By Isabela Bibulovic, 3L, Lincoln Alexander School of Law
Introduction
Data breaches have become acute in the post-covid age. In just two years, ransomware payments have increased in Canada 51.6% but “only 42% of organizations who paid the ransom had their data completely restored” (National Cyber Threat Assessment 2023-2024). Legislators have imposed compliance requirements on private-sector entities following data breaches (Personal Information Protection and Electronic Documents Act [PIPEDA]) but affected users often find themselves without compensation. Consequently, many have turned to class actions.
Overview
Class actions enable multiple individuals (class members) to collectively pursue legal action, effective against powerful opposing parties. For a class action to proceed it must first be “certified” by a judge. The application of class actions to technological threats has encountered challenges, often involving intricate legal technicalities too remote for the general public to care (ex: appropriateness of an intrusion upon seclusion claim if the intrusion is from third-party hackers). However, a recent decision out of Alberta should peak your interest.
Imagine a scenario: a data breach compromises your personal information stored on a corporation’s server. After a ransom payment, the hackers return your information to the organization, assuring that it wasn’t disclosed. Years pass and no fraud or identity theft occurs. Did you suffer a harm or loss? Currently, the law says no.
In Setoguchi v Uber BV, 2023 ABCA 45, a class action brought the foremost test on whether the law comprehends the modern threats to personal information. This case spotlights the common law’s misconception of harm in the digital age (read more here for an overview of Setoguchi).
Despite evidentiary disagreements in Setoguchi, both levels of court agreed that while “the hackers accessed and stole the personal information… the appellant had provided no evidence of actual harm or loss” because “there was no evidence the information compromised in the hack was released to anyone other than the hackers in the four years since the hack” (Setoguchi ABCA at para 21). In essence, harm will only be established if there is damage resulting from the data breach.
The inherent harm in a data breach is the loss of control over personal information
The current legal understanding of harm in data breaches fails to recognize the loss of control over personal information as a significant harm. The “cramped understanding of harm harkens back to early conceptions of the common law. Nineteenth-century tort claims required proof of physical injury or property loss” (Risk and Anxiety: A Theory of Data-Breach Harms at 754). However, the defining characteristics of harm have changed, from control over property to control over identity. Control presumes the ability to choose.
Choice is fading. In 2023, the Privacy Commissioner of Canada, cautioned: “In this digital age, the world is at our fingertips, and the price of that convenience is often the sharing of personal information. But… are people aware of [the risks] before they make the choice to share?” A few years earlier, the Commissioner in his letter to the Standing Committee on Access to Information, Privacy and Ethics, described: “In the age of big data… it is no longer entirely clear who is processing our data and for what purposes.” Aggravating matters further, according to the 2020-21 Survey of Canadians on Privacy-Related Issues “the majority of Canadians feel they have not very much or no control at all over how their personal information is used by companies (61%) or by government (65%).”
The above realities have yet to be fully recognized by our courts. To illustrate, the certification judge in Setoguchi noted that the information obtained in the data breach is not private and thus there is no actual loss, because it is information that could have been obtained in “telephone directories of the past” (Setoguchi ABQB at para 45). In response, telephone directories functioned under a subscriber model, where users could opt-out from having their personal information publicly disclosed. There was control over personal information.
In a digital age characterized by rampant loss of control, requiring additional harm or loss from data breaches would be akin to saying to an injured person that unless they can show broken bones, the individual is not injured. The data breach in and of itself is the harm because of the loss of control over personal information.
Recent developments in jurisprudence
The loss of control over personal information as an inherent harm is not a foreign legal concept. Privacy itself is defined in jurisprudence as the right of an individual to control personal information.
In 2021, the Federal Court of Canada affirmed that the focus of privacy legislation such as PIPEDA “is on ensuring that individuals can control their personal information, which is intimately connected to their individual autonomy, dignity and privacy” (2021 FC 723 at para 39). Quebec’s Charter of Human Rights and Freedoms contains express protection for “private life”: “Toute personne a droit au respect de sa vie privée.” Notably, this provision allowed the Uber class action pursued in Setoguchi to be certified in Quebec (Fortier c. Uber Canada Inc., 2021 QCCS 4053).
Conclusion
The harm in a data breach is not solely fraud, or a substantial future risk. Rather, the harm is loss of the right to control personal information. Data breach class actions are the most likely vehicle to move courts toward developing the common law in this regard. Courts should not wait for broken bones when injuries are visible and reoccurring.