Written By Nina Butz and Miranda Cooper
The past year has introduced some uncertainty for institutional defendants facing privacy breach class actions in Canada. While Ontario’s Court of Appeal has been consistent in its approach to class actions against “database defendants”, two decisions of the British Columbia Court of Appeal suggest that plaintiffs may have more success recovering from such defendants in jurisdictions that have codified a breach of privacy cause of action, like British Columbia, as opposed to those that have recognized the tort of intrusion upon seclusion, like Ontario.
The term “database defendants” refers to organizations that collect and store personal information while carrying out a commercial purpose and whose databases are accessed by unauthorized third parties. Class actions brought against database defendants have become increasingly common. The earliest examples were brought in Ontario and pleaded the tort of intrusion upon seclusion.
Intrusion upon seclusion is a common law breach of privacy cause of action that aims to provide redress for moral and emotional harm suffered by plaintiffs whose privacy has been intentionally invaded. It was adopted by the Ontario Court of Appeal in its 2012 decision in Jones v Tsige. The tort of intrusion upon seclusion has the following three elements
- the defendant must have invaded or intruded upon the plaintiff's private affairs or concerns, without lawful excuse,
- the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly, and
- a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish.
Unlike most common law causes of action, the tort of intrusion upon seclusion does not require proof of pecuniary loss to justify a damages award. This feature of the tort makes it an appealing cause of action for plaintiffs suing for invasions of privacy.
The tort’s availability for plaintiffs in this context was tested in three proposed privacy class actions that ultimately came before the Ontario Court of Appeal in (a) Owsianik v Equifax Canada Co., (b) Obodo v Trans Union of Canada Inc., and (c) Winder v Marriott International Inc. (collectively, the Trilogy).
As discussed in Bennett Jones’ Class Actions: Looking Forward 2024, the Trilogy concerned attempts to hold database defendants liable for breaches by unauthorized third party-hackers. Central to the Ontario Court of Appeal’s dismissal of all three of the Trilogy appeals was its finding that there was no conduct by the database defendants (as opposed to the actual hackers) that could amount to an intrusion into or an invasion of the plaintiffs’ privacy. The Court found that holding the database defendants liable for the tortious conduct of unknown hackers would “create a new and very broad basis for a finding of liability for intentional torts.”
The Supreme Court of Canada denied leave to appeal from each of the Trilogy decisions. The Ontario Court of Appeal affirmed the Trilogy in its 2024 decision in Del Giudice v Thompson, a parallel proceeding to the British Columbia case Campbell v Capital One Financial Corporation, 2024 BCCA 253 (Capital One), explored below.
In contrast, database defendants face a different landscape in British Columbia because of the province’s Privacy Act. Section 1(1) of the British Columbia Privacy Act provides that “it is a tort, actionable without proof of damages, for a person, wilfully and without a claim of right, to violate the privacy of another.” Broadly speaking, this cause of action is only available to residents of the province.
In two 2024 certification decisions, the British Columbia Court of Appeal addressed whether an alleged “reckless” failure by database defendants to protect customers’ data could constitute a privacy violation under the British Columbia statute. While not decisively finding a cause of action against database defendants, the British Columbia Court of Appeal found in both cases that the plaintiff’s Privacy Act allegations were not plain and obviously doomed to fail at the pleadings step of the certification test.
In G.D. v South Coast British Columbia Transportation Authority, 2024 BCCA 252 (South Coast), the British Columbia Court of Appeal found that it was at least arguable that a database defendant could be found to have wilfully violated the privacy of individuals whose personal information is stored under the British Columbia Privacy Act. In Capital One, the British Columbia Court of Appeal similarly held that the Privacy Act claims were not bound to fail (including those claims brought under the equivalent statutes in Saskatchewan and Newfoundland and Labrador).
In both South Coast and Capital One, the British Columbia Court of Appeal distinguished the intrusion upon seclusion analysis in the Trilogy from “wilful violation” under the British Columbia Privacy Act. The Court acknowledged in Capital One that the Trilogy could be useful in interpreting the scope of a “wilful violation” of privacy under the British Columbia Privacy Act. However, it also emphasized that the common law tort and statutory causes of action “are not mirror images of each other.” However, the Court declined to determine whether the tort of intrusion upon seclusion also exists in British Columbia, which question has yet to be resolved by the province’s judiciary.
The Ontario and British Columbia lines of decisions also diverge from a policy perspective. In the Trilogy, the Ontario Court of Appeal expressed significant concern with the potential consequences of a wide extension of the scope of intentional torts. On the other hand, the British Columbia Court of Appeal “see[s] the floodgates argument differently, and that is as a flood of unprotected personal information flowing out of the control of the persons whose information it is, and into the hands of bad actors, unless the law responds adequately.” Nonetheless, it should be noted that the difference in policy perspective likely arises from the difference in the statutory regimes of British Columbia and Ontario.
Saskatchewan, Manitoba and Newfoundland and Labrador also have legislation that provides for a breach of privacy cause of action like British Columbia’s. However, the Saskatchewan, Manitoba and Newfoundland and Labrador statutes expressly state that they are not in derogation of other rights such as those under the common law. This may impact whether or how intrusion upon seclusion is adopted to coexist with those provinces’ statutory torts compared to British Columbia. For example, in Welshman v Central Regional Health Authority, the Supreme Court of Newfoundland and Labrador relied upon this very distinction in finding that the plaintiffs’ claim under the tort of intrusion upon seclusion was certifiable.
Other provinces, including Nova Scotia and Manitoba, also appear to have recognized the common law tort. In the absence of a statutory cause of action for breach of privacy, Alberta courts have been reticent to recognize the tort of intrusion upon seclusion.
Looking Forward
As the British Columbia Court of Appeal recently noted in InvestorCOM Inc v L’Anton, “it is now recognized that the approach to data breaches in Canada may vary between provinces—including as between those that have a statutory breach of privacy tort and those that do not.” As such, both the causes of action alleged against database defendants and the jurisdictions in which such class actions are commenced in Canada are likely to be impacted going forward.
Ontario courts have made clear that the tort of intrusion upon seclusion is not a viable cause of action in these circumstances, while British Columbia courts are approaching database defendants as potentially liable for “wilful violations” of privacy under the Privacy Act. This divergence is likely to exacerbate the existing trend toward commencing class actions in British Columbia, at least with respect to privacy class actions, and at least until a decision on the merits is made on the issue in the province.
How those jurisdictions with both the statutory and common law privacy tort will reconcile these two causes of action and approach database defendants in light of these appellate decisions remains to be seen.
Other Articles In This Series
- Competition Act Amendments Open Door to Quasi Class Actions
- Supreme Court of Canada to Decide Scope of “Material Change” With Far-Reaching Consequences for Securities Class Actions
- Supreme Court Approves Constitutionality of Multi-Crown Class Action
- Raising the “Low Bar”: Plaintiffs Seek New Strategies to Prove Common Issues for Certification
- The Ontario Court of Appeal Clarified When Class Actions Should be Dismissed for Delay
- Court of Appeal Cuts Off Speculative Product Liability Claims
- Screening By the Authorizing Judge: Québec Court of Appeal Upholds the Principle of Partial Dismissal in Salko c. Financière Banque Nationale inc.
- British Columbia Grapples With Evidentiary Issues and the Requirement for a Workable Methodology
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.
For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.
Bennett Jones