First merits decision dismissing privacy class action in Canada

In an ever growing landscape of data theft and privacy breaches, the Superior Court of Québec recently dismissed a privacy class action on the merits and, in so doing, clarified the circumstances that can give rise to a damages award in such cases. In Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2021 QCCS 1093, the Court sets out the guiding principles for an appropriate corporate response to the loss of personal information under Québec law. This is the first privacy class action in Canada to be determined and dismissed on the merits.

The data incident

Following the loss by an employee of the Investment Industry Regulatory Organization of Canada (IIROC) of a laptop computer containing personal information relating to individuals collected from securities brokers, two class actions were commenced:

• Paul Sofio proposed a class action that was not authorized. The Court held there was no arguable case with respect to Sofio’s right to compensation and refused to authorize the class action. The Québec Court of Appeal confirmed the decision.
• Danny Lamoureux subsequently proposed a class action that was authorized as, contrary to Sofio, Lamoureux alleged the illicit use of his personal information.

Identity theft is not required

In line with a series of recent cases relating to the loss or theft of personal information, the Superior Court in Lamoureux held that although it is not necessary for class members to have fallen victim to identity theft, injury beyond general inconveniences must be proven. Relying on the Supreme Court’s findings in Mustapha v. Culligan, the Court reiterated that normal inconveniences that anyone living in society encounters and should be obliged to accept do not constitute compensable damages. Given the lack of any documentary or medical evidence proving the extent of the damages, the Court categorized the fears, stress and worries experienced by class members, as well as delays in obtaining additional credit, as such acceptable inconveniences.

Causality not proven

Uncontradicted expert evidence was tendered by IIROC showing the absence of any connection between the loss of the computer and any illicit use of Lamoureux’s personal information. The Court concluded that Lamoureux failed to prove that the personal information contained in the lost computer had been used unlawfully. Without the evidence of wrongful use of the personal information, the Court concluded a lack of connection and an absence of causality required to trigger IIROC’s civil liability.

Diligent corporate response bars punitive damages

Based on extensive evidence, including expert evidence, the Court held that IIROC was diligent in its timely response to its employee losing his laptop, complying with standards expected in similar circumstances. There was no evidence adduced of any intentional fault by IIROC. As such, punitive damages were found to be unwarranted.

Takeaways

Lamoureux provides helpful direction in cases of loss or theft of personal information: actual damages must be established beyond mere inconvenience. Lamoureux also provides guidance to Québec corporations and an example of a satisfactory response to a data loss or incident. In its assessment, the Court considered, amongst numerous considerations, the following steps taken by IIROC: conducting internal investigations, promptly mandating a forensic analysis firm to identify the lost information, providing credit monitoring services free of charge, notifying privacy commissions, class members and stakeholders in a timely manner. Where a diligent response is proven following a data breach or incident, punitive damages are unwarranted.

The Lamoureux Court’s focus on the absence of compensable harm aligns with recent authority from the common law provinces in the certification context, and may inform the decisions of Courts in those provinces going forward.

For example, in its recent decision in Stewart v. Demme – a case centred on allegations that a nurse improperly accessed individual health records of a hospital’s patients in order to steal prescription drugs – the Ontario Superior Court declined to certify the plaintiff’s claim in negligence. The Court held that, unlike a claim in intrusion upon seclusion (a privacy tort recognized in Ontario since the decision in Jones v. Tsige) which allows for “symbolic” damages, a claim in negligence requires that “actual harm be manifest and caused by the wrong”. The Court relied on Mustapha v. Culligan in finding that the alleged invasion of privacy itself was not the type of harm compensable under the law of negligence.

In Setoguchi v. Uber B.V., the Alberta Court of Queen’s Bench adopted the reasoning from Stewart in refusing to certify a negligence claim in a proposed class action relating to an alleged data breach involving information collected by Uber. The Court not only refused to certify the claim in negligence, but denied certification of the entire action because it found there to be no evidence of any actual harm or loss to members of the proposed class. In reaching its decision, the Court took consideration of various Québec authorities, including citing the Superior Court of Québec’s decision in Bourbonnière v. Yahoo! Inc. for the proposition that there is a clear distinction between minor, transient upset and compensable injury.