Welcome to the first instalment of Dentons’ quarterly privacy litigation digest in 2025. In this issue, we review the development in Home Depot’s class action proceedings in relation to sharing customers’ personal information with Meta, along with other key privacy decisions.
In our previous issue, we canvassed privacy litigation trends including: the requirement for data custodians to obtain meaningful consent from third parties to use their personal information; BC case law finding data custodians may be liable for data breaches if they fail to adequately safeguard personal information; and “openness” in BC to revisiting the issue of the existence of common law privacy torts in that province.
Home Depot class action saga continues
Another class action has been certified against Home Depot in relation to its alleged disclosure of customer information to a third party, Meta Platforms Inc. (a class action was previously authorized for invasion of privacy under the Québec Charter, and a proposed class action has been filed in Saskatchewan).
Case summary: Hvitved v. Home Depot of Canada Inc., 2025 BCSC 18
Home Depot estimated that it may have shared about 6.85 million unique hashed email strings with Meta during the relevant time period, all gathered from customers who requested to receive an electronic email receipt. The data sharing agreements in place between Home Depot and Meta permitted Meta to use the Home Depot customer information not just to assess Home Depot’s advertising efforts, but also to improve Meta’s own products, including user profiling and targeted advertising.
The plaintiff applied to certify a class action in British Columbia on behalf of all customers in Canada (excluding Québec) who provided their email address for the purpose of receiving an electronic receipt when making a purchase at a Home Depot store. The proposed class alleged the tort of intrusion upon seclusion; breach of privacy statutes in BC, Saskatchewan and Newfoundland and Labrador; common law duties; contractual obligations; and unjust enrichment. Home Depot argued in the first part of the certification test that no cause of action existed because customers had no reasonable expectation of privacy in the data shared with Meta, and there is no privacy interest in contact information such as an email address.
The Court certified the action on the basis of an alleged breach of the British Columbia Privacy Act, but struck the other causes of action. There was an argument before the Court about whether the tort of intrusion upon seclusion is available in BC; however, the Court found it was not necessary to engage with that issue based on its conclusion that the tort had not been made out on the pleadings.
Issues to watch
- Consumers are increasingly aware of their privacy rights and sensitive to perceived violations of those rights. The potential liability relating to privacy breaches is significant and class actions have been increasingly certified in privacy claims.
- Meaningful privacy policies and effective data agreements relating to the use of information by third parties remain critically important in protecting companies by demonstrating efforts to comply with privacy laws.
- If an organization can compile data for commercial purposes, it is likely to be assumed that it can also review and manage that data for the purposes of confirming if individual privacy rights have been impacted.
Recent privacy decisions:
- Vabuolas v. British Columbia (Information and Privacy Commissioner), 2025 BCCA 83 (Vabuolas): Two former Jehovah’s Witnesses (the Applicants) made a request under BC’s Personal Information Protection Act (PIPA) for their former congregations to provide them with their personal information. Section 23 of PIPA grants individuals the right to access their own personal information that is in the control of an organization. The congregations withheld certain information on the basis that it was privileged and confidential religious communication. The Applicants asked the Information and Privacy Commissioner to review the congregations’ decision to deny them access to the records. Upon the review, the congregations argued that certain provisions of PIPA are unconstitutional to the extent that they mandate the disclosure of confidential religious records. The Adjudicator held that ss. 23(1)(a) and 38(1) of PIPA infringe s. 2(a) (freedom of religion) of the Canadian Charter of Rights and Freedoms (Charter), but found the infringement to be justified under s. 1. She ordered the congregations to produce the disputed records to her pursuant to her power under s. 38(1)(b) of PIPA so she could determine what, if any, information the congregations were required to disclose.
The congregations sought judicial review of the Adjudicator’s decision; however, the chambers judge dismissed the petition, expressing substantial agreement with the reasons of the Adjudicator. The congregations appealed and the Court of Appeal dismissed the appeal. According to Horsman J.A., the Adjudicator erred in finding that ss. 23(1)(a) and 38(1)(b) infringe s. 2(a) of the Charter. Instead, properly interpreted, these provisions empower the commissioner to consider Charter rights when deciding whether to order the production of records. To the extent that a production order unjustifiably infringes Charter rights, the source of the infringement is the production order itself and not the provisions of PIPA. In this case, Horsman J.A. found the production order proportionately balanced the appellants’ Charter rights with statutory objectives; therefore, the decision to issue the order was reasonable.
- Bower v. Vancouver City Savings Credit Union, 2025 BCSC 99: The defendant, Vancouver City Savings Credit Union (Vancity), brought a summary trial application to dismiss the plaintiff’s claim for breach of privacy and for false reporting of missed payments to credit data collection agencies. Vancity loaned money pursuant to a loan agreement to the plaintiff and his father to buy a property in joint tenancy. The loan was secured by a mortgage registered against the property. In 2012, the plaintiff’s father transferred his 50% interest in the property equally to the plaintiff and to the plaintiff’s three siblings. This transfer constituted a default under the mortgage, as it was done without Vancity’s knowledge or consent. Vancity eventually initiated foreclosure proceedings. Vancity disclosed loan and mortgage documents in its possession to the defendant, Michelle E. Guy, then counsel to the plaintiff’s three siblings. The plaintiff argued that this disclosure was a breach of his privacy. The plaintiff’s action was dismissed. While the Court found that the plaintiff had a privacy interest in the mortgage documents, this interest was circumscribed by the loan agreement and Vancity’s entitlement to use the documents for a legitimate business use. By disclosing the mortgage documents, Vancity did not violate the plaintiff’s privacy because the disclosure of the documents was not inconsistent with the scope of his privacy interest in the documents. Further, Vancity did not violate the plaintiff’s privacy “wilfully and without a claim of right,” which means the necessary elements to establish the statutory tort of breach of privacy were not proven.
- Quantz v. Ontario, 2025 ONSC 90: The plaintiff moved to certify a proposed class action arising from an alleged data breach by the province’s Ministry of Children, Community and Social Services in its operation of the Ontario Disability Support Program (ODSP). The program provides income support to eligible persons with disabilities. The plaintiff alleged that the unauthorized dissemination of confidential information outside of ODSP personnel identified the ODSP clients to each other. He further alleged that that action stigmatized him as being on the list of 45,000 ODSP clients and, in addition, provided information which could potentially be used to access his and all other ODSP clients’ case files. Those files contain personal medical information as well as confidential financial information about the clients. The plaintiff pleaded intrusion upon seclusion, negligence, breach of confidence and publication of private facts. The Court found that it was plain and obvious that the claim for intrusion upon seclusion could not succeed. The Court found that the Ministry employees who sent the information were persons acting within the Ministry’s authority and who, in the first instance, had a right to possess the data. Unfortunate as the errant email may have been, the offending element of intrusion—a key ingredient in the cause of action pleaded—was missing in this case. The Court also found it plain and obvious that the claims in negligence, breach of confidence and public disclosure of private facts could not succeed. Certification was denied.
- Royer c. Capital One Bank (Canada Branch), 2025 QCCA 217: This was an appeal and two cross-appeals from a decision of the Québec Superior Court, which authorized a class action arising from unauthorized access to confidential information held by the respondents, Capital One Bank (Canada Branch), Capital One Financial Corporation and Capital One Bank (USA), National Association (together, Capital One), and hosted on the respondent Amazon’s servers. A former Amazon employee illegally accessed the personal data of millions of Americans and Canadians collected by Capital One, and stored it on a personal server. Capital One discovered the breach when another hacker informed them of it. After notifying its customers, who were subject to the data breach, Capital One offered them two years of credit monitoring services and identity theft insurance. The appellant filed an application for authorization to institute a class action in Québec against Capital One and Amazon. The appellants allege the respondents were negligent by failing to adequately protect the personal information they collected from customers, keeping the information for too long, and failing to host the information in a secure environment. The judge partially authorized the class action against both Capital One and Amazon; however, not for all heads of damage. The judge limited the common issue for compensatory damages to whether the respondents are liable to pay member costs for monitoring their Capital One credit card accounts and statements for a period exceeding two years, and if so, what costs may be claimed? The appellants appealed this common issue, and the appeal was allowed. The Court of Appeal changed the common issue to the following: are the respondents liable to pay compensatory damages to the members and if so, in what amount?
Key takeaways
- Actual “intrusion” required in order to make out a claim in intrusion upon seclusion. The three-part test for the tort of intrusion upon seclusion requires, at the second stage, that “the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns” (Jones v. Tsige, 2012 ONCA 32 at para. 71). A person who shares data that they have the right to possess is not unlawfully invading the plaintiff’s private affairs, and therefore cannot be found liable for the tort.
- The requirement that an organization provide a person’s personal information that is in their control upon request under BC’s Personal Information Protection Act does not violate s. 2(a) (freedom of religion) of the Canadian Charter of Rights and Freedoms. In the Vabuolas decision, the BC Court of Appeal reaffirmed that an administrative decision-maker is always required to proportionately balance Charter rights and values in exercising statutory discretion (unless the legislation clearly indicates otherwise). In Vabuolas, the Court of Appeal affirmed that the provisions of PIPA themselves do not violate s. 2(a) of the Charter; however, the Information and Privacy Commissioner for BC must always exercise their discretion under PIPA in a Charter-compliant manner.
- Although an individual has a reasonable expectation that a bank will not disclose their personal information to third parties, a bank may use customers’ personal information for a legitimate business purpose. Privacy interests are not absolute. As evidenced in the Bower decision (summarized above), using a customer’s personal information for a legitimate business purpose, such as to enforce a loan or a mortgage, is not a breach of privacy under BC’s provincial privacy legislation.
For more information, please contact Kelly Osaka, Victoria Merritt and Kathryn Gullason.