Class action lawsuits based on data breaches or alleged misuse of personal information continue to be a major feature of the privacy and cybersecurity landscape. Historically, the majority of such claims have been certified. However, more recently, courts have begun to refuse to certify due to an insufficient “basis in fact” regarding the damage or harms claimed. The recent decision of the BC Superior Court in Chow v Facebook illustrates this trend.[1]
The claim
Advancing claims based on violations of the BC Privacy Act,[2] the tort of unlawful means and unjust enrichment, the plaintiffs alleged that the defendant had:
- Scraped call and text message data from users of its Messenger applications on Android OS, by surreptitiously collecting call and text message data from users under the guise of accessing their contacts to supply its friend recommendation algorithm.
- Deliberately employed secret workarounds to collect the data without users’ informed permission or knowledge, by exploiting the interaction between the messenger app and the Android OS.
- Collected, used, retained and commercialized the call and text message data it obtained from users, and profited from that collection at users’ expense.
The certification decision
The court found that the plaintiffs had failed to lead sufficient evidence to support their allegations that the defendant had “collected, used, retained and commercialized” the call and text data and “profited from that collection at users’ expense”. Specifically, the court found that:
- The representative plaintiffs’ own affidavits did little more than establish that they had both used an Android phone to access the defendant’s apps; and
- The plaintiffs’ expert evidence, at best, supported only a finding that the defendant may have collected Messenger users’ call and text data. What was missing, though, was any basis in fact for the allegations relating to the alleged misuse of the data.
This left the plaintiffs relying on the affidavit of a paralegal employed by their lawyer, which essentially consisted of documents obtained by way of internet searches:
- An opinion piece from the magazine Arts Technica reporting on a man in New Zealand who had discovered that the defendant had collected call data from his Android phone, and which suggested that its apps defaulted to opt-in for the call and text data feature;
- A disclosure package released by the UK government consisting of notes made by the chair of a parliamentary committee examining digital issues, as well as leaked internal company emails discussing a proposed permissions update.
After reviewing authorities on the admissibility and use of information obtained from the Internet, the court found that because the paralegal had no personal knowledge of these materials and could not attest to their reliability, they were inadmissible. The court further found that even if they were, the materials provided no basis in fact for the plaintiffs’ allegation that the defendant had used or misused call and text data to enrich itself at the expense of users of Messenger. In essence, the court accepted the defence’s argument that the plaintiffs’ claim had been “downloaded from the Internet.”
Having found the plaintiffs’ evidence wanting, the court nonetheless went on to consider the test for certification under the Class Proceedings Act.[3]
Causes of action
The court found the plaintiffs had properly pleaded a cause of action under s. 1 but not s. 3(2) of the Privacy Act. The court also held that the claims for unjust enrichment and unlawful means failed the pleadings threshold.
The court found that the plaintiffs had pleaded material facts concerning the alleged collection, retention and use of call and text data obtained from users without their knowledge or consent, which resulted in a loss of privacy. Thus, the pleading disclosed a cause of action under s. 1 of the Privacy Act, which requires a plaintiff to show that a tortfeasor has willfully, and without a claim of right, violated their privacy.
However, the court found that the plaintiffs had not pleaded the essential elements of the tort under s. 3(2) of the Privacy Act, which requires a plaintiff to show that a person has used their name or portrait for the purpose of advertising or promoting the sale of, or other trading in, property or service without consent. The court found that the plaintiffs had not pleaded that the company had actually used their name or portrait (or that of any putative class member), nor had they pleaded that any such use was for the purpose of advertising or promoting the sale of, or other trading in, property or services. The court further found that the plaintiffs had not pleaded any material facts to support their claim under s. 3(2).
Moving to the claim of unjust enrichment, the court found that the plaintiffs had not pleaded any material facts about the alleged deprivation. Moreover, they had not pleaded any material facts setting out the nature or extent of any value in the call and text data. With respect to the claim of unlawful means, the court found that the plaintiffs had not pleaded material facts to support an economic value in their private information or damage to their economic interests, as required.
Common issues
The court found that the plaintiffs’ surviving claim, s. 1 of the Privacy Act, failed the common issues test. This was because under s. 1 of the Privacy Act, in order to determine whether the impugned conduct constitutes a breach of privacy, the court must consider what is “reasonable in the circumstances” and, further, must have regard for the “nature, incidence and occasion of the act of conduct and to any domestic or other relationships between the parties.” The court found that this requires consideration of the specific context in which an act or conduct occurs and the individual circumstances of the person claiming a breach. Since the plaintiffs had failed to establish any basis in fact to conclude that reasonableness and context could be proved on a class-wide basis, the question whether the defendant had breached s. 1 of the Privacy Act was not determinable on a class-wide basis.
Preferable procedure
The court held that the objectives of judicial economy, access to justice and behaviour modification were not engaged here. There was no evidence of any actual loss or harm to the plaintiffs. And, any benefits of proceeding as a class action were disproportionate to the time required, and the complexity and expense of doing so.
Takeaways
As noted above, this decision illustrates the courts’ increasing skepticism towards the certification of privacy-related class actions. In the past, courts were often content to let the strength of plaintiffs’ claims be tested at trial. Now, they seem prepared to exercise a gatekeeping function at the certification stage. A business finding itself embroiled in such litigation will want to expose any qualitative issues in the plaintiffs’ pleadings and evidence to persuade the court that there is a fatal absence of any “basis in fact”, as in Chow.
If you have any questions about this insight, please reach out to Luca Lucarini.
[1] 2022 BCSC 137.
[2] RSBC 1996, c 373.
[3] RSBC 1996, c 50.