Reviving Data Breach Class Actions: BC Court of Appeal Breathes New Life into Canadian Privacy and Cybersecurity Litigation

  • 29 juillet 2024
  • Joan M. Young, Mitch Koczerginski, Darlene Crimeni, Claire Wanhella, McMillan LLP

Two recent BC Court of Appeal decisions revive support for Canadian data breach class actions after the viability of such proceedings was recently stifled by a trio of decisions by the Ontario Court of Appeal.

Why This Is Important

A burgeoning question in class actions that follow a data breach is whether individuals can claim damages for breach of privacy against companies that have fallen victim to a cybersecurity attack for their alleged failure to adequately protect personal information in their custody or control.

The BCCA recently answered this question with a resounding “yes” in a pair of decisions in Campbell v. Capital One Financial Corporation[1] and G.D. v. South Coast British Columbia Transportation Authority.[2] These decisions signify a marked departure from a trio of decisions by the Ontario Court of Appeal which held that organizations that collect and store personal information about individuals (commonly referred to as “database defendants”) cannot be held liable for the common law breach of privacy tort of “intrusion upon seclusion” if the data breach was caused by an unknown, malicious third party.

The Ontario trilogy materially impacted the viability of Canadian class actions because, while plaintiffs can pursue other claims against database defendants, such as negligence or breach of contract, those causes of action often require proof of actual pecuniary loss, which is difficult to establish on a class-wide basis. Accordingly, by eliminating the potential for plaintiffs to allege the privacy tort – which, crucially, allows for claims of damages without proof of loss – the Ontario trilogy weakened support for the argument that a class proceeding is a preferable procedure to pursue damages in the circumstances.

While the BCCA agreed with the Ontario trilogy that the common law tort is not viable against database defendants, it found that database defendants can still be liable for statutory breach of privacy torts established under BC’s Privacy Act and similar legislation in other provinces (which are also actionable without proof of loss).