HomeOur Blog › Blog Input

Cyber and Privacy

If I Suspect a Tree Fell in the Forest, Did it Fall?

 Aug 13, 2018 2:00 PM
by Stas Bodrov

In Miglialo v. Royal Bank of Canada, the Federal Court considered an application where Ms. Miglialo claimed damages between $100,000 to $250,000 based on allegations that RBC, or its staff, accessed and disclosed her personal and financial information without her authorization. The Federal Court found that there was no unauthorized disclosure of Ms. Miglialo’s personal or financial information. She was not entitled to any damages as a result.

In light of the ever-increasing risk of personal information disclosure, it is worthwhile to explore Ms. Miglialo’s claim and the application of the sometimes-complicated Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA Dispute Resolution Procedure

In basic terms, PIPEDA was designed to protect individuals’ personal information when it is collected by a business. In a sense, the legislators sought to protect people’s personal data when it left their control. It does so by holding businesses accountable when they fail to adequately monitor and control the collection, use, and distribution of consumer data.

When organizations breach their statutory obligations, an individual can file a complaint with the Privacy Commissioner of Canada. The Commissioner conducts an investigation and renders a report. The Commissioner has the power to issue recommendations and attempt to settle the dispute between the parties.

Once the report is issued, an individual may apply to the Court for a hearing in respect of any matter in the report. This is exactly what Ms. Miglialo did.

The Court has three remedies available. The Court may 1) order that an organization correct its practices; 2) order that an organization publish a notice of its intention to correct its practices; or 3) award damages to the complainant. Damages may include compensation for any humiliation that the complainant suffered as a result of the organization’s failure to comply with their obligations.

Ms. Miglialo's Claim?

In this case, Ms. Miglialo lived in Calgary and did her banking with RBC. Ms. Miglialo alleged that her brother’s girlfriend, who worked at an RBC branch in Montreal, accessed her account which contained the names of her beneficiaries. According to Ms. Miglialo, this information was disclosed to her mother at some point between 2011 and 2012. Based on a lengthy investigation, the Commissioner concluded that this suspicion was based on – dramatic pause – “increasingly uncomfortable” conversations between Ms. Miglialo and her mother. These conversations occurred in 2012 and consisted of Ms. Miglialo’s mother questioning her financial plans in the event of her death. There was no specific discussion with her mother about her RBC account.

Although the court found that Ms. Maglialo’s brother’s girlfriend did access her account on one occasion, this access occurred around February 24, 2013, which was after the dates that Ms. Miglialo alleged the disclosure occurred. The “suspected” disclosure was not based on any evidence present before the Court.

The Court concluded that there was no malice on the part of RBC and there was no evidence of hardship (including humiliation) on the part of Ms. Miglialo. The court noted that PIPEDA aims to compensate, deter, and vindicate. However, one unauthorized access is unlikely to result in a need to deter. More importantly, Ms. Maglialo did not tender any evidence that she suffered any damages because of the breach, which left the court handcuffed and unable to order an award.


PIPEDA is legislation that protects individual’s information from unauthorized collection, use, and distribution. The Act also prescribes a dispute resolution system that must be engaged to receive compensation when an organization behaves contrary to the principles enunciated in PIPEDA. In Miglialo, the court reminds individuals that a single infraction may not be enough to award damages. The burden of proof remains with the complainant to prove not only that a violation occurred, but that they also suffered damages as a result of the breach. Suspicion is not enough.

See Miglialo v. Royal Bank of Canada 2018 FC 525.

Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims. Read more...



Top of page