Recent trends in Canadian privacy litigation

  • November 19, 2020
  • Chloe Snider

There has been an increase in privacy litigation across Canada in recent years, concurrent with (or perhaps resulting from) the increasing importance of privacy to Canadians, the development of the common law privacy torts and the new federal requirement to report data breaches that give rise to a real risk of significant harm.[1] This article addresses the trends that have emerged as litigation has increased: (1) class actions; (2) the development of the common law privacy torts; and (3) privilege issues relating to expert reports prepared following data breaches.

Privacy class action trends

Certification

One of the most important privacy litigation trends is the certification of many proposed privacy class actions in Canada. The British Columbia Court of Appeal’s decision upholding the certification of the class action in Tucci v Peoples Trust Company[2] is the most recent example in a long list of certified privacy class actions.

The only exception to this trend has been the few cases where there are no common issues among proposed class members or no provable losses.[3]

Recent privacy class actions can be grouped into three categories:

  1. Cases involving third-party hackers: Recent cases have involved: an anonymous hacker accessing a defendant’s computer system, taking personal information of customers, employees and suppliers and, when ransom demands were not met, posting the information on the internet;[4] and cybercriminals gaining unauthorized access to a defendant’s databases, taking website users’ personal information, and using it to attempt to solicit money and information.[5]
  2. Cases involving employees: These cases involve either innocent conduct, for example the loss of a storage device containing personal information;[6] or intentional misconduct, for example, where a “rogue” employee intentionally takes personal information collected by his or her employer in an effort to seek retribution or otherwise harm their employer. Ari v Insurance Corporation of British Columbia involved an alleged privacy breach by an employee who sold private information to a criminal organization. The action was certified as the court found that the vicarious liability claims were not bound to fail. Most recently, the BC Supreme Court rejected the defendant’s motion to deliver a third-party notice in the class action against the wrongdoer and to consolidate the class action with the existing action against the third party.
  3. Cases involving use without consent: These cases do not involve data breaches, but rather a use without consent of personal information collected by the defendant, for example: use of class members’ names and images without their knowledge or consent in an advertising program,[7] and use of personal information of customers for a marketing initiative.[8]

It is possible that Ontario’s new Bill 161[9], which came into force on Oct. 1, 2020, will affect if and when privacy (and other) class actions are certified in Ontario, as the changes to Ontario’s class action regime are expected to make certification more challenging.

Vicarious liability

An important theme that emerges from the privacy class action landscape is the possibility of vicarious liability for the misuse of personal information by a company employee. Although there has not yet been a merits decision in Canada on vicarious liability in the privacy context, as set out above, privacy class actions involving claims of vicarious liability have been certified. Accordingly, companies should be aware of the significant risk posted by internal actors and should take steps to protect against such risks.

In April 2020, the United Kingdom’s Supreme Court released an important decision on vicarious liability, declining to find that a defendant was vicariously liable for a rogue employee’s theft of payroll data of nearly 100,000 employees, which he posted on the internet in a deliberate attempt to harm the company.[10] The court held that the employee was acting distinctly from his employer’s interests, not furthering them. This case may be informative to Canadian courts as they continue to consider this issue.

Carriage fights

The last class action litigation trend is carriage fights, where different counsel have started class actions relating to the same underlying alleged privacy breach. In 2020, the Ontario Superior Court of Justice decided carriage issues in two different sets of class actions that involved data breaches.[11] This may be a sign of the importance and prevalence of privacy class actions among the class actions bar.

Development of the common law privacy tort

The fourth privacy tort

The common law privacy torts recognized in Canada were developed from Professor William Prosser’s “four-tort catalogue,” which includes the following four privacy torts:[12]

  1. Intrusion upon seclusion
  2. Public disclosure of private facts
  3. Misappropriation of personality, and
  4. Publicly placing a person in a false light

On Dec. 19, 2019, the Ontario Superior Court of Justice released its decision in Yenovkian v Gulian,[13] in which it recognized the last privacy tort: “publicly placing a person in a false light.” This tort protects an individual’s “right to control the way they present themselves to the world.” Liability for giving publicity in a manner concerning another that places the other before the public in a false light attaches where: (i) the false light in which the other is placed would be highly offensive to a reasonable person, and (ii) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed. The publicity must only show the person “as other than they are,” rather than “as worse than they are,” There is no damages cap, like the $20,000 cap for the tort of intrusion upon seclusion.

Privacy statute v common law torts – the battle continues

In B.C., the courts have consistently held that there is no common law tort for breaches of privacy in the province because of the similar statutory cause of action under the Privacy Act, R.S.B.C. 1996, c. 373. However, in Tucci v Peoples Trust Company, the B.C. Court of Appeal stated in obiter that whether a common law tort can exist in B.C. was an “interesting question” for a future case. The court stated that it was “unfortunate” that the plaintiffs did not appeal the chambers judge’s conclusion that the tort did not exist in B.C. because “the time may well have come” for the court to revisit the issue, noting that prior judgments were largely conclusory and perhaps outdated. We may therefore see more litigation on this issue.

Expert reports and privilege

In response to a data breach, companies typically retain experts to investigate the breach and prepare a report. Where there is a subsequent regulatory investigation or litigation, there is a risk that the report may be producible, unless the company can establish that it is protected by litigation or solicitor-client privilege. There has been recent case law in both Canada and the United States on this important issue.

The Information and Privacy Commissioner of Ontario released a decision on March 30, 2020, rejecting the subject company’s claims of privilege over expert reports created by third party cybersecurity firm.[14] With respect to litigation privilege, the IPC found that the company did not provide sufficient evidence that the reports were created for the dominant purpose of litigation; and that the reports would have been prepared regardless of any litigation based on the company’s statutory obligations to identify, contain, investigate and remediate the breach. The IPC also rejected the claims of solicitor-client privilege, as the company did not indicate which documents were made to or from counsel, or how they were made for the purpose of seeking legal advice. Accordingly, the expert reports were producible.

Conclusion

These recent trends show the significant developments in privacy litigation over recent years. With the expected modernization of both federal and provincial privacy laws that will likely affect (and increase) privacy rights, it is expected that privacy litigation will also increase. However, Ontario’s new class action regime may affect the number of new privacy class actions that are certified. All of this will create a dynamic landscape for privacy litigation in the coming years.

Chloe Snider is a partner with Dentons Canada LLP. The author thanks Kirstin AuCoin, an articling student at Dentons, for her assistance with this paper.

End notes

[1] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, section 10.1

[2] 2020 BCCA 246 [Tucci].

[3] See Kaplan v. Casino Rama, 2019 ONSC 2025 [Kaplan] and Broutzas v Rouge Valley Health System, 2018 ONSC 6315.

[4] Kaplan, supra.

[5] Tucci, supra.

[6] Condon v. Canada, 2015 FCA 159.

[7] Douez v. Facebook, 2018 BCCA 186.

[8] Tocco v. Bell Mobility, 2019 ONSC 2916.

[9] The Smarter and Stronger Justice Act, 2020.

[10] WM Morrison Supermarkets plc v Various Claimants, [2020] UKSC 12.

[11] MacBrayne v. LifeLabs Inc., 2020 ONSC 2674 and Del Giudice v Thompson, 2020 ONSC 2676.

[12] Jones v. Tsige, 2012 ONCA 32.

[13] 2019 ONSC 7279.

[14] PHIPA Decision 114.