Privacy class actions: data breaches

Nov 5, 2024

Privacy Jurisprudence Review

Option Consommateurs c. Home Depot of Canada Inc., 2024 QCCS 1305

Facts

The plaintiff sought authorization to institute a class action against Home Depot, alleging it breached its legal and statutory obligations by sharing with third parties, including Facebook, the personal information of class members without their consent, thereby violating their right to privacy. The sharing of such information was the subject of an investigation by the Office of the Privacy Commissioner of Canada (OPC), which concluded that the respondent had failed to obtain valid consent for the disclosure of personal information.

Decision

The Court partially authorized the class action against Home Depot, allowing the petitioner to seek recovery of $10,000,000 in punitive damages, but rejected the claims based on extracontractual liability and false representations. The Court also modified the description of the group, to restrict it to members who have a Facebook account.

According to the Court, the allegations deemed to be true suggested that Home Depot may have shared members’ personal information without their implicit or explicit consent, thus violating articles 35 and 37 of the Civil Code of Québec (CCQ) as well as section 13 of the Act respecting the protection of personal information in the private sector, and sections 5 and 6.1 of the Personal Information Protection and Electronic Documents Act. There was therefore an arguable case that Home Depot may have committed a fault under article 1457 of the CCQ.

However, the Court found that the petitioner did not demonstrate the existence of a prejudice. The mere fact that personal information is in the unauthorized possession of third parties does not constitute a prejudice, and thus does not give rise to compensatory damages. For these reasons, the Court concluded that the petitioner had not demonstrated an arguable case based on extracontractual liability.

The Court also rejected the plaintiff’s arguments based on false representations, since it found that the relevant sections of the Consumer Protection Act were inapplicable.

With regard to punitive damages based on unlawful and intentional violation of the right to privacy, the Court found that the allegations supported the inference that the respondent must have known the consequences of the alleged wrongful conduct.


Key Takeaway

The Court reiterates the importance of obtaining a consumer’s express consent to the use of their personal information. The mere fact that personal information is in the unauthorized possession of third parties is not sufficient to constitute prejudice. This case serves as a reminder that a class action can be authorized solely on the basis of a claim for punitive damages.


Del Giudice v. Thompson, 2024 ONCA 70, leave to appeal to the SCC dismissed 2024 CanLII 88330

Facts

This appeal followed a decision dismissing a certification motion for a proposed class action based on a data breach of personal and confidential information collected from individuals applying for credit cards. The separate causes of action pleaded were categorized into two groups: (1) data misuse claims and (2) data breach claims. The motion judge found that the pleadings did not support any valid cause of action and “egregiously” contravened the rules of pleading. The appellants argued the motion judge erred in (1) determining that none of the causes of action pleaded were viable; (2) relying on unsworn documents; and (3) striking out portions of the statement of claim without leave to amend.

Decision

The Ontario Court of Appeal dismissed the appeal, finding that the pleadings were defective as the claims advanced could not succeed. The Court also found that the motion judge was entitled to rely on unsworn documents to reach that determination on the basis of the settled principle that a pleading is deemed to include any document to which it refers. In this case, the documents in question (which included the defendant’s privacy policy, the plaintiff’s application for credit, and a credit card agreement) were all expressly referenced in the Statement of Claim. The Court therefore concluded that the motion judge was entitled to rely on these documents in dismissing the claim that the defendants had used the plaintiffs’ information for unauthorized purposes. The Court also deferred to the motion judge’s decision not to grant leave to amend, acknowledging that the appellants had been given multiple opportunities to amend their statement of claim but failed to do so.


Key Takeaway

This case reaffirms that certification continues to be a powerful screening device to prevent meritless claims from moving forward, and also illustrates how defendants can challenge pleadings at an early stage. It is also a helpful reminder of the scope of pleadings, which are deemed to include any document(s) to which they refer.


Ari v. Insurance Corporation of British Columbia, 2024 BCSC 964

Facts

The Supreme Court of British Columbia assessed class-wide damages for a privacy breach by an employee of the Insurance Corporation of British Columbia (ICBC) who improperly accessed and sold the personal information of certain ICBC customers. Some of that information was used to carry out arson and shooting attacks on houses and vehicles belonging to some of these customers.

Decision

At an earlier stage of the proceedings, ICBC was held vicariously liable for its employee’s breach of the Privacy Act (BC Privacy Act). The class included all individuals residing at a home impacted by the privacy breach.

The Court awarded each class member nominal damages of $15,000, regardless of the actual harm individual class members had suffered. The Court found that this amount fell within the category of a modest or nominal award, based on the severity of the breach, the public purpose of the legislation, and the need for accountability. The Court rejected ICBC’s proposed $500 damages award on the basis that it would trivialize the privacy interest that was violated, and render the cause of action under the Privacy Act effectively meaningless. Individual damages will be assessed at a later stage.


Key Takeaway

Nominal damages for breaches of privacy legislation may be awarded, and the amount of such damages may — in appropriate circumstances — rise to a material amount in order to ensure the protection of vulnerable information and clarify the consequences for any failure to do so. A defendant’s motives in breaching an individual’s privacy, including personal financial gain, and the fact that information was deliberately shared with criminals, increase the severity of the breach of privacy and the potential sanctions.


G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252

Facts

The Court of Appeal of British Columbia provided clarity on the liability of data custodians in the event of a data breach. This case involved a data breach by malicious third-party hackers who accessed employees’ sensitive personal information, including social insurance numbers, banking information, birth dates, and addresses. The proposed class proceeding was filed on behalf of affected individuals against TransLink, the database custodian, alleging it had acted recklessly in failing to prevent the data breach.

Decision

The BC Privacy Act creates a cause of action for willful breaches of privacy. At certification, the chambers judge struck the plaintiff’s BC Privacy Act claims on the basis that the defendant, even if reckless, did not willfully breach the class members’ privacy by failing to prevent a third party from accessing their information without authorization. The B.C. Court of Appeal overturned this decision, holding that it is at least arguable that a data custodian who fails to adequately safeguard personal information could be liable for a wilful violation of privacy.

The chambers judge also struck the plaintiff’s claim in negligence on the basis that it was premised on a breach of the Freedom of Information and Protection of Privacy Act (BCFIPPA), as the BCFIPPA does not create a cause of action. The Court found that the negligence claim was not bound to fail, holding that the alleged breaches of BCFIPPA were relevant context and did not preclude TransLink from owing a common law duty of care to its employees and customers regarding the protection of their personal information.

The Court of Appeal remitted the question of whether to certify the proceedings to the chambers judge.


Key Takeaway

Database custodians may be liable under privacy legislation for recklessly failing to prevent unauthorized access to sensitive personal information, even if there is no intentionality or involvement in the underlying breach. This arguably stands in contrast to the common law tort of intrusion upon seclusion, which Ontario courts have held does not apply to database custodians.

The case also clarifies that breaches of legislative or privacy regimes which do not themselves provide for a free-standing cause of action may nonetheless be relevant to whether a defendant’s failure to prevent a data breach was “willful” conduct for the purposes of claims under the applicable privacy legislation.


Campbell v. Capital One Financial Corporation, 2024 BCCA 253

Facts

The British Columbia Court of Appeal recently provided guidance regarding breach of confidence and negligence claims in a class action arising from a data breach affecting individuals who had applied for or held credit cards issued by Capital One.

Decision

The decision addressed which causes of action were viable in the context of a data breach class action. The plaintiff appealed the certification judge’s decision to strike his claims for breach of confidence and the common law tort of intrusion upon seclusion. The defendants cross-appealed the certification of the provincial statutory privacy torts, negligence, breach of contract, and breach of consumer protection claims.

The plaintiff had alleged that the hacker was liable for the tort of intrusion upon seclusion and under provincial privacy legislation, and that Capital One was jointly liable for any moral damages caused by the hacker by virtue of British Columbia’s Negligence Act (BC Negligence Act). The Court of Appeal disagreed, holding that the BC Negligence Act cannot be used to make a negligent party jointly liable for damages that they could never have been responsible for if they had acted alone. As the moral damages recoverable under the common law tort or under privacy legislation are different in kind from the damages that are recoverable in negligence, Capital One could not be held jointly liable for the moral damages caused by the hacker. The Court of Appeal declined to answer whether the tort of intrusion upon seclusion is recognized in British Columbia.

The Court of Appeal further struck the plaintiff’s claim for breach of confidence, which was premised on the defendant having wrongfully retained customer information. The tort of breach of confidence requires the plaintiff to establish a detriment resulting from the broken confidence. However, the plaintiff had only alleged harm resulting from the hacker’s actions, not from any misuse of information by Capital One. This was not sufficient to maintain a claim for breach of confidence.

The Court of Appeal, however, upheld the remaining causes of action, including claims under provincial privacy legislation, negligence, breach of contract, and breach of consumer protection legislation.


Key Takeaway

A plaintiff may not use the BC Negligence Act to recover moral damages that a hacker may be liable to pay under provincial privacy legislation or the tort of intrusion upon seclusion from a database defendant who negligently failed to prevent the same data breach.

A breach of confidence claim against a database defendant premised on the defendant having wrongfully retained information may be struck where there is a failure to plead a distinct detriment resulting from the alleged misuse.

The case also highlights the uncertainty that remains around the viability of statutory claims advanced against a database defendant in the context of a breach caused by a third-party intrusion. At the very least, such claims are likely to survive preliminary challenges.