In 2024, the B.C. Court of Appeal held in G.D. v. South Coast British Columbia Transportation Authority that it is at least arguable that data custodians, including public bodies, may be liable for invasion of privacy under the B.C. Privacy Act if they fail to adequately safeguard personal information. In March 2025, the Supreme Court of Canada refused to grant leave to appeal from the Court of Appeal's decision.
The Court of Appeal's decision has important implications for public bodies in B.C. as it: (a) overturns a B.C. Supreme Court decision that, in essence, concluded B.C.'s Freedom of Information and Protection of Privacy Act ("FIPPA") is a complete code for the privacy and data security obligations of the public sector in B.C.; and (b) opens the door to a broader scope of potential liability for every organization that controls or processes personal information.
Background
In June 2023, the B.C. Supreme Court declined to certify a proposed class action filed by a group of former public sector employees against their former employers' parent company, a B.C. public body, that had experienced a data security incident caused by an independent third party. The plaintiffs made two main claims:
- the defendant willfully invaded their privacy, committing the statutory tort of invasion of privacy established under the Privacy Act;1 and
- the defendant breached a private law duty of care to comply with section 30 of FIPPA by failing to protect their personal information by making reasonable security arrangements.2
The certification judge found the plaintiffs' "bald and conclusory allegations" that the defendant's actions and omissions "knowingly or recklessly caused, enabled, or resulted in" the data security incident were insufficient and that section 30 of FIPPA did not independently create an actionable private law duty of care.
We previously wrote about the B.C. Supreme Court decision here.
Appeal Decision
The Court of Appeal overturned the B.C. Supreme Court decision, holding that the appellants' claims that the defendant willfully violated their privacy are not bound to fail. In particular, the Court of Appeal: (a) expanded the obligations of public bodies beyond those detailed in FIPPA; and (b) broadly interpreted "willfully" under the Privacy Act to include recklessness
B.C.'s FIPPA Is Not a Complete Code
The Court of Appeal held that FIPPA "does not displace statutory or common law actions, including negligence, arising from breaches of privacy or careless storage of personal information".3
As a result, common law claims relating to privacy breaches, such as negligence, as well as statutory claims under the Privacy Act, can be made against public bodies.
When considered in light of the Court of Appeal's other major holding in this case—that reckless storage of personal information may attract liability under the Privacy Act—the Court of Appeal's decision increases the scope of potential claims that may be brought against public bodies following data breaches.
A Failure To Adequately Safeguard Personal Information May Be Considered a "Willful" Violation of Privacy Under the Privacy Act
The Court of Appeal also held that it is "at least arguable" that a failure to safeguard personal information from a data breach may amount to a "willful" violation of privacy under the Privacy Act in certain circumstances.
The Court of Appeal interpreted "willful" conduct to include failures to act, including failures of data custodians. To arrive at this conclusion, the Court of Appeal conducted a review of the proper approach to statutory interpretation, citing precedents for the interpretation that willful misconduct includes not only intentional wrongdoing, but also reckless indifference in the face of a duty to act.4 The Court of Appeal also cited guidance from developing case law and undertook a review of the origins of modern protections of privacy stemming from the "right to be left alone" as intended by the Privacy Act of 1968.
This is a different approach than in Ontario. In that province, the common law invasion of privacy tort—intrusion upon seclusion—has been limited to the action of the independent hackers who accessed the information without permission. Courts in Ontario have focused their analyses on the active conduct of invasion and intrusion in their interpretation of the common law tort. They have repeatedly held that the reckless storage of information cannot itself fall within the scope of this cause of action.5
The Court of Appeal distinguished B.C.'s statutory tort from the Ontario line of cases on the basis that the Privacy Act requires consideration of the "reasonable expectation of privacy" which impacts the interpretation of "willfully."6 This is unlike the Ontario tort's focus on the act of the invasion, which does not factor in the expectations of those whose information was accessed.
The Court of Appeal acknowledged that it is an evolution of the common law to hold that the failure to take reasonable measures to safeguard information may be a willful violation of a person's privacy. The Court also recognized the legitimate fears of potential defendants who could be subject to large damages claims for data breaches due to innocent mistakes. But, the Court of Appeal emphasized a need for the law to be interpreted in a way that keeps pace with the challenges posed by advancements in technology amidst the potential for misuses of personal information.7
As a result of the Court of Appeal's decision, organizations and public bodies that experience a data breach may be subject to more scrutiny about whether they did enough to prevent the breach or protect the personal information under their custody or control, and these data breaches may attract a wider breadth of claims.
Conclusion
G.D. was released alongside Campbell v. Capital One Financial Corporation, which also highlighted differences in approaches to privacy torts across Canada. Given the Supreme Court of Canada's refusal to grant leave from the Court of Appeal in G.D., the tests for privacy torts remain different across provinces for the time being.
Footnotes
1 Section 1(1) of the Privacy Act provides: "It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another."
2 Section 30 of FIPPA states: "A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized collection, use, disclosure or disposal."
3 G.D. at para 182.
4 G.D. at para 81.
5 The tort of intrusion upon seclusion was first adopted in Ontario in Jones v Tsige, 2012 ONCA 32 (link); and the Ontario Court of Appeal has since held that the reckless storage of personal information cannot itself be an intrusion upon seclusion in the decisions of Owsianik v. Equifax Canada Co., 2022 ONCA 813 (link), Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814 (link), and Winder v. Marriott International, Inc., 2022 ONCA 815 (link).
6 G.D. at para 119.
To view the original article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.