ARTICLE
22 May 2025

2025 Mid-Year Update: Five Privacy Law Developments

TM
Torkin Manes LLP

Contributor

Torkin Manes LLP logo
Torkin Manes LLP is a full service, mid-sized law firm based in downtown Toronto. Our clientele ranges from public and private corporations, to financial institutions, to professional practices, to individuals. We have built our firm from the ground up—by understanding our clients’ business needs, being results-oriented, practical, smart, cost-effective and responsive.
Explore Firm Details
Lexpert Firm Profile
We are at the mid-year point of 2025 and the privacy landscape in Canada continues to evolve. This article highlights Canada's top five notable developments in the privacy space in 2025 so far.
Canada Privacy
Roland Hung and Laura Crimi
Your Author LinkedIn Connections

We are at the mid-year point of 2025 and the privacy landscape in Canada continues to evolve. This article highlights Canada's top five notable developments in the privacy space in 2025 so far.

1. Federal Privacy Reforms

Bill C-27, which was the federal government's attempt to reform Canada's federal private sector privacy law, died when Parliament was prorogued in January 2025. It will be up to the new government to update Canada's federal privacy law, which is in dire need of retooling.

2. Clearview AI, Inc. v. Alberta (Information and Privacy Commissioner), 2025 ABKB 287

Clearview AI, Inc. v. Alberta (Information and Privacy Commissioner), 2025 ABKB 287 ("Clearview AI") is a paradigm-shifting decision that found:

  • The Personal Information Protection Act ("PIPA") blanket restrictions on collecting publicly available information from the Internet without obtaining individuals' consent were unconstitutional. This implies that search engines and companies can lawfully harvest and use personal information made publicly available online, including for training AI systems, provided the purpose is one that individuals would view as reasonable.
  • Despite Clearview AI being based in the U.S., the court applied PIPA to the company under the "real and substantial connection" test, due to its activities involving the collection of images from Alberta-based websites and social media accounts. The court concluded that Clearview AI violated PIPA, as it did not have a reasonable purpose for collecting, using and disclosing personal information.

3. Quantz v. Ontario, 2025 ONSC 90

In Quantz v. Ontario, 2025 ONSC 90 ("Quantz"), the Ontario Superior Court of Justice addressed a proposed class action stemming from a 2018 data breach within the Ontario Disability Support Program ("ODSP"). The incident involved an ODSP caseworker inadvertently emailing a spreadsheet containing personal information of approximately 45,000 clients to all Ministry caseworkers. Subsequently, another caseworker forwarded this email to 103 ODSP clients, leading to unintended disclosures.

The plaintiff sought certification of a class action, alleging claims such as intrusion upon seclusion, negligence, breach of confidence, and publication of private facts. However, the court dismissed the motion for certification. A key reason was that the tort of intrusion upon seclusion requires intentional or reckless conduct, and the disclosure in this case was accidental. The court emphasized that without deliberate action, this tort could not be established.

This decision aligns with recent jurisprudence set forth in the Equifax trilogy, where courts have limited the scope of liability for privacy breaches, particularly emphasizing the necessity of intentional conduct for certain privacy torts.

The ruling in Quantz underscores the challenges plaintiffs face in certifying class actions for data breaches resulting from inadvertent disclosures, reinforcing the legal requirement for intentionality in certain privacy-related claims.

4. Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131

Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131 ("ICBC"), was an appeal of a decision of the British Columbia Supreme Court awarding aggregate general damages of $15,000 for vicarious liability under British Columbia's Privacy Act for a breach of privacy that involved an employee's wilful and flagrant disregard for the plaintiff's privacy.

The Appellant, the Insurance Corporation of British Columbia ("ICBC"), was found vicariously liable for serious breach of the privacy of a number of its customers. The facts in this matter were not in dispute. An employee of the Appellant accessed the private information of 78 ICBC policy holders for "nefarious purposes." The employee sold the information of at least 45 policy holders to criminals. Between 2011 and 2012, 13 of these 45 policy holders were targeted in arson and shooting attacks.

The question on appeal was whether an aggregate award of damages for a breach of privacy under Section 1 of British Columbia's Privacy Act canbe anything more than nominal in the absence of proof of consequential harm?

The British Columbia Court of Appeal held that the aggregate damages award made by the trial judge provided compensation for the injury to the class members' privacy interests and is responsive to the seriousness of the defendant's misconduct. This decision establishes that significant damages may be awarded for privacy breaches in British Columbia even in the absence of actual harm.

5. Hvitved v. Home Depot of Canada Inc., 2025 BCSC 18

In Hvitved v. Home Depot of Canada Inc., 2025 BCSC 18 ("Hvitved"), the Plaintiff sought to certify a class action on behalf of customers who provided their email address to Home Depot of Canada Inc. ("Home Depot"), between October 2018 and October 2022, for the purpose of receiving an electronic receipt when making a purchase. The Plaintiff alleged that Home Depot violated the privacy rights of the proposed class by collecting their personal information and disclosing it to an unrelated third party, Meta Platforms Inc. ("Meta"), the operator of the Facebook platform.

Home Depot used Meta's services from October 2018 to October 2022, to better understand whether its advertising campaigns were effective in generating in-store sales. Home Depot maintained that it understood that the protocol being used would only allow Meta to link the customer information provided to a specific email account. However, the service agreements in place permitted Meta to use the information provided by Home Depot improve Meta's own products, including user profiling and targeted advertising.

The Plaintiff's application for certification was allowed in relation to only the alleged breaches of provincial privacy legislation and dismissed claims for common law intrusion upon seclusion, breach of contract and unjust enrichment.

Bonus: Creation of new Ministry of Artificial Intelligence and Digital Innovation

It is also timely to note that in addition to the legal developments set out above, Canada's newly elected Prime Minster, Mark Carney, has created the first cabinet post responsible for artificial intelligence and data innovation. This is a clear signal from the federal government that Canada aims to increase innovation and develop new and updated frameworks for a wide range of digital issues, including privacy and artificial intelligence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Roland Hung
Roland Hung
Photo of Laura Crimi
Laura Crimi
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More