In Tucci v Peoples Trust Company, 2020 BCCA 246 ("Tucci"), the Court of Appeal for British Columbia signaled that it might be willing to recognize a common law tort of breach of privacy. As the British Columbia Privacy Act already provides for a statutory tort of "wilful" violation of privacy, it is unclear what a common law privacy tort would add to the protection of individuals' privacy interests, unless the British Columbia courts would view a common law tort as broader in scope than the statutory cause of action.
Facts and certification decision
We previously commented on the certification decision in Tucci. The facts are relatively straightforward. Peoples Trust Company ("Peoples Trust") - a federally-regulated trust company - collected personal information from its customers. As a result of cyberattacks in 2013, hackers were able to obtain a "considerable amount of personal information" about some customers. As a result, a class action was commenced on behalf of the customers affected by the data breach.
The representative plaintiffs relied on a number of causes of action in support of the claim, including a claim at common law for breach of privacy and, in particular, intrusion upon seclusion. The plaintiffs did not plead the statutory tort of breach of privacy under the British Columbia Privacy Act, which requires proof of a wilful violation of privacy. While the certification judge refused to certify the breach of privacy claim under British Columbia common law on the basis that it does not recognize this cause of action, the judge certified a breach of privacy claim under the federal common law. The judge also certified claims for breach of contract and negligence.
Court of Appeal analysis of breach of privacy at common law
The B.C. Court of Appeal's analysis of the breach of privacy at common law issue hinged on three analytical steps.
First, the Court had to determine whether the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") precludes a common law cause of action to enforce private law obligations between private parties. Since Peoples Trust is a federally regulated business, PIPEDA applies to it. Peoples Trust argued that PIPEDA is a complete code and precludes the ability to bring any common law cause of action that pertains to the data breach. Any party with a claim anchored in the data breach, Peoples Trust argued, must resort to the mechanisms found in PIPEDA. The Court of Appeal did not accept this argument. Rather, it held that, at least in relation to claims between private parties, there is nothing in PIPEDA that reflects a legislative intention to "abolish private law duties or to eliminate the ability of aggrieved parties to pursue common law causes of action". In other words, the Court of Appeal was of the view that PIPEDA is not a complete code in the context of claims between private parties and so common law claims can be pursued.
Second, the Court of Appeal addressed whether there is a distinct federal common law that was applicable to the claims at hand. This issue was important because British Columbia jurisprudence has historically held that there is no common law cause of action for breach of privacy in British Columbia. The issue was framed on the basis of federal, as opposed to British Columbia, common law to overcome this jurisprudential hurdle. The Court of Appeal, however, did not accept this approach. Rather, it held that there is only one common law in Canada. This common law can only be supplanted by valid legislation from a level of government that has the constitutional authority to do so. As mentioned above, the Court of Appeal was of the view that PIPEDA does not displace the common law in this case. Further, the plaintiffs do not seem to have pled any other privacy statute, including the British Columbia Privacy Act. Therefore, these statutes were inapplicable for the purposes of the analysis. Effectively then, the Court of Appeal was of the view that there is only one common law in Canada and that there are no statutory regimes before it that would supplant the common law.
Third, the Court of Appeal provided non-binding comments about whether the common law recognizes, or should recognize, a claim for breach of privacy, including for intrusion upon seclusion. The Court of Appeal did not decide the issue because the plaintiffs did not appeal the certification judge's holding that, in British Columbia, there is no recognized common law tort for breach of privacy, including intrusion upon seclusion. Instead, the Court of Appeal suggested that it might be time for the Court to reconsider its prior jurisprudence on the issue. The Court of Appeal noted that its prior caselaw that seems to suggest there is no common law tort for breach of privacy was a "thin one," contained "little analysis" of the question, and the appellants' claims in all of the decided cases "failed for multiple reasons". The Court of Appeal further suggested that recognizing a common law cause of action for breach of privacy accords with the increasingly critical role that personal data plays in individuals' lives.
It is unclear why the plaintiffs in Tucci did not advance a claim under the statutory privacy tort under the British Columbia Privacy Act. The plaintiffs may have believed that it would not be possible to establish a "wilful" violation of privacy by Peoples Trust in circumstances where Peoples Trust had been the target of cyberattacks and where the plaintiffs were alleging that the intrusion occurred because of negligence, not wilful or intentional conduct by Peoples Trust.
The B.C. Court of Appeal's willingness to reconsider the existence of a common law tort of breach of privacy in British Columbia raises questions about what scope exists for a common law tort of breach of privacy when the statutory tort may adequately protect the privacy interests of individuals. In considering a common law privacy tort, the British Columbia courts may have to consider whether it would be limited to the privacy interest protected by the intrusion upon seclusion tort recognized in Ontario or whether it encompasses other privacy interests. The British Columbia courts may also have to consider whether the Privacy Act "occupies the field", such that there is no scope for recognition of a common law tort. If a common law privacy tort is recognized in British Columbia, parties involved in national privacy class actions - both in British Columbia and other courts - would have to consider how the common law cause of action in British Columbia interacts with both the statutory tort as well as common law and statutory torts in other provinces.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.