A recent decision of the Court of Appeal for Ontario upholding a decision denying certification of a data breach class action continues the trend of proposed privacy actions failing to cross the preliminary certification hurdle.

Background

In Del Giudice v. Thompson, 2024 ONCA 70, the Court of Appeal upheld the motion judge's decision striking out the claim without leave to amend and dismissing the certification motion against the defendant financial institution and defendant online wholesaler. In this case, an employee of one of the online wholesale, which provided services to the financial institution, allegedly hacked into a database containing personal and financial information collected by the financial institution from credit card applicants and stored in a cloud server. The alleged data breach impacted over 106 million people, including 6 million Canadians. The plaintiffs commenced a proposed class action against the former employee, the financial institution and the online wholesaler.

The Fresh as Amended Statement of Claim, which pleaded 19 (yes, 19) cause of actions, was struck by the motion judge without leave to amend on that basis that: (1) it "egregiously" contravened the rules of pleading; (2) it failed to plead any viable causes of action against the Defendants; and (3) the amendments to the statement of claim made after the carriage motion transformed a proposed data breach class proceeding into a CA$240 billion action for data misappropriation and misuse.

Court of Appeal

On appeal, the plaintiffs argued that the motion judge erred in the following:

  1. Relying on unsworn documents in determining whether there was a reasonable cause of action;
  2. Determining that the pleadings did not support any reasonable cause of action; and
  3. Striking out 78 paragraphs of the statement of claim without leave to amend.

1. Reliance on unsworn documents

The appellants argued that the motion judge erred in relying on unsworn statements because the defendants' document brief contained four documents, including a privacy policy and credit card agreement, that the defendants argued were incorporated by reference into the claim. The Court of Appeal rejected the appellants' argument, relying on established case law that a document incorporated by reference in a pleading is not evidence (it is part of the pleading) and that a judge considering an incorporated document is not making findings of fact in relying upon such documents as part of its assessment of the pleading. A claim is deemed to include any document to which it refers and forms an integral part of a plaintiff's claim.

The appellants also argued that the documents were not incorporated by reference because they were not "central enough to the claim to form an essential element or an integral part of the claim" since the documents referred to contracts and the plaintiffs had pleaded breach of contract in the alternative. The Court of Appeal disagreed. Whether the documents were integral to the claim is assessed objectively and not according to the plaintiffs' intentions. Theories of liability pleaded in the alternative (such as the plaintiffs' alternative claim for breach of contract) are relevant to the analysis.

2. Pleadings did not disclose a viable cause of action

The Court of Appeal upheld the finding that the pleadings did not disclose a viable cause of action. The 19 causes of action were grouped into two categories: data misuse and data breach.

i. Data misuse

Just after the motion judge's ruling, the Court of Appeal released a trilogy of judgments in Owsianik v. Equifax Canada Co., 2022 ONCA 813, Obodo v. Trans Union of Canada Inc., 2022 ONCA 814 and Winder v. Marriott International, Inc., 2022 ONCA 815., which we have written about previously, see here. This trilogy established that a hack by a third party does not constitute intrusion upon seclusion by the database operator. The Court of Appeal relied on the trilogy in this case, finding that any allegation of improper retention, mistakes in safeguarding information or the misuse of that information did not satisfy the key element of intrusion upon seclusion; that the conduct is of a highly offensive nature, causing distress, humiliation, or anguish to a reasonable person. Even if the parties could succeed in arguing that there was a lack of consent on the aggregation and sale of financial information, this was not highly offensive.

The appellants relied on several other torts including misappropriation of personality, conversion, breach of fiduciary duty, breach of confidence. The Court of Appeal held that they were not viable causes of action based on the facts alleged.

ii. Data breach

The court also found that there was no viable claim in negligence. Most of the class members only suffered the risk of future loss from the risk of future identity theft and fraud. The court held that there is no right to be free from the prospect of damage, only a right not to suffer damage that results from exposure to unreasonable risk. Further, feelings of upset, disgust, anxiety, agitation or mere psychological upset that do not cause a serious and prolonged injury and that do not rise above the ordinary annoyances, anxieties and fears that people routinely experience as compensable harm are not recognized compensable harms.

The court rejected the appellants' assertion that it was required to accept as true the pleading that 6 million class members had suffered pecuniary loss from identity theft and fraud, repeating that on a pleadings motion, "a motion judge is not required to accept as true bald pleadings that are patently ridiculous in their scope and not supported by material facts."

The court also rejected the claim for pure economic loss. There was insufficient proximity under the branch of negligent performance of a service, as the appellants alleged. The appellants' pleadings failed to provide facts supporting the allegation that the defendants performed a service for their data; they only alleged that it offered the plaintiffs credit services.

The appellants attempted to rely on statutory causes of action from various privacy statutes. The court also found that these did not disclose viable causes of action. First, only the Privacy Act provided a civil cause of action, which required the defendant to "wilfully...violate the privacy of another" to establish liability. The appellants failed to plead that the respondents were wilful and instead relied on the failure to safeguard data recklessly or negligently.

3. Striking out the claims without leave to amend

The court deferred to the motion judge's decision not to grant leave to amend and dismissed the appeal. The motion judge's decision to strike out a pleading under r. 25.11 without leave to amend is discretionary and should not be interfered with on appeal unless the motion judge erred in principle, misapprehended, failed to take account of material evidence, or reached an unreasonable conclusion. None of those grounds applied. The appellants were given ample opportunity to advance a viable claim and could not.

Key takeaways

  1. This decision limits the claims available in data breach cases where a data collector or database operator has been the subject of breach by another person and has not itself intentionally misused the information collected (say, for example, for its own marketing purposes). Organizations that collect or hold data and fail to prevent hackers are generally not intruders for the purpose of the tort of intrusion upon seclusion. A breach of confidence may only be alleged if the data collected is used for unauthorized purposes, not simply that an unauthorized person accessed it through a data breach.
  2. There are challenges in claiming negligence in privacy breaches where there is no known fraud or identity theft. Parties must show compensable harm from real damages as opposed to the risk of future harm – and also plead such harm in a specific way at the clam stage.
  3. Where a document is referenced in a claim, it can form part of the record on a pleadings motion. Documents referenced in a pleading do not need to be proven through sworn statements as they form part of the pleadings.

A special thanks to Birpal Benipal, articling student, for his assistance with this article.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.