
AccessPrivacy Podcast: Data Litigation Expert Roundtable – Privacy Class Actions Update

Sep 20, 2021

September 2021 AccessPrivacy Call

September’s Monthly Call centered on the growing number of data privacy-related class actions in courts across Canada. The roundtable includes a discussion of current trends in the filing and certification of claims, what actually constitutes private information and compensable harm, developing legislation and case law in different jurisdictions, lessons for companies responding to data breaches and more, featuring perspectives and insight from an experienced group of litigators:

Transcript

ADAM KARDASH: Hello, everyone, and welcome to our end of summer monthly privacy call. As mentioned on past calls over the years, one of the most remarkable themes in our privacy practice relates to the steadily increasing litigation risk companies across all sectors are facing as they collect, create, process, and store significant and increasingly large amounts of data, especially personal information.

Beyond the litigation risk associated with security incidents, we are regularly in discussions with clients and mandates about potential litigation risk associated with alleged data misuse. And the risks associated with privacy regulatory investigations are exacerbated by the prospect of litigation that may commence and has commenced in a number of contexts after the posting of an adverse investigation finding by a privacy regulatory authority.

And there are also examples of litigation proceedings being commenced upon even just the announcement by a privacy regulatory authority or several privacy regulatory authorities together announcing that they're about to launch an investigation against a particular company.

So given the focus of client concern, and the concerns we discussed on a fairly recent monthly call about the likely prospect of even more litigation arising in the wake of privacy legislative reform that is before us, we're going to focus our thought leader roundtable discussion today specifically on privacy class actions. Now, I'm privileged to be joined by a group of superb litigators from our firm, all of whom have significant expertise in privacy and data-related litigation matters, specifically from our Toronto office-- Mark Gelowitz, Chris Naudie and Lauren Tomasich, Emily MacKinnon from our Vancouver office, and last but not least, of course, Celine Legendre from our office in Montreal.

Thank you all so much for joining us for this conversation, and let's begin. So Chris, I'm going to turn to you to begin. And given that there's a fair number of folks who regularly attend our call, and this call in particular as well that aren't lawyers, it could be helpful just to level set for all of us on what this concept of privacy class actions is, and why are plaintiffs able to bring these types of proceedings?

CHRIS NAUDIE: Sure. Thanks, Adam. It's great to be here. As most of this audience knows, the predominant model for the enforcement and protection of privacy rights in Canada is really a public enforcement model. Namely, we have an independent regulator that has primary responsibility for protecting the privacy rights of Canadians. And for instance, at the federal level, the OPC has the exclusive responsibility for enforcing PIPEDA and there's no private right of action for damages under that federal legislation.

However, at the provincial level, an individual that has suffered a violation of his or her privacy rights has a number of potential remedies at statute and at common law. And the mix of remedies will depend on an individual's particular province. For instance, in certain provinces, an individual may have a statutory right of action under provincial laws, such as the right of action under the BC Privacy Act.

Second, an individual may be able to shoehorn a privacy claim into an action for breach of contract or negligence. For instance, it's common for an individual to argue that when I bought a product or service, I understood that the company's privacy was part of our contract. And in the face of a breach, the company has violated the contract.

Third, since 2012, the courts in a number of provinces have recognized a novel tort for intrusion upon seclusion. And that's a unique remedy that permits a party to seek relief for a privacy breach without any proof of loss. And by invoking this patchwork of remedies, a private plaintiff can bring an action against a company that failed to protect an individual's privacy and failed to prevent the release of personally identifiable information in response to a data breach.

And if the plaintiff or individual can prove liability, he or she can seek damages for monetary loss and inconvenience, and in certain cases, for moral damages for embarrassment or humiliation caused by the data breach. Now, in a traditional claim, an individual would just sue a company directly. However, thanks to class proceedings legislation that exists in every province in Canada, an individual also has the option of seeking collective relief through a class action. More specifically, an individual can sue a company for a data breach and seek to recover damages on behalf of himself or herself, as well as all other affected individuals across Canada who were impacted by the breach.

Now, in most cases, the driving force behind these class actions is an enterprising plaintiff class action firm. Since under class proceedings legislation across Canada, a plaintiff's firm can bring a claim on behalf of class members and in the event of success, can seek a percentage contingency fee based on the total amount of a settlement or a trial judgment.

However, plaintiff class actions firms do have to prove that their case is suitable for class certification and for a class proceeding. And in particular, these firms must first meet a test for class certification. And in general terms, they have to persuade the court that there is a sufficient commonality among the claims of class members to merit class proceedings.

So, through this regime, over the past decade or so, we have seen a significant increase in the number of class actions that have been filed for privacy breaches including claims for data breaches, unintentional loss of data, employee snooping, and now, corporate misuse of data, namely-- companies' use of data for purposes that were not originally contemplated by a consumer’s or customer’s original consent.

And while there's ongoing debate as to whether or not these types of claims should be certified, the general trend over the past few years has been in favor of class certification. Namely-- the courts have ruled on certification motions that these claims can proceed as a form of collective relief. However, as we'll hear from a number of my colleagues today, there has been a recent correction in the case law and some interesting developments in terms of the types of claims that can be brought forward as a class proceeding.

ADAM KARDASH: So, Chris, with that level setting, let's turn now to themes. What are the current trends that you're seeing in the filing and certification of claims?

CHRIS NAUDIE: Sure. Thanks, Adam. So, as you mentioned at the outset of this, we have many clients who have businesses that depend on collecting, managing, and using large amounts of sensitive personally identifiable information. These clients include retail companies, financial institutions, telecommunications companies, health care providers, and social media companies.

And given the developments of private relief and class actions in this area of law, our clients are continually asking us about the risks associated with collecting, maintaining, and using these large reservoirs of data. And to respond to those inquiries, our firm is undertaking a significant class action tracking project. In short, over the past five, six years, we've tried to collect data on all of the publicly reported class actions that have been filed in every jurisdiction across Canada. And by leveraging that data, we believe we've got a unique insight into the direction of privacy class action litigation in Canada.

And we can share some of the key trends that we've observed from this class action tracking. First, by our measure, there have been over 140 privacy class actions commenced across Canada since plaintiffs started bringing collective relief for privacy violations or intrusions. The majority of these cases have been traditional data breaches. Namely-- cases involving a malicious third party that has hacked into a company's database or stolen a company's data.

However, there have been a significant number of cases relating to employee snooping, loss of data, as well as corporate misuse of data. And the number of filings has spiked sharply in recent years. To date, there have been as many class actions commenced in 2021 as in all of 2020.

Now, the majority of these cases have been commenced in Ontario-- roughly 40%. But we're seeing an increasing number of cases that are being filed in Quebec and BC. And this trend is being accelerated in part because of recent amendments to the Ontario Class Proceedings Act that have made those other jurisdictions more plaintiff friendly.

In terms of breakdown of these actions, the recent filings in 2021, this year, have been roughly equally divided between data breach and data misuse class actions. In the case of data breach class actions, almost all of the class actions that we've seen this year were commenced after a public disclosure of an incident or the issuance of a data breach notification under PIPEDA.

There's also some data relating to the industry breakdown of these filings. A majority of these filings involve retail companies, health care providers, and social media companies, and in the most recent [INAUDIBLE] almost half of new actions relating to health care providers. And roughly 40% relate to technology and social media companies. That data may be skewed because of some of the high-profile incidents that many of us have seen in recent years.

Now, there's been a significant number of cases in the past that have been certified. There's also been a significant number of settlements that have been resolved based on the payments of very large all-in settlement payments. But in spite of these trends, there has been some pushback from the courts as to whether these types of cases are really suited for class certification. After all, the impact of a data breach can be diffused across class members in terms of the nature and segments of data released and the personal reaction and experience of individual class members. And as a result, in the past two years, there have been a number of significant cases where the courts have denied class certification. The courts have also questioned whether or not a class proceeding should be certified if there's no immediate evidence of identity theft or personal harm to class members. But to talk about those cases, I'm going to turn it over to my partners starting with Lauren.

ADAM KARDASH: Thanks, Chris. Lauren, Chris just mentioned recent successes the defendants have enjoyed in defeating privacy class actions. And we've chatted about how this has been brought about in large part by defendants taking a run at the merits at an early stage. Can you explain what this looks like?

LAUREN TOMASICH: Absolutely. Thanks, Adam. And thanks so much for the introduction, Chris. As many of the folks on the line will know, at a very high level, whether a class action can be certified is a procedural question. As Chris said, the court is looking at whether there are common claims that can be tried on a class-wide basis. So the court theoretically doesn't really look at the merits of the proposed class proceeding other than to consider whether the claim discloses a cause of action.

And the thing about privacy cases, which Chris touched upon, is they almost universally involve a large number of individuals because they implicate the collection, storage, or access of these individuals' personal information. So, it's pretty obvious as to why privacy class actions are a favorite of the plaintiffs' class action bar.

So, while a privacy class action might look common, what we're really seeing is the trick from a defense perspective is to use every tool in your toolbox to show the courts that the merits of the claim do not warrant certification even if there might be a common issue on the face of the claim.

This is something we've had some recent success with, which you're going to hear about from Mark who has had a hand in a number of recent successful defenses. And you'll also hear from Emily about some recent cases that reflect procedural tools that are unique to BC that are being used by defendants to get at the merits at a very early stage and the BC courts have been very receptive to this approach.

And really, the bottom line is we're really seeing courts take a good hard look at privacy class actions and performing the gatekeeping role that the Supreme Court of Canada recently called for in the class action context-- this is in a case called Atlantic Lottery. And our tracking in terms of a data perspective is really seeing this play out with success. Really, really starting to occur in the last two years or so. And obviously, we're thrilled to be a part of this trend.

ADAM KARDASH: So I understand that part of this trend is because the courts have been giving consideration to what actually constitutes private information. Can you talk a bit about that?

LAUREN TOMASICH: For sure. And this is something Chris touched upon as well. And it's a positive and perhaps relatively obvious recognition of the courts that just because there's a data breach or certain ostensible personal information was disclosed, this does not necessarily mean that there should be liability from a privacy perspective. And doesn't mean that the individual or individuals affected suffer damage.

So, this is in the case of certain things like names, phone numbers, ages. Disclosure of this information does not mean that there is compensable harm. And the best way to think about this-- and this is in fact a direct analogy that was drawn in an Alberta case involving Uber-- is that for those old enough on the line to remember when on a yearly basis, you used to get a big yellow phone book delivered to your door with the names and phone numbers of people in your city.

People can look up your name and phone number and maybe one doesn't love it if telemarketers or [INAUDIBLE] people call you up, but the court has held that mere upset, inconvenience, or anxiety are not compensable unless they really rise to the level of serious or prolonged injury. And this in fact, was the basis of the dismissal of the first privacy class action that was heard on its merits which Celine will be addressing in more detail.

So really ensure-- this is sort of a prime area of attack on a privacy class action basis. And courts are showing that they really want actual evidence that the disclosure caused harm. They want real admissible evidence of what the harm was, and they're not willing to rubber stamp their allegations that someone somewhere may have suffered harm as a result of a data breach.

ADAM KARDASH: So Chris mentioned the tort of intrusion upon seclusion as a common pleading in privacy class actions. We, of course, have talked about this over the years in several different contexts on our calls. How has recent case law made this tort a lot less useful to plaintiffs?

LAUREN TOMASICH: Great question. So as Chris mentioned, intrusion upon seclusion claims are very popular amongst plaintiffs' counsel. In our data tracking, intrusion upon seclusion claims are pled in the majority of cases. And it's because the particular attraction for this tort is because the court does not even require proof of loss. So it's very attractive from a class action perspective.

But at its core, this came from a decision of the Court of Appeal in Jones and [INAUDIBLE] and it really-- courts are holding in recent decisions and it really wasn't intended to capture any type of privacy breach. The elements of the tort require that the defendant acted first, intentionally or recklessly, second, that the defendant invaded the plaintiff's private affairs or concerns, and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation, or anguish.

Now, this tort has recently been applied to the question of whether it can apply to what's been termed database defendants. And this is incidents where third parties access data that was allegedly improperly guarded by the defendants. So in other words, did a defendant that was subject to a data breach intentionally invade the privacy of the plaintiffs in an offensive way?

And the courts have recently said that the answer is no. Ontario courts in particular. One decision of the Divisional Court involving Equifax and one recent certification decision involving Capital One. These were two relatively public data breaches where hackers infiltrated the systems of these defendants. And intrusion upon seclusion was found not to apply with the underpinning of these holdings being that when a database defendant is hacked, they could not have acted intentionally or recklessly and they could not have invaded the plaintiff's privacy in an offensive manner because the database themselves were the victim of intrusion.

ADAM KARDASH: Thanks, Lauren. Let's shift over to British Columbia. And Emily, turn it over to you. Perhaps you can just begin by giving us some insight into why British Columbia has become so popular as a forum for plaintiffs and privacy class actions.

EMILY MACKINNON: Thanks, Adam. We've certainly seen a lot of increased activity in BC for privacy class actions. Even though Ontario is the most populous province and historically, according to those numbers, the most common jurisdiction for class actions period. We've been tracking in our database that so far in 2021, more privacy class actions have, in fact, been commenced in BC and not in Ontario.

That trend is also picking up. So far in 2021, there's been more class actions commenced in BC than there were in all of 2020 in this province. So there are a couple of factors that make BC so popular. The first is what we call the no-costs rule. In BC, the legislation pertaining to class actions actually prohibits the court from awarding any costs on a certification application. And that's no matter the outcome.

And then if the action is certified, there can be no cost at any point after that. So that means the risks for plaintiffs' counsel are very low. If they can get a certification application heard, even if they lose, then they won't have to pay for the defendant's costs. And by contrast, in Ontario, a plaintiff that's unsuccessful on a certification motion could then be liable to the defendants for a significant cost award, which makes it a lot more risky to bring an action in BC than it does the other way around. It's a lot more risky to bring an action in Ontario than in BC.

The second factor is that there were amendments to the Ontario Class Proceedings Act. Those came into force in October 2020. And that made that jurisdiction a lot less plaintiff-friendly. That's contrasted with the opposite trend in BC where changes to the legislation over the last five years or so have actually made it more plaintiff-friendly.

So the impact of all of those amendments is still playing out, but we've noticed that Ontario firms have started to begin class actions in BC. Sometimes they're opening outposts in BC, and sometimes they're partnering with BC firms, but either way we're seeing a lot more Ontario lawyers in the BC courts.

And the third factor is that much like Manitoba, Saskatchewan, and Newfoundland and Labrador, the BC statutory right of action under the Privacy Act gives plaintiffs a particular hook under the legislation to bring privacy class actions in BC. Much like intrusion on seclusion, which Lauren was just talking about, these statutory torts can be brought without any proof of damages. So that means it's very attractive to class action plaintiffs. Without these kinds of statutory torts, it could be hard for a class action plaintiff to prove damages for the entire class because often privacy damages are a very individual thing. But the statutory tort in BC does away with that requirement.

And then finally, there's a very practical point, and that is that as we know, class actions are very much driven by plaintiff-side lawyers. In BC, the provincial government recently implemented a no-fault auto insurance scheme. And so that means that those injured in automobile accidents here will in general not be able to sue, and instead, they'll automatically receive benefits regardless of who is at fault.

This has a serious impact on the workflow and the future of plaintiff's personal injury firms. And so a lot of those former personal injury firms have now started moving into the class action space. This has resulted in some really interesting tactics. Though these new firms don't always want to just do things the way that they've always been done. So, they're taking new unusual procedural steps and trying out a few new strategies, not all of which have been successful.

So, this trend of the plaintiff injury firms moving into class action has also resulted in a lot of these firms filing a ton of new class actions as they figure out what works and what doesn't. They're really exploring the space. And a lot of those class actions have been privacy claims based just on news articles or even sometimes only social media posts about data incidents or technology glitches. So those, Adam, are the dominant reasons I would say for the growth in privacy class actions in BC.

ADAM KARDASH: Thank you for that. And given the increasing prominence of BC for privacy class actions, what trends have you observed there in the space?

EMILY MACKINNON: Yeah, so one of the biggest changes has been this increasing willingness of BC courts to allow motions that would dismiss class actions either in advance of or at the same time as certification, as my colleagues mentioned earlier. And our experience has been that seeking this early resolution has a number of benefits for defendants. One is it tends to be way more efficient in terms of legal costs and time and that you can deal with an action at an early stage.

We've also seen plaintiff-side firms discontinue their proposed class actions in the face of this kind of an aggressive defense strategy. These firms are rational economic actors. And if they're persuaded that a claim is meritless, then they're not going to pursue it. Where we have good facts or a good argument for the defendant, we also tend to find it beneficial to educate the court early and often as to the weaknesses in the plaintiff's case.

When we raise these issues at an early stage, it gives us an opportunity to gauge the judge's reaction, and we can also adjust our strategy accordingly. And then finally, because there are no cost awards after certification, bringing a pre-certification motion really puts special pressure on the plaintiffs in terms of that economic analysis they're doing because it can expose them to cost consequences. The no costs rule doesn't kick in until you get to certification.

And this was actually quite difficult in BC until very recently as courts in BC used to hold the certification application was presumptively the first step in a class proceeding. It was very difficult to get an exception to this rule. It was very rare, and you had to get an order permitting any applications to proceed in advance of certification. And judges were reluctant to do that.

So, we often saw that even straightforward applications like motions to strike pleadings because they were defective on their face, those kinds of applications were often required to proceed together with certification. And this actually had another soft effect, which was that it reduced the likelihood that such a straightforward application would succeed.

So, while a judge might have been willing to punt a claim at an early stage because it appeared defective, when they're faced with a complete certification application and a low bar to be met by the plaintiff in certification we saw that some judges were more reluctant than they might have been otherwise to punt that claim.

But all of this has recently changed. In April, the BC Court of Appeal reversed all of that case law and held that the certification application is no longer the presumptive first step. So this has really important ramifications for all class actions, including of course, privacy claims. And that decision of the BC Court of Appeal came at the same time as we were finding that BC judges were more open to hearing applications pre-certification. So it really reflected this changing trend.

And to that end, defendants have been successful in a number of recent cases in having summary trials scheduled before certification or at the same time as certification. So there were two recent decisions concerning a social networking site in which the BC Court allowed summary trials to be heard in one case in advance of certification and in the other case together with certification. And reflecting all of the benefits of this strategy that I mentioned earlier, one of those actions was in fact subsequently dismissed by consent.

And there's also been another recent class action decision in which a stay motion under the Arbitration Act in BC was scheduled to be heard prior to certification and then jurisdiction and summary trial applications were scheduled to be heard concurrently with certification. So all of this would have been very unusual under the previous case law, but we're really seeing this increasing willingness of the BC Court to deal with actions at an early stage.

And then the other trend I want to mention, Adam, is this result of all of this increasing activity in privacy class actions in BC is that there's a concordant development of the privacy law in BC. So the case law in BC on privacy claims is not as developed as the law in Ontario. That's not unusual. Ontario is three times the population of BC, so logically, three times the cases and three times the case law.

But as these class actions raise increasingly novel and unusual claims, then we're starting to see the development of that case law in BC. And that will be particularly as more class actions go to those hearings on their merits prior to certification. Like summary trials and motions to strike, all of which really engage the judge in the merits consideration of the arguments.

So some of those novel questions will start to be considered and analyzed by BC courts, and we'll see a development to the law here, which will provide the defendants with some certainty as to the projected success of their defenses. So the takeaway is watch this space.

ADAM KARDASH: We will do. And we'll now take that and turn to Quebec, Céline. What are you seeing in the province of Quebec as being the biggest recent developments in the privacy class actions there?

CÉLINE LEGENDRE: Well, thanks, Adam. Maybe just to chime in on Emily's last point, Quebec is also a jurisdiction where case law is developing. Like BC, we don't have the population of Ontario just yet.

And in terms of recent developments, the biggest trend for the moment is still the fact that in Quebec, compensable damages in data breach cases are still the biggest hurdle for plaintiff claims who don't have the benefit of being able to argue the tort of intrusion upon seclusion with or without some success. So in Quebec, the debate in data breach certification cases often centers around whether the applicant has set out an arguable case for compensable damages.

In recent case law in this area, the courts have confirmed the principle in Quebec that the alleged fault of the defendant for having lost or failed to protect personal information of its clients does not automatically demonstrate a compensable injury. What that means in the data class action context, Quebec courts often refer to the Supreme Court case-- Mustapha versus Culligan of Canada Limited, which is not a data breach case but rather a case involving the discovery of dead flies in a water bottle.

Essentially, in the Mustapha case, the Supreme Court set out a test and provided guidance on the distinction between what they deemed minor and transient upsets and compensable injury. Compensable injury must be-- and the court termed it serious and prolonged and rise above the ordinary annoyances, anxieties, and fears that a person living in society may experience.

So, while the absence of actual identity theft and/or fraud stemming from the loss of personal information is not required to prove a claim for compensable harm, Quebec courts generally state that applicants must demonstrate a serious and prolonged harm. And that minimal inconveniences do not constitute compensable injuries. The two key cases in this arena are still the 2019 cases of Yahoo and Equifax.

And essentially, the superior court uses the terminology of the Mustapha test and reiterates the fact that, for instance, transient embarrassments and inconveniences stemming from the loss of personal information are not sufficient to constitute compensable injury. In the Equifax case, the court reminds us that allegations of mental distress and general inconveniences were considered to fall short of the compensable injury threshold given that the applicant had not been a victim of identity theft nor had he incurred expenses or experienced inconveniences related to credit monitoring and cancelation of credit cards for instance.

Finally, allegations of potential harm or fear of being exposed to identity theft were not recognized as sufficient to justify certification.

ADAM KARDASH: So Celine, thank you for that. And recently, as you and I have discussed, a Quebec court heard the first privacy action to be decided on the merits in Canada. What should call attendees know about that case?

CÉLINE LEGENDRE: Yeah. Thanks, Adam. That's indeed a key case. One of the rare cases tried on the merits and the first one in privacy class actions to be heard on the merits, I think, in Canada. It's the Organisme canadien de réglementation du commerce des valeurs mobilières. In English it's IIROC, the Investment Industry Regulatory Organization of Canada.

And essentially, in that case, the facts involved an investigator who left the laptop on a train. The laptop had password protection, but it was unencrypted. And this is the first privacy class action to be determined and dismissed on the merits. And the key takeaways here, Adam, are really that [INAUDIBLE] clarified the circumstances that can give rise to a damages award in such cases. That is to say actual damages must be established beyond mere inconvenience that we discussed a bit earlier.

And again, this is an application of the Mustafa's test. The damages alleged in this case were relating to fears and inconvenience stemming from being impacted by the data breach and that did not amount to compensable harm. Here, the personal information of investors was potentially exposed.

So, in dismissing the claim for punitive damages, the court comments provided guidance to the Quebec defendants also as a satisfactory response to a data loss or incident where a diligent response-- and Adam, something that you reiterate all the time is proven following a data breach. Punitive damages are unwarranted. The court in this case considered the following steps taken by the defendant in Iraq-- conducting internal investigations, properly mandating a forensics analysis firm to identify the lost information, providing credit monitoring services free of charge, notifying privacy commissions, class members, and stakeholders in a timely manner.

So, all of that said, this case is to be continued as a notice of appeal has been filed in [INAUDIBLE].

ADAM KARDASH: And [INAUDIBLE] yet more justification for putting in place robust incident response protocols for various steps. Are there any other trends to keep an eye on in Quebec?

CÉLINE LEGENDRE: Absolutely. And speaking of robust responses, just one last trend to talk about is in the area of punitive damages. I would say, Adam, Quebec courts' treatment of punitive damages claims in this context is less predictable, sadly, than their approach to compensable damages. It's certainly an area to keep an eye on as it continues to develop.

Just a reminder for our audience, in the essence to succeed in the claim in punitive damages under the Quebec charter, an applicant must demonstrate that the alleged interference with his or her rights was both intentional and unlawful. And that it's well established in Quebec that punitive damages can be granted on a standalone basis even in the absence of compensatory damages.

A class action in other words can be certified purely on the basis of a claim for punitive damages. And Adam, it's important also to note that for now, generally the courts appear reluctant to dismiss a claim for punitive damages at the certification stage unless there is a clear insufficiency of allegations or of a legal basis. And in that referring to Equifax, for example, and the Yahoo case.

One recent example from the Quebec Court of Appeal in 2021 involves a case against Nissan, which was a data breach case in which they reversed the trial judgment in part which had certified the class action but denied for the purposes of the applicant's claim for punitive damages. Although the allegations in support of the punitive damages were considered by the Court of Appeal as perfunctory, they were nevertheless considered sufficient at the certification stage.

And it's important-- the Court of Appeal in this case reminds us in their decision that intentional interference can arise not only when the author of negligence wishes to cause the consequence of wrongful interference, but also when-- and, Adam, this is important in our sphere-- a person acts with full knowledge of the immediate and natural or at least extremely probable consequences that his or her conduct will cause.

The Court of Appeal considered that the approximately one-month delay in that case-- the Nissan case-- between the data breach and the defendant's notification of the breach that affected customers could potentially be sufficient to ground a claim in punitive damages. This notwithstanding the defendant's explanation that there was an investigation of the incident ongoing during that time. So in short, the threshold to defeat punitive damages claims at the certification level is high. It's an important area to be on the lookout for as it can give guidance to companies on how to react to data incidents. Again, the actions taken following a data breach, Adam, will be closely examined by the courts. Certainly, the Quebec courts.

ADAM KARDASH: Thanks, Céline. Very helpful. And we will monitor that closely. And of course share any developments on future calls. We're going to conclude. Last but definitely not least, turn over the conversation to Mark Gelowitz. And Mark, maybe we could begin. If you could provide a snapshot for what was alluded to a couple of times on this call of your recent experience in the privacy class action arena.

MARK GELOWITZ: Yeah, I think we've had a lot of recent success in this area. And I think two of the notable or perhaps most notable cases were on behalf of our client, Facebook. In Ontario, we have the Simpson case, which was the class action commenced really based upon the public media reporting about the Cambridge Analytica incident that everyone on this call would be familiar with. And as we all know from the media reports, Cambridge Analytica obtained a quantity of Facebook user data from what was really a rogue third-party app developer without the knowledge of Facebook.

And that data was then used by Cambridge Analytica in relation to the US presidential election back in 2016. And this case really followed a pattern that is typical of, in my experience, a lot of privacy class actions, in which the case really has two characteristics-- one is it's a copycat action based on American litigation. And the material filed in court by the plaintiff seeking certification is mostly just made up of reams and reams of material downloaded from the internet-- media reports, articles, and the like. And that's what we had in this case.

And what was missing from all of this material was any evidence at all that the personal data of any Facebook user in Canada had ever been acquired by Cambridge Analytica. And our argument in a nutshell was there's nothing to see here. There was no Canadian who was even in the vicinity of this issue.

So, the judge in our case took a hard look at that record evidence that we filed, the media reports that the plaintiff had filed, and he made the pragmatic decision that in the absence of any evidence that a Canadian had been harmed, the claim should not proceed as a class action in Ontario. One of the fundamental substratum of that case was just missing. And so he dismissed the certification motion. And not surprisingly, the plaintiff has appealed that decision, and that will be heard later this year.

A similar case called Kish out in Saskatchewan that was also commenced around the same time also very largely based on the Cambridge Analytica issues, but it bundled together a number of other issues, including data partnerships that Facebook had with device makers and the like. But again, this was a case where the plaintiff's best attempt at putting evidence forward was literally-- and I'm not making this up-- thousands and thousands of pages of material downloaded from the internet.

And the judge in that case in Saskatchewan also decided that in the case before him, all of that material was just found to be inadmissible. And the plaintiff, like the Ontario plaintiff, had presented no evidence that anyone in Canada was harmed by the matters that she was complaining about. And so in that case, again, certification was dismissed and we'll be dealing with an application for leave to appeal in the very near future. So Adam, those are the kinds of cases we're seeing now where a robust defense can lead to the right result.

ADAM KARDASH: So, taking a few steps back, after hearing our colleagues over the last 35 minutes or so, and based on your experience just as a senior litigator, where do you feel we are in what we might call the life cycle of the privacy class action or the development of privacy class actions in Canada?

MARK GELOWITZ: Yeah, I think that's a good question. I think what you're seeing in the courts across the country-- and this has really been illustrated by our colleagues' discussion with you today. What we're seeing across Canada is that the tide is turning in these class actions. And for a change, it's turning in favor of defendants.

What we've seen in not just the two cases that I just referred to, and I think some of the cases that Lauren referred to all across the country. We're seeing judges being very realistic about a couple of things. And what they're being realistic about are-- first of all, whether the plaintiff's lawyers have any actual evidence to back up their claims.

And they make these claims in a very hyperbolic, moralistic way, like these alleged privacy breaches are crimes against humanity, but when they're called upon to back up those claims with evidence, they're just not able to do it. And they fall back on the media reports and other-- for lack of a better word-- garbage that they've downloaded from the internet. And judges are taking a good hard look at that and they're saying, not good enough.

The other thing that judges are looking at, which I think is a very welcome change, is whether it appears that anyone was actually harmed in any real way by the facts that are alleged or whether the case is just another elaborate trumped-up claim in which the only winners are going to be the plaintiff's lawyers, who are fundamentally angling for a big-ticket settlement that will benefit the lawyers but not benefit the class members in any tangible way. And I think judges are running out of patience with that kind of claim. And we're seeing that very clearly.

So, I think, Adam, the takeaway is that what we're seeing is what's required in the face of one of these claims is an aggressive defense that puts all the cards on the table and says to the plaintiff, what have you got? Because the reality is usually they've got nothing. And that becomes very clear very quickly.

ADAM KARDASH: Mark, thank you so much for that, and thank you to all of my litigation colleagues for taking the time and participating in this call and offering their comments and insights. And thank you for attending the call. We hope you found it helpful. This is, again, part of a continuing series of data litigation expert roundtable sessions, and we'll be sending around a reminder in the coming months for our next session.

Please also stay tuned for more details about our next AccessPrivacy session, which is going to be held on Friday, September 17th, where we're going to be providing a deep dive insights and key takeaways from-- and actionable takeaways from recent Canadian privacy regulatory authority decisions that the wave of guidance, blog posts, and annual reports. And also a status update on legislative reform activity and even some updates with respect to the election platforms, as well as-- you may have seen from our recent blast-- brief, but at least some reference to undertakings and platforms by the Conservatives and the NDP to bring forward privacy legislation.

This event will be free, of course, for AccessPrivacy knowledge portal subscribers. And we hope you will join us. Until then, please enjoy the upcoming Labor Day weekend, and we'll speak to you all soon. Thank you very much.