Table of Contents
- Tucci v. Peoples Trust Company, 2025 BCSC 816
- Harguindeguy c. Suncor Énergie inc. (Petro-Canada), 2025 QCCS 3072
Privacy Jurisprudence Review
Tucci v. Peoples Trust Company, 2025 BCSC 816
Facts
This class action, certified in August 2017, arose from allegations that Peoples Trust Company (Peoples Trust) failed to implement adequate safeguards to protect sensitive customer information collected through its online application portal.
On this application, the plaintiff, Mr. Gianluca Tucci, applied to amend the certification order to add a new common issue: whether the members of the class in British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador were entitled to damages for breach of the privacy statutes of those respective provinces.
Mr. Tucci relied on the Court of Appeal decisions, G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252 (G.D.), and Campbell v. Capital One Financial Corporation, 2024 BCCA 253 (Campbell), which held that intentional or reckless cybersecurity practices that facilitate a threat actor gaining access to a database could sustain a breach of privacy claim against a data custodian under the Privacy Act, R.S.B.C. 1996, c. 373 (the B.C. Privacy Act).
Mr. Tucci argued that the holdings in G.D. and Campbell should apply by extension to similar privacy statutes in other jurisdictions.
Peoples Trust opposed the application on several grounds, including: the application was an abuse of process; there were no facts pleaded to support the claim; the limitation period had expired; Mr. Tucci had not amended the pleadings; the claim was foreclosed by a limitation of liability clause; there were too many individual issues; and the claim required interpretation of extra-provincial statutes.
Decision
The Court granted the plaintiff’s application, amending the certification order to include the common issue of entitlement to damages without individual proof under provincial privacy statutes and creating a subclass for class members resident in the other class jurisdictions.
The Court found no abuse of process, holding that the decisions in G.D. and Campbell clarified the scope of liability under the B.C. Privacy Act for data custodians that are victims of cyberattacks by threat actors. The Court was satisfied that the pleadings, which had alleged that Peoples Trust was wilfully reckless in its handling of class members’ personal information, were sufficient to ground a claim under the B.C. Privacy Act and the analogous privacy statutes in the other jurisdictions.
On the limitation period argument, the Court held that since the original pleadings established the facts for the statutory tort, the claim had been tolled. The Court rejected the forum non conveniens and lack of commonality arguments, noting that the earlier certification decision had allowed a Canada-wide class proceeding and that Campbell held British Columbia has jurisdiction to adjudicate all the statutory torts.
Key takeaways
The Supreme Court affirmed that jurisprudential developments that occur in the course of ongoing class proceedings can serve to broaden the scope of the proceeding, in this case, even post-certification. The decision leaves open the possibility that the timing of such an application might be precluded if there is prejudice to the defendants, but the threshold to amend a certification order remains low in B.C.
Harguindeguy c. Suncor Énergie inc. (Petro-Canada), 2025 QCCS 3072
Facts
The plaintiff, Esteben Harguindeguy (Harguindeguy), a participant in Petro-Canada’s loyalty program known as “Petro-Points” (the program), sought authorization to institute a class action on behalf of all individuals residing in Québec whose personal information, held by the defendants Suncor Énergie Inc. and Produits Suncor Énergie, S.E.N.C. (collectively, Petro-Canada), was compromised during a data breach that occurred on or around June 21, 2023.
This incident involved an unauthorized third party gaining access to Petro-Canada’s IT systems and extracting account holders’ personal information, including names, email addresses, phone numbers, dates of birth, and in certain cases, credit card or banking information. Petro-Canada publicly disclosed the incident on June 24, 2023, and provided further details on July 6, 2023, describing the exposed information as “basic contact information”.
Harguindeguy alleged that Petro-Canada failed to adequately protect the personal information of program members, acted negligently in securing its IT systems and delayed notifying affected individuals about the breach. He also claimed that Petro-Canada failed to offer credit monitoring services and minimized the seriousness of the incident.
Harguindeguy’s claims were based on several grounds, including contractual liability under the Civil Code of Québec, C.Q.L.R., c. CCQ-1991 (the CCQ), alleged violations of the Act respecting the protection of personal information in the private sector, C.Q.L.R., c. P-39.1 (the Québec Private Sector Act), false or misleading representations under the Québec Consumer Protection Act, C.Q.L.R., c. P-40.1 (the Québec CPA), and unlawful interference with the right to privacy under section 5 of the Québec Charter of Human Rights and Freedoms, C.Q.L.R., c. C-12 (the Québec Charter). In addition to compensatory damages, Harguindeguy sought an injunctive order compelling Petro-Canada to provide permanent credit monitoring and fraud protection services to class members.
Decision
The Superior Court of Québec authorized the class action for all damages-related claims but denied the injunctive relief sought.
On contractual liability, the Court concluded that allegations of negligence in protecting personal information, combined with unauthorized third-party acquisition of data, appeared sufficient even without specific allegations regarding the acts or omissions that enabled the data breach.
The Court also held that claims of false or misleading representations under section 219 of the Québec CPA appeared sufficient, noting that Petro-Canada’s communications appeared to downplay the severity of the incident, and noting the existence of a non-functional telephone line.
On punitive damages, the Court found an appearance of right under section 49 of the Québec Charter, section 272 of the Québec CPA and section 93.1 of the Québec Private Sector Act.
However, the Court rejected Harguindeguy’s request for permanent injunctive relief, including ongoing credit and fraud monitoring services, as well as anti-tracking equipment for class members’ electronic devices linked to the compromised data. The Court concluded that insufficient allegations prevented Harguindeguy from meeting the burden of proof required under section 509 of the Code of Civil Procedure, C.Q.L.R., c. C-25.01 (CCP).
Key takeaways
This decision confirms that in privacy class actions arising from data breaches, vague allegations of negligence combined with evidence of compromised data can satisfy the authorization criteria.
The decision also highlights the importance of prompt responses to privacy incidents. Under the Québec CPA, claims of false or misleading representations may arise if businesses are perceived as minimizing the severity of a data breach, fail to disclose the full extent of compromised data, or fail to provide adequate support to affected individuals.
While this case has not yet been decided on the merits, this decision serves as a reminder for businesses of the importance of implementing strong data protection measures, establishing comprehensive incident response plans, and prioritizing transparent and timely communication with stakeholders following such incidents.