This article is part of our 2025 Privacy Breach Insights series, designed to help companies navigate the evolving privacy breach landscape. As privacy threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To stay ahead of these challenges, each part of this series provides actionable insights on privacy breach preparedness, compliance obligations, and risk mitigation. Explore the full series here.
Introduction
A pendulum has swung in Canadian data breach class actions. And from that swing, new trends have emerged.
Initially, Canadian courts applied a broad and liberal approach to the certification of data breach class actions (i.e., breaches where a cybercriminal hacks into a company's database and obtains its customers' personal information). Almost any data breach ("breach") incident would result in a class proceeding. But as breaches became more commonplace, courts began to apply more rigour to proposed data breach class actions. As a result, plaintiffs now face significant hurdles in trying to certify data breach class actions – particularly in Ontario and Alberta. (British Columbia's courts have indicated that they might not follow the pendulum swing – or at least not swing as far).
In response to a closing door on many data breach class actions, enterprising class counsel are focusing on more novel claims against companies. In particular, we are seeing more cases alleging that the companies themselves (not third party hackers) are collecting and using their customers' personal information in a way that breaches their customers' privacy interests.
This shift in focus toward "data misuse" cases, alongside an evolving privacy regulatory environment, may influence the types of privacy class actions we can expect to see in the future. As the legal trends and frameworks continue to evolve, it is crucial for companies to stay informed and proactively guard against potential litigation risks.
Historical Data Breach Class Actions
One of the reasons data breach class actions were so common place was that plaintiffs had been permitted to rely upon a privacy tort called "intrusion upon seclusion". Intrusion upon seclusion was a valuable tool for plaintiffs because it does not require them to prove they suffered any harm to establish liability and award damages.1 This made it very easy for data breach class actions to get certified; courts could certify class actions even without evidence of widespread – or any – financial harm to class members.
But that changed in 2022 when the Ontario Court of Appeal released a trilogy of decisions confirming that intrusion upon seclusion was not available in cases where a third party unlawfully accessed a company's database of customer information.2 The Court found the company defendants were not the ones who "invaded or intruded" on their customers' privacy – it was the third party hackers who had done so. The Alberta Court of Appeal followed suit.3
By removing intrusion upon seclusion as a viable cause of action, class action plaintiffs in Ontario and Alberta are left with claiming negligence, which requires showing that proposed class members suffered "real pecuniary damages".4 Alleged emotional distress from being the victim of a cyber-crime is not in itself sufficient to ground a claim.5 This vastly limited the number of data breach class actions and, in turn, curbed the appetite of class counsel to pursue these types of cases.
British Columbia Re-Opens the Data Breach Class Action Door
The BC Court of Appeal appears to have taken a somewhat different stance from Ontario and Alberta. While the BC Court of Appeal agreed that intrusion upon seclusion is not available against company defendants who had been unlawfully hacked, it held that companies whose databases were hacked by third parties might still be liable for statutory breach of privacy torts under the BC Privacy Act. 6
The BC Court of Appeal held that, like intrusion upon seclusion, the Privacy Act does not appear to require proof of harm to establish liability and damages. As such, BC courts may be willing to continue to certify data breach class actions against these company defendants, even absent any proof of harm to the proposed class.
Data Misuse Cases
As the door closes on many data breach class actions, enterprising class counsel have shifted their focus to other types of claims against companies that hold a significant amount of user data. In some provinces, class actions alleging data misuse are becoming more commonplace. These cases tend to allege that the company defendants collects and uses personal information in a manner inconsistent with (or entirely without) user consent.
It is not yet clear how the courts will handle these cases. Some courts have affirmed their important gatekeeping role at the certification stage, and have weeded out some of these unmeritorious claims. For example, some courts have refused to certify data misuse cases where there is no evidence that a breach occurred or that class members suffered compensable harm.7
On the other hand, some courts appear to be taking a more permissive approach to these kinds of cases at certification. For instance, in a recent proposed class action against Google in B.C., the plaintiff alleged that Google used its facial recognition technology to collect and store users' personal information and made it accessible to third parties.8 The lower court refused to certify the case, finding (among other things) that the privacy claims were not viable because there were no material facts to support the allegation that Google disclosed customers' data to a third party. But the Court of Appeal reversed that decision. It held that the plaintiff's claim that Google used the data for its own competitive advantage, and that Google could share its customers' data with third parties if it wanted to do so, was sufficient to ground a privacy claim for class members under the Privacy Act and in tort.
It is still too early to determine how these trends will unfold. We continue to monitor how the courts will apply the certification test to these types of claims.
Quebec's Distinctive Approach to Data Breach Class Actions
Quebec presents a unique and lenient environment for data breach class actions. The province's threshold for certification – or as it is referred to in Quebec, authorization – is notably more accessible for enterprising class counsel to surmount than in other Canadian provinces.
Mirroring national trends, Quebec is experiencing a wave of class actions centered on the misuse and mishandling of personal information. These actions typically revolve around allegations of excessive data collection, data breach, unauthorized disclosure to third parties, and the handling of sensitive health or biometric data. Yet, the pace of these cases often stalls as they approach the merits stage. Quebec courts, in their role as gatekeepers, have shown a strong propensity to authorize data breach class actions.
The decisions in Option Consommateurs v Google, 2022 QCCS 2308, and Option Consommateurs v Flo Health Inc, 2022 QCCS 4442, reveal a potential a shift in the way Quebec courts are addressing privacy claims. In these cases, the Superior Court authorized plaintiffs' claims for damages on the basis of the purported "value of the personal information" that had been used or disclosed. This stance diverges from the established Quebec and Canadian case law, which has traditionally required evidence of tangible harm to justify compensatory damages following the disclosure of information. The case of Homsy c Google, 2023 QCCA 1220 also saw the Quebec Court of Appeal remanding the matter to the Superior Court after the latter had initially declined authorization. The Court of Appeal took this opportunity to reiterate the teachings of the Supreme Court of Canada, which portray the authorization stage as a preliminary filtering mechanism – where the alleged facts are to be taken as averred – reinforcing the difficulty for defendants to dismiss privacy claims during this phase. Regarding the analysis of damages at the authorization stage, the Court of Appeal recently confirmed in the context of a breach that compensation for harm is dependent on the nature of the disclosed information, and such analysis is inherently contextual. The type and scope of the leaked information will determine if and what kind of compensable losses exist.9 Overall, these developments collectively serve as an indicator of the permissive nature of Quebec courts at the authorization stage.
Moreover, enterprising class counsel will most likely leverage the new provisions of Quebec's private sector privacy law introduced by Law 25 to advance privacy claims. Law 25 brings forth a host of new requirements, such as the appointment of a Chief Privacy Officer, data breach notification and record-keeping obligations, and enhanced individual rights, including data portability and the right to be forgotten. The combination of Law 25 with the province's permissive stance on authorization underscores the necessity for stringent compliance with privacy laws and regulations, reinforcing the need for companies to stay ahead of the curve in terms of data protection practices.
To view the original article click here
Footnotes
1. Jones v Tsige, 2012 ONCA 32.
2. Owsianik v Equifax Canada Co, 2022 ONCA 813; Obodo v Trans Union of Canada, Inc.; 2022 ONCA 814; and Winder v Marriot International, Inc, 2022 ONCA 815.
3. Setoguchi v Uber B.V., 2021 ABQB 18
4. Quantz v Ontario, 2025 ONSC 90 at para. 67.
5. Quantz v Ontario, 2025 ONSC 90 at para. 66.
6. GD v South Coast British Columbia Transportation Authority, 2024 BCCA 252; Campbell v Capital One Financial Corporation, 2024 BCCA 253. In Hvitved v Home Depot of Canada Inc, 2025 BCSC 18, the court recently certified only Privacy Act claims, and dismissed claims for common law intrusion upon seclusion, breach of contract, and unjust enrichment.
7. See, for example, Kish v Facebook Canada Ltd, 2021 SKQB 198; Chow v Facebook Inc, 2022 BCSC 137; Simpson v Facebook, 2021 ONSC 968.
8. Situmorang v Google, LLC, 2024 BCCA 9. The Court of Appeal overturned the order dismissing the action for disclosing no reasonable cause of action, and the matter was remitted to the BC Supreme Court to address the remaining certification issues.
9. Royer c Capital One Bank (Canada Branch), 2025 QCCA 217.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.