authority under the Privacy Act to make binding determinations or to award remedial relief such as that requested by the Applicant.
[13] The RCMP did not file a separate Memorandum of Fact and Law, but instead indicated its intention to rely on the submissions filed by the Privacy Commissioner.
ANALYSIS
Standard of Review
[14] The question before me is necessarily one dealing with the scope of the Privacy Commissioner's jurisdiction. Such questions of jurisdiction are normally dealt with according to the standard of review of correctness : Boucher v. Canada (Attorney General) (2000), 252 N.R. 186 (F.C.A.) at 188. The parties were in agreement that the applicable standard of review is that of correctness.
Analysis of the Privacy Commissioner's Jurisdiction and Its Final Decision
[15] I have carefully reviewed the arguments of the Applicant. The following paragraphs respond to these as a whole, but it should be kept in mind that each has been carefully studied in order to come to my final analysis and conclusions.
[16] The jurisdiction of the Privacy Commissioner to hear Mr. Murdoch's complaint of improper disclosure is set out in s. 29(1)(a) of the Privacy Act, which states :
| 29. (1) Subject to this Act, the Privacy Commissioner shall receive and investigate complaints
(a) from individuals who allege that personal information about themselves held by a government institution has been used or disclosed otherwise than in accordance with section 7 or 8; |
|
29. (1) Sous réserve des autres dispositions de la présente loi, le Commissaire à la protection de la vie privée reçoit les plaintes et fait enquête sur les plaintes : a) déposées par des individus qui prétendent que des renseignements personnels les concernant et détenus par une institution fédérale ont été utilisés ou communiqués contrairement aux articles 7 ou 8; |
|
|
|
|
[17] Under subsections 35(1) and (2) of the Privacy Act, where the Privacy Commissioner finds, as the result of an investigation, that a complaint is well-founded, it is obligated to provide the head of the appropriate government institution with a report containing its findings, as well as any appropriate recommendations. It is also required to report these findings and recommendations (where any are made) to the complainant :
| 35. (1) If, on investigating a complaint under this Act in respect of personal information, the Privacy Commissioner finds that the complaint is well-founded, the Commissioner shall provide the head of the government institution that has control of the personal information with a report containing (a) the findings of the investigation and any recommendations that the Commissioner considers appropriate; and (b) where appropriate, a request that, within a time specified therein, notice be given to the Commissioner of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken. (2) The Privacy Commissioner shall, after investigating a complaint under this Act, report to the complainant the results of the investigation, but where a notice has been requested under paragraph (1)(b) no report shall be made under this subsection until the expiration of the time within which the notice is to be given to the Commissioner. |
|
35. (1) Dans les cas où il conclut au bien-fondé d'une plainte portant sur des renseignements personnels, le Commissaire à la protection de la vie privée adresse au responsable de l'institution fédérale de qui relèvent les renseignements personnels un rapport où :
a) il présente les conclusions de son enquête ainsi que les recommandations qu'il juge indiquées; b) il demande, s'il le juge à propos, au responsable de lui donner avis, dans un délai déterminé, soit des mesures prises ou envisagées pour la mise en oeuvre de ses recommandations, soit des motifs invoqués pour ne pas y donner suite.
(2) Le Commissaire à la protection de la vie privée rend compte au plaignant des conclusions de son enquête; toutefois, dans les cas prévus à l'alinéa (1)b), le Commissaire à la protection de la vie privée ne peut faire son compte rendu qu'après l'expiration du délai imparti au responsable de l'institution fédérale.
|
|
|
|
|
[18] Section 41 of the Privacy Act outlines the circumstances in which a decision may be referred for judicial review before the Federal court. This is largely confined to reviews of decisions where access to personal information has been refused. Section 41 reads as follows:
| Any individual who has been refused access to personal information requested under subsection 12(1) may, if a complaint has been made to the Privacy Commissioner in respect of the refusal, apply to the Court for a review of the matter within forty-five days after the time the results of an investigation of the complaint by the Privacy Commissioner are reported to the complainant under subsection 35(2) or within such further time as the Court may, either before or after the expiration of those forty-five days, fix or allow. [My emphasis.] |
|
L'individu qui s'est vu refuser communication de renseignements personnels demandés en vertu du paragraphe 12(1) et qui a déposé ou fait déposer une plainte à ce sujet devant le Commissaire à la protection de la vie privée peut, dans un délai de quarante-cinq jours suivant le compte rendu du Commissaire prévu au paragraphe 35(2), exercer un recours en révision de la décision de refus devant la Cour. La Cour peut, avant ou après l'expiration du délai, le proroger ou en autoriser la prorogation. [Mes soulignés.] |
|
|
|
|
Under a strict reading of the Privacy Act, then, the Federal Court does not even seem to have the jurisdiction to review a decision such as the present one, where personal information has not been withheld, but instead disclosed without authorization. However, s. 18.1 of the Federal Courts Act, R.S.C. 1985, C. F-7, grants the Federal Court a broader jurisdiction to hear reviews of federal board, commission or many other administrative tribunal decisions. Its powers under such a judicial review, however, are not absolute :
| 18.1 (3) On an application for judicial review, the Federal Court may (a) order a federal board, commission or other tribunal to do any act or thing it has unlawfully failed or refused to do or has unreasonably delayed in doing; or (b) declare invalid or unlawful, or quash, set aside or set aside and refer back for determination in accordance with such directions as it considers to be appropriate, prohibit or restrain, a decision, order, act or proceeding of a federal board, commission or other tribunal. (4) The Federal Court may grant relief under subsection (3) if it is satisfied that the federal board, commission or other tribunal (a) acted without jurisdiction, acted beyond its jurisdiction or refused to exercise its jurisdiction; (b) failed to observe a principle of natural justice, procedural fairness or other procedure that it was required by law to observe; (c) erred in law in making a decision or an order, whether or not the error appears on the face of the record; (d) based its decision or order on an erroneous finding of fact that it made in a perverse or capricious manner or without regard for the material before it; (e) acted, or failed to act, by reason of fraud or perjured evidence; or (f) acted in any other way that was contrary to law. |
|
18.1 (3) Sur présentation d'une demande de contrôle judiciaire, la Cour fédérale peut : a) ordonner à l'office fédéral en cause d'accomplir tout acte qu'il a illégalement omis ou refusé d'accomplir ou dont il a retardé l'exécution de manière déraisonnable; b) déclarer nul ou illégal, ou annuler, ou infirmer et renvoyer pour jugement conformément aux instructions qu'elle estime appropriées, ou prohiber ou encore restreindre toute décision, ordonnance, procédure ou tout autre acte de l'office fédéral. (4) Les mesures prévues au paragraphe (3) sont prises si la Cour fédérale est convaincue que l'office fédéral, selon le cas : a) a agi sans compétence, outrepassé celle-ci ou refusé de l'exercer; b) n'a pas observé un principe de justice naturelle ou d'équité procédurale ou toute autre procédure qu'il était légalement tenu de respecter; c) a rendu une décision ou une ordonnance entachée d'une erreur de droit, que celle-ci soit manifeste ou non au vu du dossier; d) a rendu une décision ou une ordonnance fondée sur une conclusion de fait erronée, tirée de façon abusive ou arbitraire ou sans tenir compte des éléments dont il dispose; e) a agi ou omis d'agir en raison d'une fraude ou de faux témoignages; f) a agi de toute autre façon contraire à la loi.
|
|
|
|
|
[19] The powers of the Federal Court to remedy a situation, then, are more or less limited to the powers conferred on the initial deciding body. As we have already seen, the Privacy Commissioner has very limited powers to remedy breaches of privacy under the Act. While it is able to investigate many different types of complaints regarding breaches of privacy and the collection, use and disclosure of personal information by government bodies under the Privacy Act, its "remedial powers", as such, are restricted to making findings and recommendations which are non-binding on the subject organization. As the Respondent aptly states, the Privacy Commissioner has no authority, implicit or otherwise, to act as an adjudicator by making binding determinations on the parties to a complaint, nor does the Privacy Act allow the Privacy Commissioner to award any such remedial relief.
[20] The Privacy Commissioner has the right to ask for the disclosure of personal information under certain circumstances where a breach of access is claimed under s. 12 of the Privacy Act. However, as mentioned above, the only "remedy" it may accord in relation to these breaches is statutorily limited to the making of non-binding findings and recommendations. This power is found in s. 35 of the Privacy Act. The only other section of the Act to grant any form of remedy for non-compliance with the Act is s. 37, where the Privacy Commissioner determines a government institution is in violation of certain of its on-going commitments regarding the collection, use and disclosure of personal information. Again, however, this is restricted to the issuance of non-binding findings and recommendations. No wider scope of remedies is available to the Privacy Commissioner.
[21] It is trite law that the jurisdiction of a statutory body (such as the Privacy Commissioner) is limited to what the legislator decided it should be. A proper reading of the Act and especially s. 35 make it clear that the legislator wanted the Privacy Commissioner to be limited to a power of recommendation and no more. The term "recommendation" should be given its ordinary meaning. The Supreme Court of Canada has made it clear that where nothing in an Act suggests that the power of recommendation includes anything further than what we normally consider "recommendations" to be - that is, the offering of advice that is not binding - then the Court should take this power no further : Thomson v. Canada (Deputy Minister of Agriculture), [1992] 1 S.C.R. 385 at paras. 24-25. I believe this is the case here. Furthermore, general principles of statutory interpretation suggest that a Court should not add powers to the jurisdiction of a statutory body when the legislative provisions creating this body are clear and not subject to interpretation : see R. Sullivan, Sullivan and Dreidger on the Construction of Statutes (Markham (Ont.) : Butterworths, 2002) at p. 19 et seq. ("Sullivan").
[22] Nor is the Federal Court able to award any further remedies in a case such as the one at bar. As noted above, the Federal Court's jurisdiction to review decisions of the Privacy Commissioner is found in s. 41 of the Privacy Act for those cases where access to personal information requested under s. 12 has been refused) and s. 18.1(3) of the Federal Courts Act. In addition to this, the power of the Federal Court to grant a remedy in such a situation is largely restricted to those which the Privacy Commissioner itself could order; i.e., the ordered disclosure of non-disclosed documents (see ss. 48-50 of the Privacy Act and 18.1(4) of the Federal Courts Act). Here, no such information has remained undisclosed, and so this remedy would not be appropriate.
[23] Relying on The Queen in Right of Canada v. The Queen in Right of the Province of Prince Edward Island, [1998] 1 F.C. 533 (F.C.A.) at paragraph 37, the Applicant argues that where there is a statutory right (such as privacy as per ss. 7 and 8 of the Privacy Act), yet no sanction is provided for the breach of this right, there is, prima facie, an implied right to be compensated for any breach. In this case, it is true that Chief Justice Jackett, for the majority, in interpreting one of the statutory terms upon which Prince Edward Island was admitted into Confederation, s. 146 of the British North America Act, 1867, 30 & 31 Victoria, c. 3 (U.K.), came to the following conclusion :
[36] In my view, the result of conferring such statutory rights on the provinces in question, in the absence of any other sanction, was to confer a right on them to be compensated in respect of damages arising from breach thereof (the breach being an interruption of the ferry service between the Island and the Mainland, a service of the Government of Canada) ...
[37] In my view, when there is a statutory right to have something done with no express sanction for breach, there is, prima facie, an implied right to be compensated for a breach of such a right; ...
In order to come to this conclusion, Chief Justice Jackett reviewed the statute in question and gave it the interpretation that he saw fit under the circumstances.
[24] The same approach has to be followed in the present case. A reading of the Privacy Act makes it clear that the legislator intended for the Privacy Commissioner to be an ombudsperson, not an adjudicative body. The process by which the Privacy Commissioner conducts its investigations is indicative of this conclusion : the investigation is to be conducted in private (s. 33(1)); an opportunity to be heard is given to the parties, and no person has the right to be present, or to have access to or comment on the representations made by another person (see s. 33(2)); the power to conduct investigations are such that they are not comparable to an adjudicative body (see s. 34); and the Privacy Commissioner's tool of remedy is solely that of making findings on the complaint, as well as recommendations (see s. 35(1)).
[25] The Applicant argues that the purpose of the Privacy Act is helpful in reading the Act as including an implicit remedy of compensation. Section 2 reads as follows :
| The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information. |
|
La présente loi a pour objet de compléter la législation canadienne en matière de protection des renseignements personnels relevant des institutions fédérales et de droit d'accès des individus aux renseignements personnels qui les concernent. |
|
|
|
|
The Applicant interprets "is to extend" or "a pour objet de compléter" (in the French version) as recognizing the implicit remedy of compensation given to the Privacy Commissioner when interpreting s. 35 of the Act.
[26] I disagree. The Purpose section of an Act is there to help in interpreting sections of an Act : see Sullivan, supra, at p. 210. It should not be used, as the Applicant is attempting to do here, to justify the creation of a remedy. A reading of the Privacy Act, and specifically s. 35, makes it clear that the legislator wanted the powers of remedy of the Privacy Commissioner to be limited to findings made with regard to a specific complaint and, if necessary, recommendations. To read in the existence of a remedy of compensation would be going against what has been clearly written, contrary to the end-solution prepared and specified by the legislator. Making recommendations and granting damages are two totally different functions. The act of making recommendations is one closely associated with ombudspersons, while granting damages is more in the realm of an adjudicative body's powers. The legislator clearly wanted the Privacy Commissioner to assume and perform duties belonging to an ombudsperson, not an adjudicative body. I have read the 1987 report of the Standing Committee on Justice and Solicitor General, on the review of the Access to Information Act and the Privacy Act, called "Open and Shut" : Enhancing the Right to Know and the Right to Privacy (the "Report"). At pages 50 and 51 of the Report, it is noted that no civil remedies are provided for in the Privacy Act and recommended that such remedies be inserted. As of today, no such amendments have been made. This is not to imply that civil remedies for breach of privacy can never exist, but that, under the Act as it is currently structured, no such remedies are available.
[27] The only possible "remedy" available from the Privacy Commissioner is that outlined in ss. 35(1) and (2); i.e., that both the head of the institution involved and the complainant be provided with a report outlining the findings of the Privacy Commissioner's investigation and any recommendations, if appropriate, as well as that (again, if appropriate) notice be given to the Privacy Commissioner of any action taken or proposed in order to implement any recommendations contained in this report or reasons why no such action has been or is proposed to be taken. In the present case, this was done : both the RCMP and Mr. Murdoch were advised that the RCMP's actions violated the Privacy Act. No recommendations were made; therefore, the RCMP did not have to respond in kind. The Privacy Commissioner committed no error in not acting further on Mr. Murdoch's complaint.
[28] Having said that, I note that the Privacy Commissioner does have the ability to comment on the situation in an annual or special report to Parliament. The Privacy Commissioner has sole discretion to decide whether such an action would be appropriate. I also note the availability of other remedies to the Applicant. To this end, it is important to mention that s. 74 of the Privacy Act only prohibits civil or criminal actions against a government institution for the wrongful disclosure of personal information where this disclosure is done in good faith. Therefore, if Mr. Murdoch can show bad faith on the part of the RCMP, it is possible he may have an action against them under the common law. In fact, the Court has been informed that the Applicant has filed a Statement of Claim with the Queen's Bench of Alberta against certain members of the RCMP, including the Officer who forwarded the RCMP file to his employer, the Edmonton Police Service.
CONCLUSION
[29] While it is understandable that Mr. Murdoch seeks a wider, larger remedy, ultimately in the form of a monetary penalty, there is no jurisdiction by which either the Privacy Commissioner or the Federal Court upon review may award such a remedy. Mr. Murdoch believes he has suffered "considerable embarrassment, humiliation and emotional distress" from the R.C.M.P.'s unauthorized disclosure (see his Notice of Application). This indeed may be the case, and there may be other avenues open to Mr. Murdoch in which he may pursue further redress; in the circumstances, however, the Privacy Commissioner has fulfilled its obligations under the Privacy Act, and no further reward may be obtained in this Court by the Applicant for the breach of his privacy.
COSTS
[30] At the hearing, the subject of costs was raised, and it was both the Intervenor's and the Respondent's position that costs were not being sought.
ORDER
THIS COURT ORDERS THAT :
- The Respondent the Privacy Commissioner of Canada be removed as a party Respondent;
- The Privacy Commissioner of Canada be granted leave to intervene in this Application with all of the rights normally associated with party status; and,
- This application for judicial review be denied without costs.
"Simon Noël" Judge
FEDERAL COURT
NAME OF COUNSEL AND SOLICITORS OF RECORD
STYLE OF CAUSE: BRIAN MURDOCH v. THE ROYAL
CANADIAN MOUNTED POLICE AND THE
PRIVACY COMMISSIONER
PLACE OF HEARING: Edmonton, Alberta
DATE OF HEARING: March 15 2005
REASONS FOR ORDER: Mr. Justice Simon Noël
APPEARANCES:
Barry Benkendorf
(Royal Canadian Mounted
Police)
Steven Welchner
Patricia Kosseim FOR RESPONDENT
(Privacy Commissioner
Of Canada)
SOLICITORS OF RECORD:
G. Brent Gawne Barrister & Solicitor FOR APPLICANT
Edmonton, Alberta
Zalapski & Pahl FOR RESPONDENT
Leduc, Alberta (Royal Canadian Mounted
Police)
Welchner Law Office
Ottawa, Ontario
Office of the Privacy Commissioner of Canada
Ottawa, Ontario FOR RESPONDENT
(Privacy Commissioner
Of Canada)