In this edition of Dentons’ quarterly privacy litigation digest, we review recent key privacy decisions, including a privacy-related class action where a BC Court certified a class proceeding against a health-tracking app that allegedly disclosed users’ personal information to third-party analytics companies and a BC Court decision finding that privacy laws apply to federal political parties. Additionally, in Québec, plaintiffs were authorized to bring privacy-related class actions against Google and Home Depot Canada. We further consider an emerging trend in privacy litigation—the use of Norwich orders to uncover anonymous online wrongdoers and cybercriminals.
You can access our previous update here where we canvassed trends including certification applications, data breach class actions and privacy rights versus open court access.
Recent key decisions:
- Lam v. Flo Health Inc., 2024 BCSC 391: A BC Court certified a proposed class action alleging the tort of intrusion upon seclusion, the tort of breach of confidence and breach of privacy legislation against Flo Health Inc., a technology start-up company that makes the Flo Health & Period Tracker App. Users entered personal health information into the app to track their menstrual cycles, among other things. To use the app, users must consent to Flo’s privacy policy which informed users that it would share certain personal information with third-party vendors in an aggregate and anonymous format. Flo entered into agreements with a number of analytic companies permitting them to use Flo’s user data for product promotion. In considering whether to certify the intrusion upon seclusion claim, the Court distinguished between cases where personal information is inadvertently disclosed to third parties (hackers), versus where a company intentionally discloses personal information to third parties (vendors). The Court found the latter included the intentional and unauthorized dissemination of personal information without consent and certified the intrusion upon seclusion claim against Flo. However, the Court refused to certify the tort of intrusion upon seclusion for BC or Alberta residents, as the tort has not been “expressly” recognized by the courts in those provinces.
  In considering whether the proposed common issues could be certified, the Court found that the nature of the information requested was similar for each user and was inherently personal and sensitive. The Court concluded it would be a matter for a common issues trial to determine whether the information was in an aggregated and anonymized form and whether meaningful consent to transfer sensitive data to third-party vendors had been obtained. The Court certified the action for breach of the statutory torts set out in the provincial privacy acts, intrusion upon seclusion (except for British Columbia and Alberta) and breach of confidence. The class includes all Canadian residents (excluding Québec) who used Flo between June 1, 2016, and February 23, 2019.
- Liberal Party of Canada v The Complainants, 2024 BCSC 814: The petitioners (the Liberal Party of Canada, the New Democratic Party of Canada and the Conservative Party of Canada) sought to quash a decision of the Office of the Information and Privacy Commissioner for British Columbia (OIPC) holding that BC’s Personal Information Protection Act (PIPA) is constitutionally applicable to the collection, use and disclosure of personal information in BC by federal political parties registered under the Canada Elections Act. The petitioners also sought declarations that PIPA does not apply to them and that the OIPC does not have jurisdiction over them. The issue before the Court was whether a valid provincial privacy law of general application is applicable to federal political parties. The Court dismissed the petition, finding that PIPA does not result in an operational conflict with the Canada Elections Act or frustrate a valid federal purpose. According to the Court, PIPA was designed to “dovetail” with federal laws, to exclude its application to organizations subject to PIPEDA and to specifically allow for the non-consensual collection, use and disclosure of personal information where authorized by valid federal laws such as the Canada Elections Act.
- Ari v Insurance Corporation of British Columbia, 2024 BCSC 964: In this case, the Court considered the amount of damages that should be awarded in a class action. The class action arose when an ICBC employee improperly accessed and sold the personal information of 79 ICBC customers. The information was used to target 13 individuals in arson and shooting attacks. In reasons for judgment following a summary trial,[1] the Court found that the employee’s conduct violated the BC Privacy Act and that ICBC was vicariously liable. ICBC’s appeal from the judgment was dismissed.[2] The issue before the Court in this decision was the assessment of class-wide damages. The Court noted that there is a “need for accountability” for large organizations that are storing vast amounts of personal information. As there were similarities between this case and the 2012 Ontario Court of Appeal case of Jones v Tsige, the Court used that case as a guideline. Since the breach of privacy in this case was more serious than that in Jones, the Court concluded that an award of CA$15,000 per class member was appropriate.
- Homsy c. Google, 2024 QCCS 1324: The plaintiff applied for authorization to institute a class action against Google LLC in regards to its facial biometrics technology. According to the plaintiff, Google violated privacy rights by extracting, collecting, preserving and using facial biometric data without providing sufficient prior notice, obtaining informed consent or publishing biometric data preservation policies, which are requirements under the Québec Act respecting the protection of personal information in the private sector. The Québec Superior Court initially dismissed the authorization application; however, the Québec Court of Appeal found that the trial judge erred in concluding there was no arguable case and reverted the decision back to the trial judge for redetermination. In this decision, the trial judge authorized the plaintiff to bring a class action for damages against Google for violating the Civil Code of Québec, the Act respecting the protection of personal information in the private sector, the Charte des droits et libertés de la personne (the Québec Charter) and the Québec Consumer Protection Act.
- Option Consommateurs c. Home Depot of Canada Inc., 2024 QCCS 1305: The plaintiff requested authorization from the Québec Superior Court to bring a class action against Home Depot Canada Inc. According to the plaintiff, Home Depot breached customers’ privacy by sharing their personal information with Meta Platforms Inc. and Facebook without their consent. The information that was allegedly improperly shared included encrypted email addresses, the amount of the transaction and the category of goods purchased. For customers with active Facebook accounts, Meta could decrypt the email addresses and identify the customers. The proposed class includes any person with an active Facebook account who purchased or rented a good or service in Québec from Home Depot in store and provided their email address between January 1, 2018, and October 30, 2022. The Court authorized the class action for invasion of privacy under the Québec Charter. No other causes of action were authorized.
Norwich orders and cyberattacks:
Canadian businesses that have experienced cyberattacks often find that the information necessary to bring a legal proceeding is in the possession of a third party. Norwich orders are a tool litigants are increasingly relying on to identify wrongdoers or obtain information necessary to commence a legal proceeding. In the context of cybersecurity, Norwich orders may be used to identify the perpetrators or victims of cyberattacks.
A Norwich order may be granted where:
- The applicant demonstrates a valid or reasonable claim;
- The applicant establishes that the third party from whom information is sought is somehow involved in the acts complained of, but may be innocently involved (i.e., a company that is the victim of a cyberattack);
- The third party is the only practicable source of the information (but need not be the only source);
- The third party from whom the information is sought must be reasonably compensated for any expenses arising from compliance with the order; and
- The interests of justice favour the granting of the order.[3]
For example, in Rogers Communications Inc. v. Voltage Pictures, LLC, 2018 SCC 38, copyright owners obtained a Norwich order to compel an internet service provider to disclose the identity of a person suspected of infringing the owner’s copyright. The issues in Voltage Pictures focused mainly around compensation for the costs of complying with the Norwich order.
In another case, Bungie Inc. v. TextNow Inc., 2022 ONSC 4181, a company obtained a Norwich order to identify persons harassing its employees with threatening phone calls, text messages and voicemails. Although the applicants had no intention of suing the perpetrators in Ontario, the Court held that Norwich orders ought to be available to help identify people who harass others with racism, dox or exploit personal information and make overt threats of physical harm and death.[4] According to the Court, obtaining discovery of the identity of a purported criminal and civil wrongdoer is a recognized purpose of a Norwich order.[5]
However, in CDW Canada Inc. v. Ali, 2022 ONSC 4520, the Court denied a motion seeking a Norwich order since it was not necessary for the action to proceed and there were other practicable sources of the information being sought. In CDW Canada, the defendant, a marketing specialist at CDW Canada Inc., engaged a company called Spacecaps to provide marketing services to CDW. Unbeknownst to CDW, Spacecaps was a sole proprietorship created by the defendant employee. Over 6 years, the defendant granted Spacecaps (i.e., himself) contracts worth hundreds of thousands of dollars in his capacity as a marketing specialist at CDW. CDW sued the defendant employee, among others, and sought a Norwich order to compel certain banks to produce information about bank accounts held by the defendants. The defendants did not object to providing the banking information but objected to the issuance of the Norwich order to the banks. The Court held that it was not appropriate to issue a Norwich order in the circumstances. In the Court’s view, a Norwich order was not necessary for the action to proceed and third-party banks were not the only practicable source of information, given the defendants’ willingness to provide the information.
While Norwich orders arise in a variety of cases, they are increasingly being used to identify anonymous online wrongdoers. In this capacity, there is scope to use Norwich orders in litigation involving cyberattacks since it may be difficult to otherwise identify either the perpetrators or the victims of cyberattacks. However, Norwich orders are considered an extraordinary remedy and will only be granted in exceptional circumstances, where all the elements of the test are met.
Key takeaways
- Certification of privacy-related class actions continues: Alleged misuse of personal information by governments and corporations continues to be a fertile ground for the certification of class proceedings. These cases may arise either where personal information is inadvertently disclosed to third parties or where a company intentionally discloses personal information to third parties. In either case, whether such certified class proceedings are able to successfully establish harm as a result of the alleged improper disclosure of personal information remains to be seen.
- Intrusion upon seclusion still not “expressly” recognized by BC and Alberta courts: Lam v. Flo Health Inc., summarized above, is a recent example of the courts refusing to certify an intrusion upon seclusion claim in BC or Alberta. It is unlikely that an intrusion upon seclusion claim will be certified in BC or Alberta until there is express recognition of the tort by the courts in those jurisdictions.
- Unmasking cybercriminals via Norwich orders: While Norwich orders are an exceptional remedy, in the right circumstances they may be a powerful tool to enable litigants to bring legal proceedings in relation to a cyberattack.
For more information on this topic or any questions related to the legal implications of these decisions on your business, please contact the authors, Kelly Osaka or Sasha Coutu.
A special thanks to Kathryn Gullason, research associate, for her assistance with this article.
[1] (2022 BCSC 1475)
[2] (2023 BCCA 331)
[3] Rogers Communications Inc. v. Voltage Pictures, LLC, 2018 SCC 38 at para. 18
[4] Bungie Inc. v. TextNow Inc., 2022 ONSC 4181 at para. 47
[5] Bungie Inc. v. TextNow Inc., 2022 ONSC 4181 at para. 47