- within Transport topic(s)
- with Senior Company Executives, HR and Inhouse Counsel
- with readers working within the Accounting & Consultancy and Healthcare industries
Editor’s note
In an era marked by digital innovation and constant connectivity, personal information has never been more accessible and easily sourced. In this environment, Chief Privacy Officers (CPOs), in-house counsel and compliance professionals have become indispensable in managing increasingly complex matters involving privacy and data management. This report explores the latest developments in Canadian privacy law, highlighting notable judicial decisions and legal trends shaping privacy law in Canada. With a curated collection of case law and emerging topics, we aim to provide CPOs with the foundation necessary to manage evolving legal standards, technological advancements and business priorities.
Through expert commentary, we examine how organizations can ensure compliance and prepare to confront the challenges that come with developing technologies and changing regulatory landscapes.
Thought leadership initiatives on the AccessPrivacy by Osler platform bring together Osler’s specialized Privacy Disputes team and National Privacy and Data Management practices. Collaboration draws on the unique perspectives of both groups providing integrated insights on privacy and data litigation issues. These include Data Litigation Roundtable events on the AccessPrivacy monthly call that complement the Privacy Jurisprudence Review, as well as workshops and roundtables discussing emerging trends in artificial intelligence and governance.
With profound expertise in litigation and privacy law, Osler can help organizations stay informed in the rapidly evolving privacy space.
The authors wish to thank Tamara Kljakic, Victoria Luxford, Simone Penney, Clare Barrowman, Marie-Laure Saliah-Linteau and Josy-Ann Therrien for their contribution to this publication.
Privacy class action: data breaches
Tucci v. Peoples Trust Company, 2025 BCSC 816
Facts
This class action, certified in August 2017, arose from allegations that Peoples Trust Company (Peoples Trust) failed to implement adequate safeguards to protect sensitive customer information collected through its online application portal.
On this application, the plaintiff, Mr. Gianluca Tucci, applied to amend the certification order to add a new common issue: whether the members of the class in British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador were entitled to damages for breach of the privacy statutes of those respective provinces.
Mr. Tucci relied on the Court of Appeal decisions, G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252 (G.D.), and Campbell v. Capital One Financial Corporation, 2024 BCCA 253 (Campbell), which held that intentional or reckless cybersecurity practices that facilitate a threat actor gaining access to a database could sustain a breach of privacy claim against a data custodian under the Privacy Act, R.S.B.C. 1996, c. 373 (B.C. Privacy Act).
Mr. Tucci argued that the holdings in G.D. and Campbell should apply by extension to similar privacy statutes in other jurisdictions.
Peoples Trust opposed the plaintiff’s application on several grounds, including: the application was an abuse of process; there were no facts pleaded to support the claim; the limitation period had expired; Mr. Tucci had not amended the pleadings; the claim was foreclosed by a limitation of liability clause; there were too many individual issues; and the claim required interpretation of extra-provincial statutes.
Decision
The Court granted the plaintiff’s application, amending the certification order to include the common issue of entitlement to damages without individual proof under provincial privacy statutes and creating a subclass for class members resident in the other class jurisdictions.
The Court found no abuse of process, holding that the decisions in G.D. and Campbell clarified the scope of liability under the B.C. Privacy Act for data custodians that are victims of cyberattacks by threat actors. The Court was satisfied that the pleadings, which had alleged that Peoples Trust was wilfully reckless in its handling of class members’ personal information, were sufficient to ground a claim under the B.C. Privacy Act and the analogous privacy statutes in the other jurisdictions.
On the limitation period argument, the Court held that since the original pleadings established the facts for the statutory tort, the claim had been tolled. The Court rejected the forum non conveniens and lack of commonality arguments, noting that the earlier certification decision had allowed a Canada-wide class proceeding and that Campbell held British Columbia has jurisdiction to adjudicate all the statutory torts.
Key takeaways
The Supreme Court affirmed that jurisprudential developments that occur in the course of ongoing class proceedings can serve to broaden the scope of the proceeding, in this case, even post-certification. The decision leaves open the possibility that the timing of such an application might be precluded if there is prejudice to the defendants, but the threshold to amend a certification order remains low in B.C.
To read this article in full, please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]
