- Canadian Businesses Increasingly Face Privacy Breach Class Actions Absent Traditional Forms of Damages
- December 28, 2015 | Authors: Daniel Girlando; Barry Glaspell
- Law Firm: Borden Ladner Gervais LLP - Toronto Office
- Two privacy breach class actions recently certified against the Federal Government — Condon and John Doe — demonstrate a timing dilemma faced by all Canadian corporations hit with these sorts of claims. On the one hand, whether any proposed privacy breach class member will be successful in proving legally recognizable damage is open to considerable debate. On the other, the key merits questions will often be deferred, class certification addressing the form of action as opposed to its substantive validity. Accordingly, defendants need to carefully weigh whether, and when, to move for summary dismissal.
A Lost Hard Drive — Condon v. Canada1
Condon is the Federal Court of Canada's first "intrusion upon seclusion" privacy breach class action. An unencrypted hard drive containing personal information of 583,000 students, having received loans from the student program, was reported lost from a filing cabinet. Upon being notified, plaintiffs claimed costs incurred in preventing identity theft; out-of-pocket expenses; and unspecified amounts for inconvenience, frustration, anxiety and increased risk of identity theft.
Despite the motion judge having certified an "intrusion upon seclusion" class action, the proposed representative plaintiffs appealed. They requested, in addition, certification of common issues in negligence and for breach of confidence.2 The Federal Court of Appeal allowed the appeal. Having noted the absence of any evidence personal information has been inappropriately accessed or that any plaintiff has been a victim of fraud or identity theft,3 the appeal court still criticized the motion judge for having weighed the claim's merits, finding no compensable damage. The Court of Appeal held that a mere pleading of out-of-pocket expenses is sufficient, such that negligence and breach of confidence could be part of the certified common issues.
The Revealing Letter Envelope — John Doe v. Canada4
In the second case, plaintiffs sue Health Canada for having breached privacy by inadvertently disclosing their participation in a marijuana medical access program. Each class member, approximately 40,000 individuals, was sent a letter in an envelope identifying them as a program licensee.5 The class action advances six causes of action against Health Canada: breach of contract, negligence, breach of confidence, intrusion upon seclusion, "publicity given to private life,” and breach of a Charter right to privacy.6 The Federal Court certified all six as common issues, emphasizing the low threshold for certification as it does not involve a merits assessment, only requiring plaintiffs to show "some basis in fact" for each requirement.7
Citing the Condon appeal decision, the John Doe court found a very general damages plea to be sufficient to certify the claim in negligence. That class members may not be successful in proving damage at trial was not viewed as a basis for striking a negligence claim early in the litigation. With respect to the asserted "publicity given to private life" tort, the John Doe court held this claim is novel and should be allowed to proceed. On the appropriateness of advancing a class action with anonymous representative plaintiffs, and the tension between avoiding having one's privacy interests further injured through litigation and the open court principle, the John Doe court recommended that at least one "public" class representative should be identified.
Weighing Summary Dismissal
Accidental data breaches and lost or stolen unencrypted USBs, laptops, phones and hard drives have been leading, in certain circumstances, to statutorily-required notices across Canada. These notices may create an identifiable class. Class actions are presently being certified for intrusion upon seclusion when the facts suggest little or no actual damage. It is important for clients to bear in mind that on the Condon and John Doe facts, it is unlikely plaintiffs will be able to establish at the common issues trial the level of recklessness, as opposed to negligence, necessary to substantiate this new intentional tort. Accidental data breach cases will not generally justify an intrusion upon seclusion claim.
While the intentional intrusion upon seclusion tort may not require proof of traditional damages, negligence claims still do require compensable harm.8 Where a plaintiff can neither satisfy the requirement of reckless disclosure for intrusion upon seclusion nor actual damages for negligence, a defence-side summary judgment motion will often be appropriate, the timing of which is open to professional judgment.
In contrast, the intentional tort may be made out against a rogue employee who deliberately misuses personal data. But a rogue will likely have no exigible assets or insurance. The question then arises as to whether employers can be fixed with vicarious liability for criminal or other illegal employee misuse of personal information. Whether vicarious liability exists in respect of the intrusion upon seclusion tort has yet to be determined by Canadian courts.
1 Condon v. Canada, 2015 FCA 159.
2 The motion judge carefully distinguished causes of action in respect of which damages are alleged not to be an essential element from those which are. The first category includes claims for breach of contract and the recently-coined tort of intrusion upon seclusion. Claims in negligence and for breach of confidence were treated as traditional damages claims. To the motion judge, it was plain and obvious those claims would fail for lack of compensable harm.
3 Plaintiffs alleged spending hours on the phone seeking status updates from the Minister. There is no concrete evidence of increased future identity theft risk or that plaintiffs availed themselves of credit monitoring.
4 John Doe v. Canada, 2015 FC 916.
5 Canadians suffering from debilitating illnesses are authorized under the program to possess marijuana for personal medical use provided that a physician certifies certain symptoms falling within defined categories, for example, those arising from multiple sclerosis or a serious spinal cord injury. Health Canada's enclosed letter discussed, among other things, the increased risk of violent home invasions faced by program members.
6 Plaintiffs plead Health Canada exacerbated the risk of experiencing violence and disclosed to a reasonable person viewing the envelope that recipients suffer a grave or debilitating illness. Damages are requested for "costs incurred to prevent home invasion, theft, robbery and/or damage to personal property including marijuana plants and related paraphernalia,” costs incurred for personal security, damage to reputation, loss of employment, mental distress, and out-of-pocket expenses.
7 Health Canada argued that the Privacy Act, which provides that no proceedings lie against the Government for disclosure in good faith of any personal information, is a bar to a class action. The court found that, by using pleaded words such as high-handed, outrageous, reckless, wanton, entirely without care, deliberate, callous, etc., the pleading was sufficient. Whether the Privacy Act may afford the Government a defence will have to be decided at a later stage.
8 A plaintiff in these accidental breach cases may not be able to establish the intentional tort's existence. For example, the tort is not part of British Columbia law, see Ari v. Insurance Corporation of British Columbia, 2015 BCCA 468.