Setoguchi v Uber and Simpson v Facebook
When widespread data privacy breaches occur, compromised organizations have genuine concern that class action certification is likely to follow. However, two recent decisions illustrate how important it is for claimants to provide sufficient evidence at certification that a class-wide claim for compensable harm actually exists. The guidance provided by the Supreme Court on what constitutes the evidentiary floor also suggests the merits cannot be wholly ignored.
These decisions also illustrate how organizations can mitigate the risk of a successful class action being brought in relation to privacy breaches if they are well prepared and respond appropriately to the breaches.
Setoguchi v Uber BV and Simpson v Facebook Case Highlights
In Setoguchi v Uber BV (Setoguchi) Justice Rooke of the Alberta Court of Queen's Bench denied certification in an action involving an external criminal data hack of Uber.
In October 2016 hackers obtained the names, phone numbers and addresses of Uber users and drivers. Uber paid the attacker for assurances the data would be destroyed. When doing so, Uber did not notify its customers and regulators as required under section 10.1(3) of PIPEDA. The matter only came to light through a leak to the media in November 2017.
Setoguchi claimed Uber breached its contractual, common law and statutory obligations to protect the personal data and keep it safe from unauthorized parties and to notify users and drivers of the breach.
In Simpson v Facebook (Simpson) Belobaba J. of the Ontario Superior Court denied certification in an intrusion upon seclusion action. The action centred on an allegation that Facebook wrongly shared user information with a data analytics firm, Cambridge Analytica, notorious for its role in the 2016 U.S. election. The class sought symbolic or moral damages and punitive damages.
"Some Basis in Fact" and the Court's Gatekeeper Role
Both bids for certification failed to meet the unique "some basis in fact" evidentiary standard. Supreme Court authority states the standard is less than the balance of probabilities and asks not whether there is some basis in fact for the merits of the claim itself, but rather whether there is some basis in fact for each of the individual certification requirements (excluding the cause of action analysis).
When Courts consider the guidance on what constitutes the evidentiary floor, the merits arguably cannot be wholly ignored. Evidence, at least as to the existence of an arguable issue, must ascend beyond mere speculation. If the certification process is intended to be a meaningful screening device, the assessment of evidence must be more than superficial and rise above symbolic scrutiny.
Justice Rooke also emphasized Justice Rothstein's analysis in Pro-Sys v Microsoft: "There must be sufficient facts to satisfy the applications judge that the conditions for certification have been met to a degree that should allow the matter to proceed on a class basis without foundering at the merits stage."
In Setoguchi, plaintiff counsel argued that it was unclear whether the hacked information also included information such as credit card numbers, bank accounts, social security numbers, dates of birth or other government identifiers. Uber contended the hacked information only contained phone numbers, email addresses and other information people routinely provide publicly on a daily basis.
Plaintiff counsel relied on the principles that Courts are not supposed to make merits determinations (especially in advance of document disclosure) and no findings should be made except in the face of uncontradicted evidence. However, it was uncontradicted that neither side was aware of a single individual suffering any kind of identity theft, fraud or loss in the three years following the hack.
The Court's Decisions
Justice Rooke found this evidence was insufficient to establish any person could have suffered any harm arising from the hack. He indicated that providing some evidence or some basis in fact that loss or damage actually occurred is required to allow a court to fulfil its function as a meaningful screening device. He did not specifically link this broadly stated requirement to any particular certification criterion and arguably treated it as a free-standing test. However, he separately noted the preferability criterion was not met, largely due to the lack of evidence of class-wide harm.
Justice Rooke made that finding even though it is legally recognized that a claim for nominal damages exists where contracts are breached but no loss is suffered. His overall analysis reflects the position that genuine actions are not commenced only to pursue nominal damages. The Court's role of gatekeeper is engaged if the evidence tendered at the certification stage suggests nominal damages are the only arguable avenue.
In the Simpson decision, the Plaintiff's evidence that Facebook had wrongfully allowed user data to be shared with Cambridge Analytica apparently rested solely on a notice that Facebook sent to its customers that their personal data "may have been misused."
At certification Facebook swore it had no information or evidence that any data from Canadian users was shared with Cambridge Analytica. It also relied on numerous statements made under oath in international proceedings that no personal data from Facebook users outside of the U.S. was ever transferred to Cambridge Analytica.
It's not clear whether Justice Belobaba considered the Plaintiff's evidence to constitute "no evidence" by itself or only when considered against Facebook's responding evidence. In any event, Justice Belobaba concluded there was no evidence in fact to support the core allegation that personal data of Canadian Facebook users was shared with Cambridge Analytica.
Given this core allegation underpinned the proposed common issues, the certification test could not be met.
Setoguchi and Simpson illustrate the challenges to certification where a class is unable to provide some evidence of compensable harm or where nothing more than suspicion of information misuse exists on the record. Both Courts noted the importance of protecting individual privacy and personal data but nonetheless could not ignore the requirement for some evidence of an actual breach causing harm. Customers' abstract fear of future harm, or minor inconveniences to customers, are insufficient to pass through the screening device the Courts, as gatekeepers, are obligated to apply.
These decisions serve as a reminder to organizations to follow legal requirements and best practices when preparing for and responding to privacy breaches, so that they are appropriately mitigating the associated risks. Such preparation and response can be important factors in mitigating the risk of successful class actions being brought.