Reviving Data Breach Class Actions: BC Court of Appeal Breathes New Life into Canadian Privacy and Cybersecurity Litigation

  • July 29, 2024
  • Joan M. Young, Mitch Koczerginski, Darlene Crimeni, Claire Wanhella, McMillan LLP

Two recent BC Court of Appeal decisions revive support for Canadian data breach class actions after the viability of such proceedings was recently stifled by a trio of decisions by the Ontario Court of Appeal.

Why This Is Important

A burgeoning question in class actions that follow a data breach is whether individuals can claim damages for breach of privacy against companies that have fallen victim to a cybersecurity attack for their alleged failure to adequately protect personal information in their custody or control.

The BCCA recently answered this question with a resounding “yes” in a pair of decisions in Campbell v. Capital One Financial Corporation[1] and G.D. v. South Coast British Columbia Transportation Authority.[2] These decisions signify a marked departure from a trio of decisions by the Ontario Court of Appeal which held that organizations that collect and store personal information about individuals (commonly referred to as “database defendants”) cannot be held liable for the common law breach of privacy tort of “intrusion upon seclusion” if the data breach was caused by an unknown, malicious third party.

The Ontario trilogy materially impacted the viability of Canadian class actions because, while plaintiffs can pursue other claims against database defendants, such as negligence or breach of contract, those causes of action often require proof of actual pecuniary loss, which is difficult to establish on a class-wide basis. Accordingly, by eliminating the potential for plaintiffs to allege the privacy tort – which, crucially, allows for claims of damages without proof of loss – the Ontario trilogy weakened support for the argument that a class proceeding is a preferable procedure to pursue damages in the circumstances.

While the BCCA agreed with the Ontario trilogy that the common law tort is not viable against database defendants, it found that database defendants can still be liable for statutory breach of privacy torts established under BC’s Privacy Act and similar legislation in other provinces (which are also actionable without proof of loss).

Background of the Cases Before the BCCA

Campbell relates to a significant cyberattack that resulted in a data breach affecting millions of individuals across Canada and the United States. In this case, a hacker accessed a major credit card company’s database and downloaded personal financial information of millions of current and former cardholders and applicants. The plaintiff sought to certify a class action based on various causes of action, including statutory and common law breaches of privacy. The judge certified the statutory claim (among other causes of action) but found that it was plain and obvious that the common law claim was bound to fail.

G.D. relates to a data breach at TransLink following a successful phishing attempt by third-party hackers that affected approximately 39,000 employees and related individuals. The impacted information included bank information, birth dates, addresses, and social insurance numbers. As in Campbell, the plaintiff sought to certify a class action based on various causes of action, including statutory and common law breaches of privacy. The judge refused to certify the statutory and common law breach of privacy claims on the basis that such claims were bound to fail since they can only be directed at the hacker and not the organization that was victim to the attack.

In both decisions, the BCCA found that database defendants could be held liable for the statutory privacy torts for failing to adequately safeguard personal information from a data breach.

Reconciling the BC and Ontario Decisions

In reaching its conclusion, the BCCA acknowledged the departure from the Ontario trilogy referenced above. However, in doing so, the Court emphasized that the statutory and common law torts are not mirror images of each other and, accordingly, do not apply to the same scope of conduct.

The statutory tort established under BC’s Privacy Act provides that “It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.”

In contrast, the elements of the common law tort are that:

  1. the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the “conduct requirement”];
  2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the “state of mind requirement”]; and
  3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the “consequence requirement”].

Both the BC and Ontario courts agree that the common law tort is inapplicable against database defendants because the first element of the tort requires that the defendant must invade or intrude upon a plaintiff’s private affairs or concerns. In this regard, database defendants do not do anything that could constitute an act of intrusion or invasion and, rather, such conduct is committed by the unknown third parties that act contrary to the interests of the database defendants they attack.

The BCCA found, however, that where the common law tort focuses on the active conduct of “invasion” and “intrusion”, the statutory tort is broader in that it can also apply to the failure to safeguard personal information in a manner that aligns with an individual’s reasonable expectations of privacy. As such, a party may wilfully violate the privacy of another under the Privacy Act by failing to act when there is an obligation to do so,[3] or by acting with reckless indifference.[4] The BCCA found that depending on the circumstances, it is not unreasonable to assert that the party entrusted to protect personal information has committed the statutory tort when they fail to safeguard personal information from attack.

Key Takeaways

The BCCA’s decisions in Campbell and G.D. mark a significant shift in data privacy law that can fairly be anticipated to encourage a significant increase in proposed data breach class actions in BC and in other provinces that have established similar statutory breach of privacy torts. The perception of British Columbia as a more favorable environment for advancing class claims will continue to drive increased filings in BC courts over Ontario.

If the unsuccessful parties in Campbell or G.D. seek leave to appeal to the Supreme Court of Canada, the legal issues seem ripe for Supreme Court of Canada review. Given the significant differences between the appellate jurisprudence in Ontario versus British Columbia, the Supreme Court may feel the need to clarify the law and provide guidance in this rapidly evolving area.

These rulings also highlight the importance of continually reviewing and improving upon safeguards to protect against foreseeable cybersecurity threats. Cybersecurity is an ongoing process that requires constant improvement and adaptation. Organizations should therefore regularly assess their security posture, identify areas for improvement, and implement measures to address emerging threats and vulnerabilities. The failure to do so will most certainly increase the risk of successful claims.

[1] Campbell v Capital One Financial Corporation, 2024 BCCA 253 [“Campbell”].
[2] G.D. v South Coast British Columbia Transportation Authority, 2024 BCCA 252 [“G.D.”].
[3] Odhavji Estate v Woodhouse, 2003 SCC 69.
[4] Peracomo Inc. v TELUS Communications Co., 2014 SCC 29.

About the authors

Joan M. Young, Mitch Koczerginski, Darlene Crimeni, and Claire Wanhella

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.