Insights Header image
Insights Header image
Insights Header image

Reviving Data Breach Class Actions: BC Court of Appeal Breathes New Life into Canadian Privacy and Cybersecurity Litigation

July 18, 2024 Privacy & Data Protection Bulletin 5 minute read

Two recent BC Court of Appeal decisions revive support for Canadian data breach class actions after the viability of such proceedings was recently stifled by a trio of decisions by the Ontario Court of Appeal.

Why This Is Important

A burgeoning question in class actions that follow a data breach is whether individuals can claim damages for breach of privacy against companies that have fallen victim to a cybersecurity attack for their alleged failure to adequately protect personal information in their custody or control.

The BCCA recently answered this question with a resounding “yes” in a pair of decisions in Campbell v. Capital One Financial Corporation[1] and G.D. v. South Coast British Columbia Transportation Authority.[2] These decisions signify a marked departure from a trio of decisions by the Ontario Court of Appeal which held that organizations that collect and store personal information about individuals (commonly referred to as “database defendants”) cannot be held liable for the common law breach of privacy tort of “intrusion upon seclusion” if the data breach was caused by an unknown, malicious third party.

The Ontario trilogy materially impacted the viability of Canadian class actions because, while plaintiffs can pursue other claims against database defendants, such as negligence or breach of contract, those causes of action often require proof of actual pecuniary loss, which is difficult to establish on a class-wide basis. Accordingly, by eliminating the potential for plaintiffs to allege the privacy tort – which, crucially, allows for claims of damages without proof of loss – the Ontario trilogy weakened support for the argument that a class proceeding is a preferable procedure to pursue damages in the circumstances.

While the BCCA agreed with the Ontario trilogy that the common law tort is not viable against database defendants, it found that database defendants can still be liable for statutory breach of privacy torts established under BC’s Privacy Act and similar legislation in other provinces (which are also actionable without proof of loss).

Background of the Cases Before the BCCA

Campbell relates to a significant cyberattack that resulted in a data breach affecting millions of individuals across Canada and the United States. In this case, a hacker accessed a major credit card company’s database and downloaded personal financial information of millions of current and former cardholders and applicants. The plaintiff sought to certify a class action based on various causes of action, including statutory and common law breaches of privacy. The judge certified the statutory claim (among other causes of action) but found that it was plain and obvious that common law claim was bound to fail.

G.D. relates to a data breach at TransLink following a successful phishing attempt by third party hackers that affected approximately 39,000 employees and related individuals. The impacted information included bank information, birth dates, addresses, and social insurance numbers. Like in Campbell, the plaintiff sought to certify a class action based on various causes of action, including statutory and common law breaches of privacy. The judge refused to certify the statutory and common law breach of privacy claims on the basis that such claims were bound to fail since they can only be directed at the hacker and not the organization that was victim to the attack.

In both decisions, the BCCA found that database defendants could be held liable for the statutory privacy torts for failing to adequately safeguard personal information from a data breach.

Reconciling the BC and Ontario Decisions

In reaching its conclusion, the BCCA acknowledged the departure from the Ontario trilogy referenced above. However, in doing so, the Court emphasized that the statutory and common law torts are not mirror images of each other and, accordingly, do not apply to the same scope of conduct.

The statutory tort established under BC’s Privacy Act provides that “It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.”

In contrast, the elements of the common law tort are that:

  1. the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the “conduct requirement”];
  2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the “state of mind requirement”]; and
  3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the “consequence requirement”].

Both the BC and Ontario courts agree that the common law tort is inapplicable against database defendants because the first element of the tort requires that the defendant must invade or intrude upon a plaintiff’s private affairs or concerns. In this regard, database defendants do not do anything that could constitute an act of intrusion or invasion and, rather, such conduct is committed by the unknown third parties that act contrary to the interests of the database defendants they attack.

The BCCA found, however, that where the common law tort focuses on the active conduct of “invasion” and “intrusion”, the statutory tort is broader in that it can also apply to the failure to safeguard personal information in a manner that aligns with an individual’s reasonable expectations of privacy. As such, a party may willfully violate the privacy of another under the Privacy Act by failing to act when there is an obligation to do so[3], or by acting with reckless indifference.[4] The BCCA found that depending on the circumstances, it is not unreasonable to assert that the party entrusted to protect personal information has committed the statutory tort when they fail to safeguard personal information from attack.

Key Takeaways

The BCCA’s decisions in Campbell and G.D. mark a significant shift in data privacy law that can fairly be anticipated to encourage a significant increase in proposed data breach class actions in BC and in other provinces that have established similar statutory breach of privacy torts. The perception of British Columbia as a more favorable environment for advancing class claims will continue to drive increased filings in BC courts over Ontario.

If the unsuccessful parties in Campbell or G.D. seek leave to appeal to the Supreme Court of Canada, the legal issues seem ripe for Supreme Court of Canada review. Given the significant differences between the appellate jurisprudence in Ontario versus British Columbia, the Supreme Court may feel the need to clarify the law and provide guidance in this rapidly evolving area.

These rulings also highlight the importance of continually reviewing and improving upon safeguards to protect against foreseeable cybersecurity threats. Cybersecurity is an ongoing process that requires constant improvement and adaptation. Organizations should therefore regularly assess their security posture, identify areas for improvement, and implement measures to address emerging threats and vulnerabilities. The failure to do so will most certainly increase the risk of successful claims.

[1] Campbell v Capital One Financial Corporation, 2024 BCCA 253 [“Campbell”].
[2] G.D. v South Coast British Columbia Transportation Authority, 2024 BCCA 252 [“G.D.”].
[3] Odhavji Estate v Woodhouse, 2003 SCC 69.
[4] Peracomo Inc. v TELUS Communications Co., 2014 SCC 29.

by Joan M. Young, Mitch Koczerginski, Darlene Crimeni, and Claire Wanhella

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024

Insights (5 Posts)View More

Featured Insight

What’s New in the FAQs: Recent Competition Bureau Guidance on the Amendments to Canada’s Competition Act

Commenting on the Competition Bureau's FAQs describing how the Bureau will enforce the amended merger and reviewable conduct provisions of the Competition Act.

Read More
Dec 3, 2024
Featured Insight

Developer-Friendly Changes Proposed for Ontario’s Record of Site Condition Regime

Ontario is proposing to amend its Record of Site Condition legislation to streamline brownfield development and support other development projects.

Read More
Dec 3, 2024
Featured Insight

Buyer’s Remorse: Asset Purchaser Liable for Pre-Closing Employment Liabilities of Vendor

In a recent British Columbia decision, an asset purchaser was held liable for the pre-closing employment-related liabilities of the vendor.

Read More
Nov 29, 2024
Featured Insight

Reducing NSF Fees: Proposed Regulations Amending the Financial Consumer Protection Framework Regulations

The Governor in Council announced a proposal to amend regulations aimed at reducing non-sufficient funds (NSF) fees.

Read More
Nov 27, 2024
Featured Insight

Federal Court of Appeal Upholds Arrears Interest on Non-Existent Tax Debts: Bank of Nova Scotia v Canada, 2024 FCA 192

The Federal Court of Appeal upheld the charging of "arrears interest" on notional income tax liabilities that are completely offset by carry-backs.

Read More
Nov 27, 2024