In this issue, we discuss the Federal Court of Appeal’s decision upholding the requirement that users provide meaningful consent to share their personal information with third parties. We also examine a trilogy of class action decisions where the Ontario Court of Appeal refused to extend the common law tort of intrusion upon seclusion to data custodians.[1] In contrast, the British Columbia (BC) Court of Appeal took a different approach in a recent class action certification appeal by finding that it is at least arguable that a data custodian that fails to adequately protect the private information it holds has willfully violated the privacy of class members, contrary to the provincial Privacy Act. Finally, we review the latest discourse in BC on whether the common law privacy torts can co-exist with the statutory torts set out in provincial Privacy Acts.

You can access our previous issue here, where we canvassed trends including the certification of privacy-related class actions, judicial recognition of the tort of intrusion upon seclusion and the unmasking of cybercriminals via Norwich orders.

Recent key decisions:

  • Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140: In this case, the Privacy Commissioner of Canada alleged that a social media company breached the Personal Information Protection and Electronic Documents Act (PIPEDA) when it shared users’ personal information with third-party applications hosted on the organization’s platform. The proceeding arose from an investigation by the Commissioner into a third-party app called “this is your digital life” (TYDL), which was presented to users as a personality quiz. TYDL sold users’ data and the data of their contacts to Cambridge Analytica Ltd., which allegedly used the data to develop targeted messages for political issues. The Federal Court dismissed the Commissioner’s application, finding that the Commissioner had not shown that the organization failed to obtain meaningful consent from users to share their data or that the organization had failed to adequately protect user data.
  • The Federal Court of Appeal allowed the Commissioner’s appeal, ruling that the organization breached PIPEDA’s requirement to obtain meaningful consent from users prior to data disclosure and failed in its obligation to safeguard user data. Meaningful consent was found to be based on a reasonable person’s understanding of the nature, use and consequences of the disclosure of their data. Here, a reasonable person would not have understood that by downloading a personality quiz, they were consenting to the app using their data, and the data of their contacts, to sell to a third party for the purpose of targeted political advertising. The Court further found the organization failed to adequately supervise the apps and dismissed concerns raised by the organization that it was impossible to review third-party privacy policies to ensure compliance. The organization could not profit from offering the apps onto its platform and then limit the scope of its responsibilities under PIPEDA based on alleged inconvenience or expense.
  • G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252 (G.D.): This appeal concerned whether a person can sue a data custodian for breach of privacy under the BC Privacy Act or in negligence where, due to inadequate security, a malicious actor accesses personal information in the data custodian’s possession. The chambers judge dismissed an application to certify a proposed class proceeding against TransLink after hackers gained access to personal information stored on TransLink’s network drives. The chambers judge found under the first part of the certification test that the claims were bound to fail because a data custodian cannot be liable under the Privacy Act for a data breach caused by a hacker.
  • The Court of Appeal allowed the appeal finding that the allegations that TransLink willfully violated the privacy of the plaintiffs, contrary to the Privacy Act, were sufficiently pleaded to sustain a cause of action. The Court emphasized that from a policy perspective refusing to certify a claim under the Privacy Act against an allegedly reckless data custodian would effectively remove any deterrent to engaging in such conduct. The risk of a class action being certified against a data custodian could be an incentive to inure the expense of technological safeguards. The Court of Appeal remitted the certification application back to the trial court for redetermination.
  • Campbell v. Capital One Financial Corporation, 2024 BCCA 253: The BC Court of Appeal dismissed an appeal and cross appeal arising from the certification of a multi-jurisdictional class action against a financial institution. The proposed class consisted of individuals whose personal information was accessed in a cybersecurity incident. The chambers judge certified a number of claims but rejected the claims of intrusion upon seclusion and breach of confidence finding that both were bound to fail. The plaintiff appealed, arguing that the chambers judge erred in declining to find that the common law tort of intrusion upon seclusion exists in BC. The plaintiff submitted that a hacker committed the tort of intrusion upon seclusion and, if the Court of Appeal found that this tort exists in BC, the trial judge could then decide if damages may be apportioned to the defendant financial institution for negligence which caused or contributed to the intrusion damages.
  • Since the Ontario Court of Appeal recognized a new privacy tort of intrusion upon seclusion in Jones v. Tsige, 2012 ONCA 32, the trial courts in other provinces have either recognized the tort, declined to recognize it or viewed the question as unsettled. Another issue has also arisen—whether the tort of intrusion upon seclusion is limited to defendants who violate the privacy rights of another, or whether it can be extended to data custodians who fail to adequately protect the private information they hold. In a trilogy of class action decisions, the Ontario Court of Appeal refused to extend the tort to data custodians.[2]
  • In this case, the plaintiff did not argue that the defendant financial institution was itself liable for intrusion upon seclusion due to reckless storage of personal information. Instead, the main issue raised under this ground of appeal was whether the defendant financial institution was negligent and; therefore, jointly and severally liable with the hacker under the BC Negligence Act, and equivalent legislation in other provinces. According to the plaintiff, the class members suffered damages as a result of the combined tortious conduct of the hacker and the defendant financial institution, rendering the defendant jointly and severally liable with the hacker for the “intrusion damages” (i.e., moral damages, not pecuniary damages). The Court rejected this ground of appeal on the basis that, under the Negligence Act, two tortfeasors can only be jointly and severally liable if they contribute to the same damage. According to the Court, while moral damages are available under the tort of intrusion upon seclusion, they are not recoverable in negligence. Therefore, the alleged damages suffered by class members as a result of the acts of the hacker (committing the tort of intrusion upon seclusion) and the defendant financial institution (for negligent data protection) could not be the “same damage.” The Court concluded that it was “plain and obvious” that the plaintiff could not use the Negligence Act to recover moral damages against the defendant due to any alleged negligence on their part. The appeal and cross-appeal were both dismissed.
  • Moon v. International Alliance of Theatrical Stage Employees (Local 891), 2024 BCSC 1560 (Moon): The plaintiff was a long-time Senior Steward (an elected position) with the defendant trade union. The plaintiff sued the union, as well as various individual defendants, for compensatory damages related to an en masse distribution of a report that flowed from an investigation into her credit card use. The report contained disputed and serious allegations of misconduct against the plaintiff, which she alleged became a major issue in her continued employment and re-election. The plaintiff also made a complaint to the BC Office of the Information and Privacy Commissioner under the Personal Information Protection Act (PIPA). The Commissioner found that the union had not complied with its duty under s. 34 of PIPA to make reasonable security arrangements to protect the plaintiff’s personal information.
  • The Court considered whether the tort of “public disclosure of private facts” exists in BC, finding that “[a] review of the case law suggests that BC courts have consistently held that a common law tort related to a breach of privacy does not exist in the province.” However, the Court found that recent Court of Appeal decisions have indicated, “openness to potentially revisiting the issue of whether common law privacy torts exist in British Columbia.”[3] We highlight this subject in a previous issue of the Quarterly Privacy Litigation Digest here. The Court concluded that “the BC case law suggesting the non-existence of a privacy tort is questionable” and, therefore, it is not plain and obvious that there is no common law tort in BC. The Court also found it had jurisdiction to hear and decide claims for damages arising from the contravention of PIPA. Finally, the Court held that a common law duty of care can exist alongside a statutory duty, and there is no legal impediment to a party pleading a breach of both the Privacy Act and PIPA, particularly at the early stages of a proceeding.

Key takeaways

  1. Consent must be obtained for use of personal information by third parties. While the Federal Court of Appeal issued a declaration that the social media platform breached PIPEDA by failing to obtain meaningful consent from users and failed to safeguard user data, it remains to be seen what consequences, if any, the organization will face as a result of this ruling. The Court ordered the parties to either agree on a remedial order, or return to Court to make submissions on the appropriate remedy.
  2. Contrary to trends in Ontario, BC courts have found that data custodians may be liable in privacy class actions for a data breach by a hacker if they fail to adequately safeguard personal information. In G.D., the BC Court of Appeal found that it was “at least arguable” at the certification stage that an entity’s failure to take reasonable measures to safeguard personal information resulting in a data breach is a violation of a person’s privacy under the BC Privacy Act. The issue of a data custodian’s liability in the event of a data breach was also recently addressed by the Ontario Court of Appeal in a trilogy of class action decisions.[4] The Ontario Court of Appeal refused to find entities that hold personal information and allegedly fail to adequately protect that information liable for the common law tort of intrusion upon seclusion. Therefore, data custodians may be held liable for a data breach by a third-party hacker in provinces that have statutory privacy torts (BC, Saskatchewan, Manitoba and Newfoundland), but not under the common law tort of intrusion upon seclusion.
  3. BC courts indicate “openness” to revisiting the issue of common law privacy torts in the province. In Moon the BC Supreme Court refused to strike a claim alleging the common law tort of public disclosure of private fact, citing recent BC Court of Appeal decisions that indicate “openness” to revisiting the question of whether common law privacy torts exist in BC. We discuss this subject in a prior issue [here].The Court’s conclusion that the privacy tort issue remains open in BC will influence future privacy actions that are still in their early stages, and will make it unlikely that courts will strike a properly plead privacy tort claim until the issue is decided one way or another.

For more information, please contact Kelly Osaka and Kathryn Gullason.

[1] Owsianik v. Equifax Canada Co., 2022 ONCA 813, leave to appeal to SCC ref’d, 40577 (13 July 2023), Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814, leave to appeal to SCC ref’d, 40555 (13 July 2023), and Winder v. Marriott International, Inc, .2022 ONCA 815, leave to appeal to SCC ref’d, 40573 (13 July 2023).

[2] Owsianik v. Equifax Canada Co., 2022 ONCA 813, leave to appeal to SCC ref’d, 40577 (13 July 2023), Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814, leave to appeal to SCC ref’d, 40555 (13 July 2023), and Winder v. Marriott International, Inc, .2022 ONCA 815, leave to appeal to SCC ref’d, 40573 (13 July 2023).

[3] Moon v. International Alliance of Theatrical Stage Employees (Local 891), 2024 BCSC 1560 at paras. 204-209, citing Tucci v. Peoples Trust Company, 2020 BCCA 246 and Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331.

[4] Owsianik v. Equifax Canada Co., 2022 ONCA 813, leave to appeal to SCC ref’d, 40577 (13 July 2023), Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814, leave to appeal to SCC ref’d, 40555 (13 July 2023), and Winder v. Marriott International, Inc, .2022 ONCA 815, leave to appeal to SCC ref’d, 40573 (13 July 2023).

Print Friendly, PDF & Email
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Kelly Osaka

About Kelly Osaka

Kelly is co-leader of both the Litigation and Dispute Resolution group in Calgary and the Privacy and Cybersecurity subgroup, she is also a member of the Privacy and Cybersecurity group. An experienced commercial litigator, Kelly has particular expertise in class action defence, shareholder disputes, cyber breach coaching, cyber risk analysis, governance best practices, professional negligence, and regulatory investigations.

Full bio

Kathryn Gullason

About Kathryn Gullason

Kathryn Gullason (She/Her/Hers) is a research associate in the Litigation & Dispute Resolution group at Dentons. She supports the Firm’s lawyers and clients, researching complex legal issues, preparing opinions for clients, developing submissions for court and other proceedings, tracking legal developments in the Firm’s key practice areas and drafting legal insights.

Full bio

RELATED POSTS