In recent years, appellate court rulings on data breach class actions have created a distinct split across Canada, with courts in some provinces upholding a higher bar for class certification than others.
According to data privacy experts, that split has resulted in fewer data breach class action claims being filed in the provinces with more stringent certification standards, while more forum shopping takes place in provinces with more lenient rules.
“Breaches are continuing to happen all of the time. There has been no slowing in the number or intensity of breaches,” says Daniel Glover, a partner at McCarthy Tétrault LLP and national co-lead of the firm’s cyber/data group.
Even in cases where no one disputes that a breach occurred, the fact that bad actors often can’t access or use the leaked information makes it challenging to get data breach class actions certified in provincial courts where it’s necessary to prove that the breach caused harm. As a result, Glover says, “We are seeing class actions filed in British Columbia, Manitoba, Saskatchewan, Quebec, and Newfoundland and Labrador because there is an easier bar to hurdle to file a class action without actually knowing or being able to show… damages.”
In contrast, “We are seeing, at least in recent days, relatively few claims filed in… Ontario, Alberta and the Maritime provinces, except for Newfoundland,” where plaintiffs have to prove they suffered harm, Glover adds.
Melanie Szweras, principal at intellectual property firm Smart & Biggar, agrees that there’s been “a shift from broad certification to a little bit more strict scrutiny of the cases.”
She adds, "Ontario and Alberta are places where it’s becoming more difficult to certify, but in places like BC and Quebec, it's still more likely – or better or easier – to get a class action certified in a data breach situation.”
According to Glover, pursuing data breach class actions in BC, Manitoba, Saskatchewan, Quebec, and Newfoundland and Labrador has long been easier because all five jurisdictions have general privacy legislation that empowers plaintiffs to pursue legal action for invasion of privacy. This legislation “essentially removes the requirement to prove damage,” making it straightforward for class action plaintiffs to secure certification, Glover says.
In contrast, provinces without such privacy legislation are “stuck with the common law,” which has sometimes left consumers without straightforward remedies, Glover says. In 2012, however, an Ontario Court of Appeal decision called Jones v. Tsige established a civil cause of action called “intrusion upon seclusion,” a type of privacy tort meant to provide relief to plaintiffs subject to an intentional breach of privacy. Because plaintiffs with intrusion upon seclusion claims did not have to provide evidence that they suffered harm to establish liability, courts could certify class actions alleging these types of claims even if they didn’t have evidence that a data breach caused class members harm.
Jones effectively allowed Ontario courts to liberally certify data breach class actions even though the province lacked general privacy legislation. For years, intrusion upon seclusion was one of the primary tools that class counsel used in data breach classes.
That changed in 2022, however, when the Ontario Court of Appeal issued a trio of decisions in Owsianik v. Equifax Canada Co., Obodo v. Trans Union of Canada, Inc., and Winder v. Marriot International, Inc. These decisions found that plaintiffs could not rely upon intrusion upon seclusion arguments in cases where they were suing a company, but a third party illegally accessed the company’s database of customer information.
The court refused to extend liability to companies that held the information even if they allegedly failed to adequately protect the information because the companies did not themselves intrude upon their customers’ privacy. The Alberta Court of Appeal issued a similar decision around the same time.
Because plaintiffs with data breach concerns in provinces without general privacy legislation could no longer pursue damages from companies via intrusion upon seclusion claims, they were forced to claim negligence instead. However, such claims required proposed classes to show that they suffered “real pecuniary damages,” making it much harder to secure certification.
The challenge of bringing intrusion upon seclusion claims following the Ontario and Alberta appellate decisions is that “typically when it’s a person whose personal information has been breached, they’re suing the company that held that data, but often it’s a malicious third party actor that did the act that access the data, so it’s not the defendants themselves who have done anything deliberate,” Szweras says.
To successfully characterize an act as intrusion upon seclusion now, “it needs to be an intentional intrusion, and it also has to be highly offensive to a reasonable person, and the act has to be deliberate, not accidental,” Szweras says. She adds that that high bar, which does not exist in the provinces with general privacy legislation, means that “there’s more class actions on data privacy cases, for example, in British Columbia, than there will be in Ontario.”
Glover says he’s observed forum shopping, with many plaintiffs choosing to take their data breach class actions to BC. In addition to the province’s more lenient bar for class certification, Glover credits the trend to a provincial cost regime “that is very plaintiff-favourable,” where plaintiffs who bring certification applications are “subject to a no-cost regime, even if they lose in most circumstances. There’s very little downside as a result to file a claim before all the facts are known.”
On several occasions, Glover says he’s seen BC or Quebec-based class actions copying claims from lawsuits filed in the US. “Even if the case goes nowhere because there’s smoke, but there’s no fire, it’s very hard for a defendant to get costs awards because of the cost regime, which was designed by the BC legislature to be encouraging of class actions,” he says.
Last year, at least two BC Court of Appeal decisions further deepened the rift between how BC and provinces without general privacy legislation approach data breach cases. In contrast to Ontario and Alberta’s refusal to extend liability to companies that store breached consumer information, the BC court’s decisions in G.D. v. South Coast British Columbia Transportation Authority and Campbell v. Capital One Financial Corporation found that data custodians can be liable under BC’s privacy legislation because of a data breach committed by a third party.
“We're seeing a huge split between these provinces,” Glover says.
According to Szweras, some plaintiffs are using another strategy in pursuing claims against companies: filing class actions alleging data misuse. These cases suggest “that the company themselves mishandled the personal information,” she says. “Maybe they didn’t have good enough security safeguards, and that's why the third party might have been able to access that information. They’re trying to find direct involvement by the company that holds the data.”
Glover says he’s observed the same trend. “We’re starting to see those cases come up more often, mostly in British Columbia and Quebec, where the courts seem to be open to novel claims made by plaintiffs – that even if there is no direct damage to an individual, there might be a claim based on the value of the information or some other form of harm that streams from the idea that the data should not have been used in this way.”
As with data breach class actions, these claims will be difficult to bring in the provinces that use common law torts, Glover says. “But we’re seeing more cases filed for data misuse class actions in the other provinces.”