Insights Header image
Insights Header image
Insights Header image

Privacy, Please: Firm that Breached Instagram’s Privacy Policies Loses Class Action Ruling

February 15, 2022 Litigation Bulletin 5 minute read

The B.C. Supreme Court recently certified a class action proceeding against Hyp3R Inc. (“Hyp3R”),[1]Severs v Hyp3R Inc, 2021 BCSC 2261 [Severs v Hyp3R]. a U.S.-based marketing firm that collected Canadian Instagram users’ personal information in breach of the platform’s policies. The Court also ordered Hyp3R to pay more than $24 million in damages.

Background

Instagram permits users to share posts, including texts, photos, and videos, with other members and the public. It makes available tools that allow third parties to interact with Instagram, but requires third parties to adhere to certain policies, including the prohibition of “scraping” or improper collection and retention of users’ personal information.

In April of 2018, Instagram made changes such that it would not be possible to access or collect all public posts from specific locations or collect and retain users’ Instagram stories through those tools. After these changes were made, the defendant Hyp3R carried out “scraping” of personal information from users’ profiles on Instagram up until about August 2019, at which time Instagram announced that Hyp3R’s actions were in violation of its policies and that it was removing the company from its platform.

The plaintiff sought to hold Hyp3R accountable for this conduct to Instagram users in Canada (other than Quebec). It was alleged that Hyp3R’s actions constituted a breach of the privacy statutes of four provinces as well as the tort of intrusion upon seclusion (in the remaining provinces and territories).

The Decision

The Court noted that the plaintiff had served Hyp3R with the notice of civil claim, but that Hyp3R had failed to respond, resulting in the plaintiff obtaining a default judgment for damages to be assessed. After reviewing applicable case law, the Court concluded that it was appropriate to proceed with certification and determination of the issues notwithstanding the defendant’s default. The Court went on the address the following matters:

Certification

The plaintiff argued that all of the certification requirements for a class action were met. The Court accepted this argument for the reasons set out below.

i.       The pleadings disclosed a cause of action

Statutory torts for breach of privacy are set out in provisions of the privacy statutes in B.C.,[2]Privacy Act, RSBC 1996, c 373 [Privacy Act (BC)]. Saskatchewan,[3]Privacy Act, RSS 1978, c P-24 [Privacy Act (SK)]. Manitoba,[4]Privacy Act, CCSM, c P125 [Privacy Act (MB)]. and Newfoundland and Labrador.[5]Privacy Act, RSNL 1990, c P-22 [Privacy Act (NL)]. The privacy statutes of these provinces contain a significant amount of parallel language.

In each of these provinces, it is a tort to violate a person’s privacy wilfully and without claim of right; “proof of damages” is not a required element of the tort.[6]See Privacy Act (BC) at s 1; Privacy Act (SK) at s 2; Privacy Act (MB) at s 2; and Privacy Act (NL) at s 3(1). Privacy may be violated by eavesdropping or surveillance.[7]See Privacy Act (BC) at s 1(4); Privacy Act (SK) at s 3(a); Privacy Act (MB) at s 3(a); and Privacy Act (NL) at s 4(a).

It is also a tort to use, without authorization, the name or likeness of a person for purposes of advertising or promoting the sale of, or any other trading in, any property or services.[8]See Privacy Act (BC) at s 3(2); Privacy Act (SK) at s 3(c); Privacy Act (MB) at s 3(c); and Privacy Act (NL) at s 4(c).

The plaintiff claimed that Hyp3R breached both of these torts in B.C., Saskatchewan, Manitoba, and Newfoundland and Labrador when it collected personal information without consent from the plaintiff and class members in each of these provinces and sold that information to third parties.

The remaining common law jurisdictions in Canada (i.e., Ontario, Alberta, New Brunswick, Nova Scotia, Prince Edward Island, Yukon, the Northwest Territories, and Nunavut) do not have statutes comparable to the privacy statutes described above. However, the common law tort of intrusion upon seclusion is available in these jurisdictions. The plaintiff alleged that, through its unauthorized collection, retention, and use of class members’ personal information, Hyp3R committed the tort of instruction upon seclusion against class members in these jurisdictions.

The Court found that the plaintiff had pleaded claims that demonstrated causes of action on behalf of class members both in the four provinces with privacy statutes and in the remaining common law jurisdictions.

ii.        There was an identifiable class of two or more persons

The plaintiff sought an order defining the class as all persons in Canada (excluding Quebec) who were Instagram users with profile settings set to public at any time between April 4, 2018 and the date of certification of the action at issue. The Court concluded that the class as so defined had objective criteria and appeared to be clear.

iii.      The claims of the class members raised common issues

The Court found that the common issues as proposed met the requirements for certification.

iv.       A class proceeding was the preferable procedure for the fair and efficient resolution of the common issues

The plaintiff argued that Hyp3R’s misconduct was uniform against people using its services, and that aggregating claims against Hyp3R under the Class Proceedings Act[9]Class Proceedings Act, RSBC 1996, c 50 [Class Proceedings Act]. was beneficial to class members and to the Court. The Court agreed with these submissions and concluded that a class proceeding was the preferable procedure for resolution of the common issues.

v.        There was an appropriate representative plaintiff

The plaintiff, Catherine Severs, was a class member, and an Instagram user with her privacy settings set to public at the relevant times. The Court was satisfied that Ms. Severs was an appropriate representative of the class and met the requirements for certification.

Judgment on the Common Issues and Assessment of Damages

As these were default proceedings, the plaintiff was entitled to proceed on the basis that the allegations set out in the notice of civil claim were true. Based on the deemed admission of the allegations of fact in the notice of civil claim, along with affidavit evidence filed by the plaintiff, the Court was satisfied that there had been a violation by Hyp3R of the privacy of class members in each of the four provinces with privacy statutes, through the intentional and unauthorized collection of information (which the Court characterized as surveillance) and use of names and photographs of class members for commercial purposes. With respect to the tort of intrusion upon seclusion, the Court similarly concluded based on the evidence and the deemed admissions that the conduct of Hyp3R was intentional, that it involved the invasion of class members’ privacy without lawful justification, that a reasonable person would regard that invasion as highly offensive, and that a reasonable person would be caused distress, humiliation or anguish.

The Court determined that each class member should be entitled to $10 in damages. The award applies only to Instagram users who had their accounts on a public rather than a private setting at the relevant times, which includes more than 2.4 million users.

Takeaways

The decision in Severs v Hyp3R appears at odds with the more recent decision of the court in the Chow v. Facebook, Inc[10]2022 BCSC 137. class proceedings. The B.C. Supreme Court in this case has clearly stated that the intentional and unauthorized collection and commercial use of personal data from public social media profiles constitutes a breach of the Privacy Act (in British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador) as well as the tort of intrusion upon seclusion (in the remaining Canadian common law jurisdictions). In contrast, the court’s decision in the recent Facebook case suggested that these kinds of claims were too individualized and not suitable for class proceedings.

Ultimately, the result in this case is probably more a function of the claim not being defended on its merits and the result of the default judgment, more than anything. Going forward it will prove interesting to see whether this case or the Facebook decision is the leading law in BC on these types of claims.

By Joan Young and Mala Milanese

References

References
1 Severs v Hyp3R Inc, 2021 BCSC 2261 [Severs v Hyp3R].
2 Privacy Act, RSBC 1996, c 373 [Privacy Act (BC)].
3 Privacy Act, RSS 1978, c P-24 [Privacy Act (SK)].
4 Privacy Act, CCSM, c P125 [Privacy Act (MB)].
5 Privacy Act, RSNL 1990, c P-22 [Privacy Act (NL)].
6 See Privacy Act (BC) at s 1; Privacy Act (SK) at s 2; Privacy Act (MB) at s 2; and Privacy Act (NL) at s 3(1).
7 See Privacy Act (BC) at s 1(4); Privacy Act (SK) at s 3(a); Privacy Act (MB) at s 3(a); and Privacy Act (NL) at s 4(a).
8 See Privacy Act (BC) at s 3(2); Privacy Act (SK) at s 3(c); Privacy Act (MB) at s 3(c); and Privacy Act (NL) at s 4(c).
9 Class Proceedings Act, RSBC 1996, c 50 [Class Proceedings Act].
10 2022 BCSC 137.

Insights (5 Posts)View More

Featured Insight

Ten Years Later: The Justifiable Expectations Standard and the Evolution of Public Interest Powers in Canada

In this paper, the authors revisit the standards applied under the OSC's public interest jurisdiction, their shortcomings, and the need for a new framework.

Read More
Oct 15, 2024
Featured Insight

British Columbia’s New Money Judgment Enforcement Act: An Overview

An overview of the new British Columbia Money Judgment Enforcement Act.

Read More
Oct 11, 2024
Featured Insight

Navigating the Grey (Part 2): Deciphering the Meaning of the term “Making” under Section 42 of the Canadian Patent Act.

The Federal Court of Canada provides further clarity on the meaning of the term "making" under Section 42 of the Patent Act.

Read More
Oct 10, 2024
Featured Insight

McMillan’s Annual Privacy, Data Protection and Cybersecurity Client Seminar

This program will provide an overview of recent significant decisions and regulatory guidance, along with discussions about the privacy implications of AI and how deceptive design patterns could be impacting your organization’s legal compliance.

Details
Thursday, October 24, 2024
Featured Insight

Risking More than Just a Bad Review: Employer Found Vicariously Liable for Acts of Employee in Providing Services

Are employers focused on claims of harassment or discrimination by employees against members of the public who are receiving services from the employer?

Read More
Oct 9, 2024