report

Privacy class action: data breaches Privacy class action: data breaches

June 18, 2025 9 MIN READ
Download PDF
Osler Privacy Jurisprudence Review – Privacy class action: data breaches

Home Insights Reports Osler Privacy Jurisprudence Review – Fourth Edition – Summer 2025

Authors
Kristian Brabander

Partner, Disputes, Montréal

Robert Carson

Partner, Disputes, Toronto

Tommy Gelbman

Partner, Disputes, Calgary

Jessica Harding

Partner, Disputes, Montréal

Craig Lockwood

Partner, Disputes, Toronto

Julien Morissette

Partner, Disputes | Insolvency and Restructuring, Montréal

Authors
Kristian Brabander

Partner, Disputes, Montréal

Robert Carson

Partner, Disputes, Toronto

Tommy Gelbman

Partner, Disputes, Calgary

Jessica Harding

Partner, Disputes, Montréal

Craig Lockwood

Partner, Disputes, Toronto

Julien Morissette

Partner, Disputes | Insolvency and Restructuring, Montréal

Authors:
Kristian Brabander, Robert Carson, Tommy Gelbman, Jessica Harding, Craig Lockwood, Julien Morissette

Table of Contents

Privacy Jurisprudence Review

Read the full edition

Royer c. Capital One Bank (Canada Branch) et al., 2025 QCCA 217

Read the case details

Facts

A security breach allowed a former employee to illegally access the confidential credit card application data of approximately 100 million Americans and 6 million Canadians collected over a 14-year period by the respondents Capital One Bank et al. (Capital One) and hosted on servers of the respondents Amazon Web Services Inc. et al. (Amazon). When informed of the security breach, the appellant, Michael Royer (Royer), sought the authorization to institute a class action.

The authorization (first instance) judge concluded that there was sufficient evidence of contractual fault on the part of Capital One, notably for failing to adequately protect personal information, for unreasonable delay in discovering the leak and informing its customers, and for keeping the data of certain individuals for an unreasonable length of time, particularly those whose credit card applications had been refused.

The authorization judge also concluded that there was sufficient evidence of civil liability on the part of Amazon, notably on the basis of sections 3 and 10 of the Act respecting the protection of personal information in the private sector, C.Q.L.R. c. P-39.1.

The authorization judge noted the absence of any allegations of identity theft and dismissed most of the proposed damages claims relating to value of the leaked data and to harm caused by the delay in notifying class members. However, he held that the credit monitoring required as a result of the breach constitutes a compensable harm and the sufficiency of such credit monitoring already offered by Capital One (2 years) was a question for the trial judge. The judge also held that there were sufficient allegations to allow a claim for punitive damages to proceed as against Capital One, but not as against Amazon.

All parties appealed. Royer criticized the authorization judge for having excluded other damages claims from the class action (the Principal Appeal). Capital One and Amazon argued that the authorization judge should not have allowed claims for damages that the class representative himself did not incur (the Incidental Appeal). Capital one also challenged the authorization of the claim for punitive damages.

Decision

The Québec Court of Appeal allowed the Principal Appeal and dismissed the Incidental Appeal.

The Court held that the class representative’s personal case does not need to be a typical example of that of all or a majority of the class members, but must rather demonstrate that they have suffered at least one head of damages. The authorization must not be limited and may cover damages potentially suffered by at least one member of the class.

Moreover, the Court stated that harms suffered by class members as a result of the breach are not necessarily all identical. Some members of the class may have paid credit monitoring costs, while others may have taken other steps and incurred other costs for the same purpose.

Finally, the Court held that it is not necessary to determine, at the authorization stage, the existence of compensable non-pecuniary losses. As long as there are allegations that sufficiently establish the possibility of wrongful infringement leading to compensable consequences, it is up to the trial judge to decide these. The Court therefore authorized the class action for all heads of compensatory damages.

As for punitive damages, the Court held that there were no grounds for review in appeal.

Key takeaway

This decision reinforces the relatively low bar for authorizing class actions in Québec, particularly in cases involving privacy breaches. While the class representative may not have suffered all heads of damages, the class action may include other damages potentially suffered by at least one class member. Although different class members may have experienced different types of losses, these variations do not preclude the authorization of a class action.

This decision also highlights the reality that the threat of financial harm following certain types of data breach can sometimes be sufficient to ground a class action in Québec, even where some form of credit monitoring is offered by the defendant.

InvestorCOM Inc. v. L’Anton, 2025 BCCA 40

Read the case details

Facts

This action relates to an alleged data breach involving data stored on servers operated by InvestorCOM Inc. A proposed class action was filed in British Columbia. A parallel proposed class action had already been commenced in Ontario by different plaintiffs and counsel, seeking certification of a national class action in respect of the same subject matter. The Ontario action was proceeding to a certification hearing.

InvestorCOM and Mackenzie Financial Corporation applied to dismiss the B.C. action for abuse of process, arguing that the existence of the Ontario action rendered the B.C. proceeding duplicative and unnecessary. The chambers judge dismissed the application. InvestorCOM and Mackenzie appealed.

Decision

The Court of Appeal dismissed the appeals, holding that the mere existence of similar or parallel class actions in different provinces does not, without more, amount to an abuse of process. However, that does not mean that the B.C. action will be allowed to proceed. The Court of Appeal emphasized that duplication concerns are properly addressed at the certification stage under paragraph 4.1(1)(b) of the B.C. Class Proceedings Act, with the benefit of a complete certification record. That provision allows the court to refuse certification if it is preferable for the proceeding to be conducted in another jurisdiction.

The Court distinguished this case from situations where a placeholder action is commenced solely as a procedural tactic. The Court also recognized that differences in provincial law, the costs regime, and the plaintiff’s residence provided reasons for pursuing the action in B.C.

Key takeaway

It is common for class actions to be started in multiple provinces after a data breach. In B.C., the courts appear to prefer to address the overlap as part of the certification motion. This will typically increase the time and cost required to address the overlap.

Hvitved v. Home Depot of Canada Inc., 2025 BCSC 18

Read the case details

Facts

In his application to certify a proposed class proceeding, the plaintiff alleged that Home Depot violated the privacy rights of customers by collecting their email addresses and purchase information — provided for the purpose of receiving electronic receipts — and disclosing this information to Meta Platforms.

The plaintiff advanced claims under provincial privacy statutes (British Columbia, Saskatchewan, Newfoundland and Labrador, and Manitoba), as well as claims for intrusion upon seclusion, breach of contract, and unjust enrichment. Home Depot opposed certification, arguing that the claims lacked merit and that a class proceeding was not appropriate.

Decision

The Court certified the class action solely in respect of the statutory claims, and struck the claims for intrusion upon seclusion, breach of contract, and unjust enrichment.

Key findings included:

  • Breach of privacy legislation: The plaintiff’s statutory claim was sufficiently pleaded to establish a cause of action for certification purposes. The Court rejected Home Depot’s argument that there was no reasonable expectation of privacy in the data shared, relying on Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331 to emphasize that privacy must be assessed contextually and not on a piecemeal basis.
  • Intrusion upon seclusion: The Court held that the pleadings did not meet the higher threshold required for the common law tort of intrusion upon seclusion, as the information shared was less sensitive than that considered in analogous Ontario cases and did not amount to a highly offensive intrusion. In applying the Ontario law, the Court determined that the tort of inclusion upon seclusion has not been made out on the pleadings. The Court declined to adjudicate the question of whether the tort is available in British Columbia.
  • Breach of contract and unjust enrichment: The Court found the pleadings to be deficient, noting the absence of material facts regarding the existence of express contractual terms, and insufficient allegations to support a claim for unjust enrichment, particularly regarding lost opportunity to sell personal information.

Key takeaway

This decision imposed discipline on the plaintiff’s counsel to focus and properly plead causes of action relating to alleged privacy violations, with an apparent preference for statutory claims, which appear more likely to survive certification applications. The Court signalled — but did not determine — doubt as to whether the tort of intrusion upon seclusion is available in British Columbia, continuing the B.C. courts’ years-long reluctance to adjudicate the issue. Finally, unlike many other B.C. decisions, the Court did not permit the plaintiff to amend the pleadings that were struck, again, imposing discipline on how class proceedings are framed.

Shriqui v. Blackbaud Canada Inc., et al., 2024 ONSC 6957

Read the case details

Facts

The plaintiff sought certification of a class proceeding following a ransomware attack that compromised personal data from various organizations and individuals utilizing the defendants’ services. The attack occurred between February and May 2020, during which data was extracted from Blackbaud, prompting them to pay a ransom. Despite the breach, neither the plaintiff nor any other affected individuals reported any negative consequences from the incident. The class proposed in the action included Canadian residents whose personal information was accessed during the breach.

Decision

The Court found that the action met the criteria for certification under the Class Proceedings Act, 1992, including the existence of a common issue regarding the defendants’ duty of care. However, the Court found that the likelihood of success in litigation was low as no harm had been demonstrated. The parties reached a settlement of $340,000 which was to be distributed on a cy-près basis to two educational institutions focused on internet policy and data security. The Court certified the action for settlement and approved a limited notification plan given the impracticality of identifying class members.

Key takeaway

When a plaintiff cannot demonstrate genuine harm originating from the acts of the defendant, the likelihood of ultimate success on the merits may be low. Cy-près settlements may be advisable for data breach cases in which identifying class members is impracticable.

Donegani v. Facebook, Inc., 2024 ONSC 7153

Read the case details

Facts

The plaintiffs alleged that Facebook had misused their data by making it available to certain third-party applications. The plaintiffs sought certification of a national class proceeding, alleging, among other things, intrusion upon seclusion and breach of provincial privacy statutes.

Decision

Justice Akbarali made a variety of findings in respect of the cause of action and common issues criteria of the certification test, but did not ultimately decide the certification motion. The findings included, among others:

  • Ontario courts do not have jurisdiction to hear and decide claims under the privacy statutes of B.C., Manitoba and Newfoundland and Labrador.
  • The proposed common issues relating to intrusion upon seclusion were not capable of certification in these circumstances.
  • Certain of the proposed common issues relating to the contracts between Facebook and its users, and consent, were capable of certification. However, none of the proposed common issues relating to damages could be certified.

Justice Akbarali did not decide the preferable procedure criterion. She ordered the plaintiffs to propose a new class definition and litigation plan, following which the parties will return for further argument.

Key takeaway

The certification motion remains to be decided.

SUBSCRIBE

Stay Informed

Subscribe to Osler Insights to stay informed on issues impacting your business

Subscribe

Osler is a leading business law firm practising internationally from offices across Canada and in New York. Our clients include industry and business leaders in all segments of the market and at various stages in the growth of their businesses. We have built our reputation on our commitment to our clients' success and the experience, expertise and collaborative approach for which we are recognized. We believe that our success is a reflection of our clients' success.