The proliferation of privacy-related class actions in 2023 continued the trend of plaintiffs seeking recourse for data breaches affecting the personal information of customers, employees and others held by organizations. While some privacy class proceedings were certified, courts have strictly scrutinized the viability of data breach-based claims. Towards the end of 2023, class counsel were increasingly struggling to convince the courts to certify. Another emerging privacy litigation trend in 2024 is the extent to which privacy rights may be exerted over documents produced in the course of litigation. Organizations increasingly sought to avoid production of documents that contained personal information based on concerns over confidentiality. To date, courts have generally ruled on the side of disclosure and open courts.
Recent key decisions:
Federal
- John Doe v. Canada, 2023 FC 1636: This case arose from Health Canada’s mass mail-out of letters to participants in the Marihuana Medical Access Program (MMAP), which displayed the sender’s return address as “Marihuana Medical Access Program” and the full name and address of the recipient. The plaintiffs claimed the mail-out outed their participation in the program, disclosed their personal information and violated their right to privacy constituting negligence and a breach of confidence by Health Canada. The plaintiffs’ claim was certified as a class proceeding. The plaintiffs then brought a motion for summary judgment, which was granted in part. The Court dismissed the breach of confidence claim. Regarding the negligence claim, the Court found that Health Canada owed class members a duty of care in collecting, using, retaining and disclosing their personal information and that Health Canada breached that duty of care. However, the Court concluded that the plaintiffs did not establish that Health Canada’s breach of the duty of care caused class-wide damage to the class members; therefore, Health Canada’s liability for damages for negligence could not be determined in the class proceeding. Class members would instead have to pursue their damages claims by individual trials or assessments. According to the Court, the process for doing so would be determined separately by case management.
- 9219-1568 Quebec Inc. v. Canada (Privacy Commissioner), 2023 FC 1428: Subsidiaries of the company “MindGeek S.à r.l.,” whose primary business is adult content streaming services, applied to stay the publication of the Privacy Commissioner’s investigation report about a complaint against the company. The complainant alleged that Mindgeek collected, used and disclosed personal intimate images and videos and personal information without consent, contrary to the Personal Information Protection and Electronic Documents Act (PIPEDA). MindGeek obtained a confidentiality order sealing details of the investigation and a publication ban preventing publication of the report. In this decision, MindGeek sought to extend the publication ban and confidentiality order. The Court approved a revised confidentiality order, limited to protecting only those documents that might identify the complainant. However, the Court found that MindGeek did not successfully demonstrate that the benefits of the publication ban outweighed the negative effects of intruding on the open court principle, which requires court proceedings to be open to the public. The publication ban preventing publication of the Privacy Commissioner’s report was discontinued.
British Columbia
- Lang v. Lapp, 2023 BCSC 1901: The plaintiffs had attempted to enforce a judgment against the defendant in California, which was recognized in BC in 2009. This application was for orders related to an examination in aid of execution. As a judgment creditor, the plaintiff argued that they were entitled to certain documents ahead of the examination in aid of execution, but many of the documents produced by the defendant were redacted. The Court was asked to determine whether the defendant was obligated to provide unredacted documents that would disclose personal information of the defendant’s clients. The defendant argued that she was obliged to protect this information under BC’s Personal Information Protection Act (PIPA). The question of whether PIPA protects the personal information of non-parties had not yet been considered in the context of an examination in aid of execution. The Court ruled that the documents were relevant to the issues to be examined on and that the plaintiff required unredacted disclosure to assist with collection on the judgment. Accordingly, the application was granted.
- Situmorang v. Google, LLC, 2024 BCCA 9: The appellant appealed the dismissal of an application to certify a proposed class proceeding against Google regarding its use of facial recognition technology, arguing the claim did not disclose a a reasonable cause of action. The appellant alleged that Google had used facial recognition technology to extract, collect, store and use the facial biometric data of Canadians without their consent. The appellant claimed that this data was intrinsically sensitive personal information and that Google’s practices constituted a violation of privacy under the Privacy Act and the tort of intrusion upon seclusion. The BC Court of Appeal ruled that the notice of civil claim disclosed a cause of action under the Privacy Act and sufficiently pleaded the elements of the tort of intrusion upon seclusion. The Court of Appeal ordered that the viability of the privacy tort of intrusion upon seclusion in BC should be addressed by the court below, and remitted the issue to the BC Supreme Court. The order dismissing the action and the certification application was set aside.
- Lewis v. WestJet Airlines Ltd., 2024 BCSC 111: In this certified class action, the representative plaintiff claimed WestJet systematically breached its employment contracts with flight attendants by failing to properly address harassment. The plaintiff sought production of settlement documents regarding harassment complaints despite settlement privilege. She argued that there was an exception because she was not seeking to use them to establish WestJet’s liability, and also argued that there was a public interest in addressing workplace harassment that outweighed the public interest in promoting settlement. In addition to its discussion on settlement privilege, the Court stated that there was a concern about privacy interests in regards to producing the documentation, noting that privacy rights of third parties, while not an absolute bar to production, are considerations in determining the proper ambit of discovery once relevance has been established. The Court dismissed the application to produce the privileged documents.
Ontario
- Carter v. LifeLabs Inc., 2023 ONSC 6104: The Ontario Superior Court approved a settlement in a class action against LifeLabs regarding a data breach that potentially affected the personal information of 8.6 million individuals. The Court approved the settlement and counsel fees, but did not approve a request for a CA$2,500 honorarium for each representative plaintiff. The Court found there was no evidence that the class members’ personal information was actually affected by the data breach, and the settlement was a fair and reasonable result for the class members.
- Del Giudice v. Thompson, 2024 ONCA 70: The financial institution defendants collected data from people applying for credit cards and stored the data on the online wholesaler defendants server. The online wholesaler was hacked and the personal and confidential information provided to the financial institution was exposed or became vulnerable to exposure. The financial institutions customers whose data was breached sought to certify a class action against the financial institution and online wholesaler for various torts related to data misappropriation and misuse. The motion judge struck the plaintiffs’ pleadings and dismissed the certification motion without leave to amend, concluding that the purported class proceeding was “doomed to fail.” The plaintiffs appealed. The Ontario Court of Appeal agreed with the motion judge’s findings. The Court of Appeal found that the plaintiffs’ claim for intrusion upon seclusion did not have merit (among other non-privacy related claims) and dismissed the appeal.
- Highland Cannabis Inc. v. Alcohol and Gaming Commission of Ontario, 2024 ONSC 423: The plaintiff sued High Tide Inc. and the Alcohol and Gaming Commission (AGC) in the torts of intrusion upon seclusion and conversion regarding a data breach at the AGC. The plaintiff claimed that High Tide accessed data about the plaintiff’s sales and used it to the plaintiff’s detriment. The Court dismissed the claim as against High Tide, finding that it was plain and obvious that the claim could not succeed. According to the Court, the plaintiff failed to plead a legally viable cause of action for intrusion upon seclusion or conversion. Regarding intrusion upon seclusion, there was no allegation that High Tide sought out the data or was involved in the breach. Therefore, there was no “intentional act” by High Tide, which is a required element of the tort.
Key takeaways:
- Class action scrutiny: Courts are critically assessing the actual harm caused by data breaches in privacy-related class actions, often resulting in certification hurdles and challenges in assessing aggregate damages.
- Intrusion upon seclusion claims face high bar: A claim alleging the tort of intrusion upon seclusion must properly plead all elements of the tort, including the requirement of an intentional act, or risk being struck. Defendants facing an allegation of intrusion upon seclusion may successfully defeat such a claim at an early stage of the proceeding on this basis. There is a judicial consensus emerging (at least in Ontario) that an organization that is the victim of a data breach cannot be liable for intrusion upon seclusion. The existence of the tort in jurisdictions with statutory torts for breach of privacy is also still unclear. The British Columbia Court of Appeal has twice commented on the ambiguity in the law in the Situmorang decision (summarized above) and Tucci v. Peoples Trust Company, 2020 BCCA 246.
- Privacy vs. disclosure: Courts are increasingly being called upon to balance privacy rights and organizations’ obligations to protect personal information with litigants’ right to document disclosure in court and regulatory proceedings. To date courts have generally favoured disclosure over protection, emphasizing the principle of open courts.
For more information, please contact the co-authors Kelly Osaka or Luca Lucarini.
A special thanks to Kathryn Gullason, research associate, for her assistance with this article.