Privacy Class Actions in Canada: The Misconceptions, the Pitfalls and the Path Forward

March 26, 2021 | Sage Nematollahi

Courts in Ontario and Alberta have recently issued several significant decisions in privacy class actions. In January 2021, the Alberta Court of Queen’s Bench declined to certify a class action against Uber arising out of a data breach reported in 2016, finding that there was no evidence of harm.[i] Shortly thereafter, in February 2021, the Ontario Superior Court of Justice denied a certification motion in a privacy class action against Facebook arising out of the Cambridge Analytica scandal, finding that there was no evidence to substantiate the claim.[ii] These two decisions followed the prevailing trend of the dismissal of privacy class actions in Canada, in which courts have generally found that there is no evidence of harm, or that the information at issue did not rise to a level that would support the finding of a reasonable expectation of privacy, or both.[iii]

Also in February 2021, the Ontario Superior Court of Justice approved the settlement in a privacy class action against Yahoo!, and the Court took that opportunity to review the landscape of privacy class actions in Canada. Amongst other observations, the Court noted that privacy class actions have an 80% success rate at certification and, therefore, are at “a low risk of not being certified.”[iv]

These decisions represent significant developments in the relatively novel and rapidly evolving area of privacy class actions, and they may be considered from different perspectives. This article outlines a few practical takeaways that would contribute to a more predictable practice of privacy class actions in Canada.

The Misconceptions

Contrary to what has been recently suggested, privacy class actions are risky. The observation that privacy class actions are likely to be certified is based on mixed data from consent as well as contested certification motions over an extended period of time, where both substantive and procedural laws have materially evolved, and across settlements with largely varying economic dynamics. It, accordingly, does not accurately reflect the actual risk in a privacy class action at its commencement.

In fact, given their relatively high rate of dismissal in recent years, privacy class actions would seem to be disproportionately riskier compared with other types of class actions. Whereas contested certification motions generally have a success rate of approximately 73%,[v] over the past few years, the success rate of contested certification motions in privacy class actions has been closer to approximately 50%.

The disproportionally higher rate of failure of privacy class actions is due largely to the view repeatedly expressed by courts that falling victim to a privacy breach is a normal inconvenience of life that does not, per se, result in compensable damages.[vi] In certain cases, the same notion has been incorporated into an inquiry as to whether there is a reasonable expectation of privacy in the circumstances. If there is no reasonable expectation of privacy, there is no privacy harm, thus no claim for violation of privacy. For example, current jurisprudence seems to be leaning toward a pre-certification finding that there is no reasonable expectation of privacy in information that is generally perceived to be in the public domain, such as an individual’s name, date of birth and email address. Accordingly, some courts have found that, categorically, the unauthorized disclosure of that kind of information does not give rise to liability for privacy violation.[vii]

The above, however, does not reflect the realities of the very dynamic and complex issue of privacy in today’s digital age. And, were this view to be adopted, it would undermine not only private litigation as a real and meaningful vehicle to enforce the right to privacy and to provide access to justice to victims of privacy violations, but also the general enforcement of privacy laws in Canada.

First and foremost, Canadian privacy law does not require plaintiffs to prove economic harm or injury on common privacy breach causes of action, including the tort of intrusion upon seclusion and breach of provincial privacy legislation in certain Canadian provinces. Therefore, where the pleadings properly set out the elements of the causes of action, privacy claims should not be dismissed at a procedural juncture simply because there is no immediate proof of economic harm.

If—for practical reasons or under the traditional common law headings of liability such as negligence or breach of contract—proof of harm may be required for the purposes of the pleadings and at certification, plaintiffs ought to be able to establish harm through economic theories of damages and liability focusing on the inherent value of the information, the risks arising out of a privacy breach, or restitutionary relief.

Furthermore, harm in the context of privacy breach claims has largely been treated as synonymous with economic harm. This is inconsistent with the nuanced conception of harm in privacy laws, which specifically recognize various types of personal and emotional harms and injury, as well as further damages to finances and relationships.[viii] Canadian courts have not to date engaged in a consideration of the vast and complex issues around privacy harms, and it would be extremely beneficial to the jurisprudence if, at the next opportunity, these conceptions were canvassed and explored. Of note, there is an extensive body of caselaw on privacy harms in the United States, and this topic has received substantial attention from privacy scholars and academics. Although United States courts have not reached consensus on the issues around privacy harms, Canadian litigants and courts can draw on the existing jurisprudence and scholarly literature as they advance the conversation around privacy harms.

Similarly, privacy is a nuanced concept, so it would be impossible to come up with a “one-size-fits-all” solution to determine the reasonable expectation of privacy in all privacy breach matters. The Supreme Court of Canada has cautioned that the existence of certain information in the public domain would not per se result in a finding that, categorically, there is no reasonable expectation of privacy.[ix] Whether there is a reasonable expectation of privacy would involve an inquiry into the entirety of the circumstances, and would involve mixed questions of fact and law which are simply not capable of determination at the procedural certification/motion to strike stage. The analytical starting point should be Canada’s privacy laws, which protect any information that is personally identifying of an individual. So long as the information in question is under the protection of the law and there is, on the pleading, a reasonable cause of action, the claim should be allowed to proceed.

The Pitfalls

Practically speaking, the dismissal of several proposed privacy breach class actions over the past couple of years emphasizes the fact that not every privacy breach incident would reasonably give rise to legal liability. While custodians of personal information are subject to specific requirements to protect that information by way of appropriate safeguards, data security is never guaranteed. What makes a case different from those incidents that happen on a daily basis? What kind of data breach would give rise to potential liability worthy of judicial attention?

These are extremely complex questions, the answers to which are highly fact-centric and highly contextual. There may not even be a straightforward, clear or generally accepted answer. Counsel and courts of different jurisdictions may have differing views on them in identical circumstances. Consider the Yahoo! data breach, for example. A claim arising out of the same Yahoo! data breaches was dismissed in Québec, while it achieved sizeable and meaningful settlements in Ontario and the United States. Determining which case may give rise to a viable claim for legal liability requires the exercise of significant judgment and a thorough assessment of the facts.

With that caveat in mind, plaintiffs should be cautioned that privacy or data breaches that result in the exposure of generally publicly available, practically insensitive information may not give rise to an obvious liability claim. It is, for example, likely that the compromise of email addresses and hashed passwords, with nothing more, would not be considered a viable claim for violation of privacy. Still, the victims should update their passwords. This would certainly be very inconvenient, but it would not necessarily be considered outside the ordinary in this day and age.

With respect to more serious data or privacy breaches, the determination of whether there is a viable claim is highly contextual, and it should also include a consideration of whether the claim, even though it may be viable on an individual basis, would be amenable to class-wide adjudication.

Lastly, data breaches are not static incidents. They involve constantly evolving circumstances, and this can have a wide range of impacts on a privacy breach class action. For example, it is normally the case that the information exposed in a data breach is not immediately leaked on the dark web or otherwise abused by criminals. It may be that the personal information will be used for improper or criminal activities many years after the incident. After all, people’s names, dates of birth, and social insurance numbers do not often change. Similarly, other events subsequent to a data breach such as internal investigations or regulatory enforcement actions may substantially modify the dynamics of a case. To the extent possible, case planning and management should provide for these possibilities to ensure that the claim remains viable and manageable via a class action. In all cases, privacy actions should be litigated flexibly to adapt to evolving case dynamics and circumstances. Litigation plans can prove extremely helpful in advancing this goal as privacy breach cases progress.

The Path Forward

The right to privacy is a fundamental right that is rooted in constitutional rights and freedoms. Its effective enforcement is crucial to ensure our individual autonomy, enhance the integrity of our economy and safeguard our national security. Private litigation through collective action has been an effective means to enforce the law, and it is expected to remain as such. We should accordingly expect to see a healthy, consistent level of new filings of privacy class actions.

It is also expected that Canadian privacy law and class action practice will experience major developments in the near future as a result of the following two matters.

First, some of the actions that were commenced in the past couple of years are approaching the certification stage, and they are expected to incorporate the lessons from past certification decisions. Of note, there are parallel proceedings with respect to several of those privacy class actions, including Facebook, Marriott International/Starwood Hotels and MGM Resorts, some of which are significantly advanced down the litigation road. To some extent, it is expected that the developments in the United States will practically influence the outcome of the Canadian side of the litigation.

Second, Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, is undergoing a major reform, which will include the creation of a private right of action, a procedure and a tribunal to deal with private claims. Litigators will be watching with interest to see how the upcoming amendments will interact with the more conventional class action practice, if and when they are adopted.

  • [i] Setoguchi v Uber B.V., 2021 ABQB 18.
  • [ii] Simpson v Facebook, 2021 ONSC 968.
  • [iii] Broutzas v Rouge Valley Health System, 2018 ONSC 6315; 2019 ONSC 2025; Bourbonnière c Yahoo! Inc., 2019 QCCS 2624; Kaplan v Casino Rama, 2019 ONSC 2025; Li c Equifax inc., 2019 QCCS 4340.
  • [iv] Karasik v Yahoo! Inc., 2021 ONSC 1063 at paras 135, 138.
  • [v] Law Commission of Ontario, Class Actions: Objectives, Experiences and Reforms, Final Report, p 5 (July 2019), online: https://www.lco-cdo.org/wp-content/uploads/2019/07/LCO-Class-Actions-Report-FINAL-July-17-2019.pdf.
  • [vi] See, for example, Setoguchi v Uber B.V., 2021 ABQB 18 at para 53, citing with approval Bourbonnière c Yahoo! Inc., 2019 QCCS 2624 at para 44.
  • [vii] See, for example, Setoguchi v Uber B.V., 2021 ABQB 18 at para 45, adopting Kaplan v Casino Rama, 2019 ONSC 2025 at para 62, Broutzas v Rouge Valley Health System, 2018 ONSC 6315 and Grossman v Nissan Canada, 2019 ONSC 6180 at para 10.
  • [viii] See, for example, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 10.1(7), which defines “significant harm” as being inclusive of “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
  • [ix] R v Jarvis, 2019 SCC 10 (“Furthermore, being in a public or semi-public space does not automatically negate all expectations of privacy”). Of note, in Stewart v Demme, 2020 ONSC 83, the Court considered the non-exhaustive list of factors outlined in R v Jarvis in considering whether the circumstances give rise to a reasonable expectation of privacy.

Originally published by the Class Actions Law Section of the Ontario Bar Association.
