Authors
Partner, Disputes, Montréal
Partner, Disputes, Toronto
Partner, Disputes, Calgary
Partner, Disputes, Montréal
Partner, Disputes, Toronto
Partner, Disputes | Insolvency and Restructuring, Montréal
Table of Contents
- Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia, 2024 BCSC 2311
- Moon v. International Alliance of Theatrical Stage Employees (Local 891), 2024 BCSC 1560
- The Hospital for Sick Children v. Information and Privacy Commissioner of Ontario, 2025 ONSC 385
- Lamarche v. British Columbia (Securities Commission), 2025 BCCA 146
- Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131
Privacy Jurisprudence Review
Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia, 2024 BCSC 2311
Facts
This judicial review application concerned the application of British Columbia’s Personal Information Protection Act (PIPA) to Clearview AI Inc., a U.S.-based company providing facial recognition services. Clearview’s technology collects (“scrapes”) images of individuals from the internet, including those of British Columbians, and creates biometric identifiers for use by third-party clients, such as law enforcement agencies.
Following a joint investigation by Canadian privacy regulators, the Information and Privacy Commissioner for British Columbia (the Commissioner) found that Clearview had collected, used, and disclosed personal information of individuals in British Columbia without consent, in contravention of PIPA. The Commissioner issued an order prohibiting Clearview from offering its services in British Columbia, requiring it to cease collection, use, and disclosure of such information, and to make best efforts to delete personal information collected from individuals in the province without their consent.
Clearview sought judicial review, arguing that PIPA did not apply to its activities as a U.S.-based company, that the Commissioner’s interpretation of “publicly available” information and “reasonable purpose” was unreasonable, and that the order was unnecessary, unenforceable, or overbroad.
Decision
The Supreme Court of British Columbia dismissed the petition, upholding the Commissioner’s decision and order, making the following key findings:
- Jurisdiction and extraterritorial application of PIPA: Clearview’s collection of personal information from individuals in British Columbia and its provision of services to entities in the province established a sufficient connection for jurisdiction. The fact that Clearview had no physical presence (offices, employees, or servers) in British Columbia was not determinative, given the nature of internet-based data collection and the business model at issue.
- Interpretation of “publicly available” information: The Commissioner reasonably interpreted “publicly available” information under PIPA and its regulations as excluding information available on social media or general internet sources. The Commissioner’s conclusion that social media sites are not “publicly available” sources for the purposes of PIPA was supported by the statutory text, context, and purpose, as well as prior decisions and the sensitive nature of biometric information.
- Consent and reasonable purpose: The Court agreed that Clearview had not obtained the requisite consent for collection, use, or disclosure of personal information. The analysis considered (i) the sensitivity of the biometric data Clearview had scraped; (ii) the lack of connection between the purposes for which images were posted and Clearview’s use of them; and (iii) the risks of harm, including misidentification and data breaches.
- Necessity, enforceability, and breadth of the order: The Court found the order necessary, given Clearview’s refusal to commit to permanent withdrawal from the British Columbia market and its ongoing collection of personal information. Nor was the order overbroad, as PIPA regulates organizations’ activities in relation to personal information of individuals in British Columbia, regardless of residency status.
Key takeaway
Provincial privacy legislation can have extraterritorial reach in the context of internet-based data collection. Privacy regulators may issue binding orders against foreign entities whose activities have a real and substantial connection to the province. Organizations also cannot rely on the “publicly available” exception under the PIPA to justify scraping personal information from social media or the internet without consent. Exceptions to privacy protections will be interpreted narrowly, and that the risk of harm — including loss of control over personal information and potential for misidentification — will be central to the assessment of reasonable purpose under privacy statutes. This decision is under appeal.
Moon v. International Alliance of Theatrical Stage Employees (Local 891), 2024 BCSC 1560
Facts
Kelly Moon, a former Senior Steward of IATSE Local 891, filed a civil claim against the union and several individuals on its executive board, alleging damages due to the unauthorized distribution of a report detailing her credit card use, which contained disputed and serious allegations against her. The report’s release coincided with her re-election campaign in 2019, leading to significant reputational harm and her eventual electoral defeat. Moon claimed that the Executive Board, including Gary Mitch Davies, conspired to publish the report to undermine her candidacy, and she alleged breaches of various laws, including the BC Privacy Act and Personal Information Protection Act (PIPA), and negligence. The defendants sought to strike her claims, arguing that she failed to exhaust internal remedies and that her claims lacked a reasonable cause of action.
Decision
The defendants’ application to strike the claims was largely dismissed, except for the challenge to the Election Committee’s decision, which was administrative in nature. Most relevant was the Court’s analysis of the tort of public disclosure of private facts, a tort that has been recognized in Alberta and Ontario. On reviewing recent B.C. Court of Appeal decisions in respect of intrusion upon seclusion (Tucci v. Peoples Trust Company, 2020 BCCA 246) and common law privacy torts more generally (Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331), the Court found that it remained open to B.C. courts to recognize privacy torts, including public disclosure of private facts, and declined to strike the novel claim. The Court also declined to strike Moon’s related claims under PIPA and the BC Privacy Act, as the Privacy Commissioner had found IATSE Local 891 in breach of PIPA, and in negligence.
Key takeaway
The Court declined to strike a claim for the tort of public disclosure of private facts, declining to close the door to privacy torts in B.C. and paving the way for the possible recognition of that specific tort.
The Hospital for Sick Children v. Information and Privacy Commissioner of Ontario, 2025 ONSC 385
Facts
The Hospital for Sick Children (SickKids) sought a sealing order to redact specific information from the record of proceedings following a ransomware cyberattack on December 18, 2022. This attack disrupted the hospital’s clinical and corporate systems, leading to delays in prescriptions and lab results. By December 29, 2022, about 50% of the hospital’s priority systems were restored. Following the incident, SickKids reported to the Information and Privacy Commissioner of Ontario (IPCO), which initiated an investigation under the Personal Health Information Protection Act (PHIPA) to determine if there was unauthorized disclosure or loss of personal health information. SickKids cooperated with IPCO, providing information about its cybersecurity measures, which the IPCO agreed to keep confidential to protect the hospital from future attacks.
Decision
SickKids demonstrated that the publication of the requested redacted information would increase its vulnerability to future cyberattacks, thereby jeopardizing the safety and security of its information technology systems and the critical medical care it provides. The Court found that the redactions sought were minimal and necessary to protect against further cyber threats, which serves an important public interest in safeguarding patient care. The Court granted the motion, finding that the redactions were necessary to protect the hospital’s operations and public interest. Additionally, the Court ruled that SickKids was entitled to costs for the motion, as IPCO had initially opposed it but failed to file a proper factum, instead submitting a letter that did not assist the Court appropriately.
Key takeaway
The Court recognized the critical need to balance transparency with the protection of sensitive information, particularly in the context of cybersecurity. Organizations may be able to rely on this case to argue for limited redactions when they can demonstrate a credible risk of cyber threats.
Lamarche v. British Columbia (Securities Commission), 2025 BCCA 146
Facts
During an investigation, the British Columbia Securities Commission (the Commission) seized the appellant’s email records — including communications he claimed were subject to solicitor-client privilege. The appellant commenced a civil action alleging breaches of the Canadian Charter of Rights and Freedoms and the BC Privacy Act, seeking declaratory and monetary relief. The Commission applied to stay or strike the claims on the basis that there was an ongoing administrative process and/or on the grounds that the claims disclosed no reasonable cause of action.
The chambers judge stayed the constitutional claims pending completion of the Commission’s process and struck the BC Privacy Act claims. The appellant appealed, arguing that the Court should not defer to the administrative process and that his BC Privacy Act claims were improperly struck.
Decision
The Court of Appeal allowed the appeal in part. The Court affirmed the stay of the constitutional claims, holding that absent exceptional circumstances, litigants must exhaust administrative remedies before seeking judicial intervention.
However, the Court set aside the order striking the BC Privacy Act claims. While the Commission had a statutory immunity for acts done in good faith, a sufficient degree of recklessness can ground an inference of bad faith. The appellant’s pleadings, which alleged the Commission had acted recklessly in failing to implement adequate protocols, were sufficient to ground a potential finding of bad faith or lack of good faith. The Court also rejected the chambers judge’s conclusion that the BC Privacy Act could not be used to pursue claims that might also ground a Canadian Charter breach, clarifying that privacy and Canadian Charter claims are not mutually exclusive.
The Court ordered that the BC Privacy Act claims, including claims for punitive damages, be stayed (rather than struck) until the Commission’s administrative process is complete, to avoid duplication and fragmentation of proceedings.
Key takeaway
BC Privacy Act claims may survive a motion to strike, even where statutory immunity for good faith conduct is pleaded, as a sufficient degree of recklessness can ground an inference of bad faith. The decision also confirms that privacy torts and Canadian Charter claims may proceed in parallel, subject to procedural deferral to avoid duplicative litigation.
Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131
Facts
The underlying class action stemmed from the actions a former employee of the appellant who had accessed the private information of 78 customers for improper purposes and sold some of that information to criminals. Thirteen individuals were subsequently targeted in arson and shooting attacks. The class was defined to include all individuals whose information was accessed, as well as residents at their addresses. The summary trial judge awarded the aggregate damages award of $15,000 per class member for breach of privacy under section 1 of the BC Privacy Act. These damages were awarded regardless of whether any individual class member had actually suffered harm. Individual harms would be addressed at a later stage of the proceeding.
Decision
The Court of Appeal upheld the damages award, affirming that the BC Privacy Act creates a tort for breach of privacy without proof of damage. General damages may be awarded to compensate, vindicate, and deter injuries to the privacy interest itself, reflecting the quasi-constitutional nature of the right to privacy.
The Court rejected the argument that, absent proof of harm, only nominal damages are available, emphasizing that the law presumes some damage flows from the mere invasion of privacy. The seriousness and deliberate nature of the breach, including the distribution of information to criminals and the resulting risks to class members, justified an award above a merely symbolic amount. The limiting damages to a trivial sum would undermine the legislative intent of the BC Privacy Act and render the statutory right to privacy protection ineffective.
Key takeaway
The decision confirms that under the BC Privacy Act, general damages for breach of privacy may be awarded without proof of consequential harm. While the decision only concerned the BC Privacy Act, other provinces have similar legislation such that the Court of Appeal’s reasoning may be applicable to parallel privacy statutes. The case also underscores that potentially significant aggregate damages awards may be granted for data breaches, even in the absence of evidence of individual harm.
