Cyber Law and Privacy Class Action: The View from Canada
A Q&A with Gerry Gill and Christine Galea of Dolden Wallace Folick LLP
Amid the rise of ransomware and socially engineered business email compromise attacks, Canadian cybersecurity and privacy law continues to evolve including a changing bar to entry for class action suits. We spoke to Gerry Gill and Christine Galea of Dolden Wallace Folick LLP for an update on Canadian legal trends.
What is happening on the privacy law front in Canada?
Gerry Gill: For about two years now, mandatory notification for privacy breaches has been in effect in every jurisdiction, except for the provinces of Quebec and B.C. In each of those provinces, their legislation is under revision and we anticipate that mandatory notification will now be mandatory across the country. In addition, the Federal Government has tabled legislation that alter the current privacy regime by replacing the Personal Information Protection and Electronic Documents Act (PIPEDA) The proposed new legislation essentially splits PIPEDA into two acts (the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act) which among other things, changes rules about the collection and use of personal information, creates a new statutory cause of action, and increased the potential for fines.
What is the current landscape for class action cybersecurity law?
Christine Galea: A lot, if not most, cyber breach of privacy claims are made in the class action context. In Ontario in the last year, we’ve seen at least one in six new class actions that are initiated are around breaches of privacy.
In October of 2020, there were some changes to the Class Proceedings Act in Ontario, which makes it more difficult to have a claim certified as a class action. On top of that, in a recent decision arising from the Simpson v. Facebook data breach claim, Justice Belobaba, a prominent class action judge here in Toronto, confirmed that it’s a two-step rather than one-step test to meet the commonality requirement under the Class Proceedings Act. He was previously of the view that only the one-step test had to be met. Since the two-step test is a higher threshold for the commonality requirement, it’s an extra hurdle for plaintiffs to jump for certification of their proposed issues in the context of a class action.
It means that a lot of class action lawyers in these cyber breach claims and privacy cases might want to bring their claims in other jurisdictions in Canada. So we might see more Alberta claims or B.C. claims going forward.
What other developments have emerged?
Christine Galea: Another important decision came out in Quebec earlier this year, the Lamoureux decision, which is a case that went to common issues trial and is the first privacy class action in Canada to have been determined on the merits. It’s very rare in class actions that it even gets to that point. It was a data breach claim around the loss of a laptop containing personal information. One of the pleaded causes of action, as it is in the majority if not all data breach claims, was tort of intrusion upon seclusion.
Very generally, the tort of intrusion upon seclusion is actionable without economic harm but requires the defendant itself to have committed the intrusion rather than a third party hacker.
In Lamoureux, the court determined that proof of actual compensable harm is necessary for breach of privacy class actions and it dismissed the case. The court said that the anticipation of a future harm due to the loss of personal information is insufficient—worry and inconvenience are not compensable.
What are the implications of this ruling?
Gerry Gill: PIPEDA provides a statutory cause of action that allows an affected individual to seek damages in circumstances where there has been a breach, even in the absence of actual harm. Damages can be awarded even in the absence of “out-of-pocket” expenses. If I can show that my privacy has been breached, I could be entitled to damages, though they could be relatively low depending on the nature of the information.
As Christine noted, the “intrusion upon seclusion” tort is also actionable without the need to prove economic harm. The ability to recover damages in such circumstances makes privacy claims particularly attractive to class actions lawyers.
Lamoureux insulates organizations (or individuals) who have been hacked from liability for intrusion by exclusion on the basis that hosting data that has been hacked does not constitute an intrusion of privacy. The decision essentially forces the plaintiffs to advance their claim in negligence which imports a requirement to prove damages.
Christine Galea: At this point, though, plaintiffs are still pleading intrusion upon seclusion. We may see change further down the line but for now this one decision that went to common issues trial doesn’t seem to be having an impact just yet.
In summary…
We want to thank Gerry and Christine for their thoughtful overview and commentary. The Canadian cyber insurance community that we all support will appreciate these insights.