Overview
On January 31, 2024, the Ontario Court of Appeal (“ONCA”) upheld Justice Perell’s decision in Del Giudice v. Thompson, 2024 ONCA 70, maintaining the stringent approach established in recent years for “hacker” data breach cases.
Plaintiffs who intend to pursue these types of class actions against institutional defendants are reminded by the ONCA that they must state their facts in support of the typical causes of action pleaded, such as misappropriation of personality and statutory causes of action.
In addition, plaintiffs who intend to plead intrusion upon seclusion must plead facts which show that the conduct of institutional defendants is of a “highly offensive nature causing distress, humiliation or anguish to a reasonable person” (at para. 35) as set out in Jones v. Tsige, 2012 ONCA 32, and as confirmed by the trilogy judgements by the ONCA in Owsianik v. Equifax Canada Co., 2022 ONCA 813, Obodo v. Trans Union of Canada Inc., 2022 ONCA 814, and Winder v. Marriott International Inc., 2022 ONCA 815.
Lastly, in refusing to interfere with the motion judge’s decision to strike the claims without granting leave to amend, the ONCA is clear that when parties are provided with repeated opportunities to amend their claim and still fail to plead their cases appropriately, they may be “out of runway” by the time they reach their appeal.
This article will focus on the three different heads of privacy law causes of action analyzed in Del Giudice v. Thompson: intrusion upon seclusion, misappropriation of personality, and statutory causes of action.
Background
The Defendant Capital One collected data from people applying for Capital One credit cards. Capital One stored its data on the co-Defendant’s servers, Amazon Web Services. Amazon Web Services was subsequently hacked by one of its employees (Thompson), and consequently the personal and confidential information provided to Capital One was exposed or became vulnerable to exposure to the public. The putative representative Plaintiffs (the “Plaintiffs”) alleged that the hack exposed the information of 106 million applicants, including six million Canadians.
The Plaintiffs, Ms. Del Giudice and Mr. Wood, sought to certify a class action against Capital One and Amazon Web for various torts related to data breach and misuse. The parties agreed to have the cause of action criterion under s.5(1)(a) of the Class Proceedings Act, 1992, S.O. 1992, c. 6, heard as a preliminary motion.
The Plaintiffs’ causes of action included two categories of claims: data misuse and data breach. The claims for data misuse involved (i) intrusion upon seclusion; (ii) misappropriation of personality; (iii) conversion; and (iv) breach of confidence, trust, and fiduciary duty. The claims for data breach involved (i) negligence and failure of a duty to warn; (ii) strict liability; (iii) negligent breach of contract; and (iv) breach of statutory causes of action.
Despite several amendments to the Plaintiffs’ statement of claim, the motion judge concluded that the Plaintiffs failed to plead viable causes of action against Capital One and Amazon Web.[1] The motion judge dismissed the motion to certify, ruling that their case was "doomed to fail" and struck their pleadings without leave to amend.
On appeal, three main issues were advanced. The Plaintiffs argued that the motion judge erred in (1) determining that the pleadings did not support any valid cause of action; (2) relying on unsworn and unauthenticated documents; and (3) striking out 78 paragraphs of the statement of claim without leave to amend. The following summary will address the first and last issues on appeal.
Please log in to read the full article.