Privacy Class Action: Data Breach

Osler, Hoskin & Harcourt LLP

Highland Cannabis Inc. v. Alcohol and Gaming Commission of Ontario, 2024 ONSC 423

Facts

The defendant High Tide Inc. and the plaintiff Highland Cannabis Inc. are in the retail cannabis industry. Highland Cannabis commenced an action against High Tide and the Alcohol and Gaming Commission of Ontario (AGCO), in relation to a data breach at the AGCO. Specific data regarding sales figures at retail cannabis stores for the months of July and December 2021 was either leaked or misappropriated. Highland Cannabis claimed that High Tide accessed this data and used it to the detriment of Highland Cannabis. High Tide brought a motion to dismiss the action on the basis that it was frivolous, vexatious and an abuse of the court's process.

Decision

The court granted High Tide's motion and dismissed the action as against it. The court found that the statement of claim was frivolous and vexatious, and that it was plain and obvious that the plaintiff could not succeed in its claims. The court held that there was no cause of action for intrusion upon seclusion, as High Tide did not intentionally intrude on the plaintiff's private affairs or concerns, and a reasonable person would not regard the invasion (accessing the sales data) as highly offensive causing distress, humiliation or anguish. The court further held that there was no cause of action for conversion, as the tort does not apply in the case of a data breach, and High Tide did not interfere with the plaintiff's right or title to the data. The court held that the mere viewing by passive recipients, in the context of this breach, cannot amount to an unlawful act.

Key Takeaway

This case illustrates the limitations of the torts of intrusion upon seclusion and conversion in the context of data breaches. The court noted that the tort of intrusion upon seclusion requires intentional or reckless conduct, and that High Tide was also a victim of the data breach. The court found that the tort of conversion does not apply to information, intellectual or intangible property, and that High Tide did not interfere with Highland Cannabis's right or title to the data.

Carter v. LifeLabs Inc., 2023 ONSC 6104

Facts

The plaintiffs, who are current or former customers of LifeLabs, a medical laboratory testing company, sued LifeLabs for a data breach that potentially affected the personal information of 8.6 million customers. The plaintiffs alleged various causes of action, including negligence, breach of contract, consumer protection remedies, statutory privacy violations and unjust enrichment, and sought damages and disgorgement of profits. After four years of litigation, the parties agreed to settle the action subject to court approval. The settlement agreement provided for a payment of $4.9 million in guaranteed settlement funds and $4.9 million in contingent settlement funds by LifeLabs to the class members, depending on the number of claims filed. The settlement agreement also stipulated that class counsel would request a 25% contingency fee of the settlement funds, and that each representative plaintiff would receive an honorarium of $2,500, if approved by the court.

Decision

The settlement agreement and the counsel fee were approved, but the request for honorarium was denied. The representative plaintiffs' contribution was typical of the good work done by representative plaintiffs, and the court held that this was not an exceptional case that would justify an honorarium.

Key Takeaway

The court will scrutinize the fairness and reasonableness of a settlement agreement and counsel fees in a class action, and will consider various factors, such as the likelihood of recovery, the amount and nature of the settlement, the recommendation and experience of counsel, the future expense and duration of the litigation, the number and nature of objections and the presence of good faith bargaining.

Option Consommateurs c. Home Depot of Canada Inc., 2023 QCCS 3493

Facts

The defendant Home Depot allegedly breached its legal and statutory obligations by sharing with Meta Platforms Inc. and Facebook the personal information of class members without their consent, thereby violating their fundamental right to privacy. The Office of the Privacy Commissioner of Canada (OPC) investigated the sharing of personal information and concluded that the defendant had failed to obtain valid consent for the disclosure of such information.

The defendant was seeking permission to submit relevant evidence at the authorization stage under section 574 of the Code of Civil Procedure (CCP). At the outset, the court reiterated that it may allow relevant evidence at this stage if such evidence would enable the court to have a better understanding of the facts in its assessment of the criteria of section 575 of the CCP, while acting with caution to avoid turning the screening mechanism into a "pre-trial."

Decision

The court granted the defendant permission to file Home Depot's Privacy and Security Statement in evidence, but denied permission relating to Facebook's Privacy Policy and Tools pertaining to Off-Facebook Activity.

The court decided that Home Depot's Privacy and Security Statement is a relevant and essential piece of evidence in the factual framework on which the request to authorize a class action is based. According to the court, this evidence would allow the defendant to contest allegations contained in the application in connection with the conditions of use or sharing of personal information. The court further found that this evidence would enable the defendant to present arguments highlighting the difference between in-store purchases and those made on the defendant's website, which were not the subject of the OPC's investigation, and would therefore be useful for the composition of the class and the formulation of questions of fact.

With respect to Facebook's documents, the court ruled that the defendant had not met its burden of proof. While the defendant argued that these documents, referred to in the OPC's report, are necessary to demonstrate the tools available to Facebook users to control their personal information, the court pointed out that it is not sufficient to wish to complete an exhibit if the relevance of the evidence is not demonstrated.

Key Takeaway

Confidentiality and security statements may be filed as relevant evidence under section 574 of the CCP where such statements allow a defendant to contest allegations contained in the application in connection with the conditions of use or sharing of personal information, and to present arguments in relation to the composition of the class and the formulation of questions of fact.

However, it is not sufficient to argue that the evidence sought to be filed completes an exhibit if the relevance of that evidence is not demonstrated.

Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331

Facts

The Insurance Corporation of British Columbia (ICBC) appealed a decision in which it was found liable for its employee's breach of the privacy of ICBC customers: the employee sold private information linking the customers' licence plates to their home addresses. Several of these customers were then targeted with arson and shooting attacks. On appeal, ICBC maintained that the judge erred in concluding that the information was private, in imposing vicarious liability and in finding that general damages could be determined on a class basis.

Decision

The Court of Appeal for British Columbia dismissed the appeal, stating that the trial judge had not erred in his conclusions on any of the arguments raised by the appellant. In particular, the Court stated that no mistakes were made in concluding that the sold information was private within the meaning of the Privacy Act: ICBC customers had a reasonable expectation that the information they provided to the appellant would only be used for legitimate ICBC business purposes, and they otherwise had the right to control the use of their personal information. Moreover, the Court stated that the judge did not err in imposing vicarious liability, as policy reasons support the imposition of liability.

Key Takeaway

The employee's conduct in selling some of the information to third parties for a criminal purpose tainted all of her actions in accessing the customers' files without a legitimate business purpose.

The decision also confirms that the Privacy Act does not require proof of actual damage. General damages can be awarded on a class basis, without requiring individualized proof.

G.D. v. South Coast British Columbia Transportation Authority, 2023 BCSC 958

Facts

The plaintiffs are former employees of the defendant South Coast British Columbia Transportation Authority, and they seek certification of their proposed class proceeding under the Class Proceedings Act on their own behalf and on behalf of all other persons whose personal information was compromised by or as a result of a data security breach in 2020 that affected the computer networks and systems of the defendant.

In December 2020, the IT team of the defendant (known as TransLink) discovered ransomware on its network, confirming that part of its IT infrastructure had been the target of a ransomware attack. Despite TransLink's cybersecurity program, cybercriminals breached its network security and inserted the ransomware after a successful phishing attempt on an employee of one of TransLink's operating subsidiaries. The defendant took many steps to respond to the threat. The plaintiffs asserted the following causes of action: violation of statutory obligations to safeguard privacy, negligence, the civil tort of conversion and unjust enrichment. Mainly, the plaintiffs pleaded that the defendant caused or enabled the data breach because it violated its own privacy policy standards.

Decision

The court held that the claims are bound to fail and therefore dismissed the plaintiffs' application for certification.

Key Takeaway

The court stated that the target of the statutory tort in a database breach context can only be the hacker, and not the database defendant.

Broutzas v. Rouge Valley Health System, 2023 ONSC 540

Facts

The plaintiffs are women who gave birth at either a hospital within the Rouge Valley Health System or at the Scarborough and Rouge Hospital between 2009 and 2014, and whose personal information was accessed and disclosed by rogue employees of the hospitals to salespeople of Registered Educational Savings Plans (RESPs) without their consent. They brought two proposed class actions against the hospitals, the rogue employees, the RESP salespeople and the RESP companies, alleging the tort of intrusion upon seclusion and seeking damages. The motions judge dismissed their certification motions, finding that they did not satisfy the criteria under section 5 of the Class Proceedings Act, 1992. The plaintiffs appealed from the dismissal, focusing on the tort claim against the individual defendants and the corresponding vicarious liability claims against the hospitals and the RESP companies.

Decision

The Divisional Court agreed with the motions judge that the rogue employees did not access or disclose confidential medical information about the plaintiffs, but only contact information that was personal and not private, in the context of this case. The Court also agreed that a reasonable person would not regard the intrusion as highly offensive, causing distress, humiliation or anguish, as required by the third element of the tort. The Court found that the motions judge did not err in concluding that there was no cause of action against the RESP salespeople, who did not intrude upon the plaintiffs' seclusion, and that the scope of the tort did not need to be extended to them. The Court also found that the motions judge did not err in finding that the RESP companies could not be vicariously liable for the actions of the RESP salespeople.

Key Takeaway

The key takeaway from this decision is that the tort of intrusion upon seclusion is limited to deliberate and significant invasions of personal privacy that a reasonable person would find highly offensive.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
