By Chloe Korol
With our near-total dependency on the internet, it is likely that every Canadian citizen will have their personal information stolen or otherwise unlawfully accessed. Whether we are entering our social insurance number to apply for a credit card, accessing our test results from a recent medical appointment, or uploading our vacation photos to Facebook, we are allowing our information to be collected and stored, and leaving it vulnerable to theft by cyberhackers. Such thefts present a seemingly strong case for privacy breach class actions as they squarely fulfill the three main goals of such proceedings: they provide access to justice by consolidating what can be millions of individual claims, they thereby leverage judicial resources, and they are capable of imposing measures that ensure the defendants modify their cybersecurity practices. However, regardless of how necessary a class action may be to pursue privacy breach claims, many courts have recently denied them certification by finding that such claims do not disclose a cause of action.
Owsianik v Equifax Canada Co., 2022 ONCA 813 and Setoguchi v Uber BV, 2023 ABCA 45 are two such examples. Both Appeal Courts denied certification by finding the claims do not amount to the torts of intrusion upon seclusion and negligence, respectively. I argue that in each case, the Court fails to fully appreciate the complexities of mass online privacy breaches at the certification stage. In neither case is it plain and obvious the claims could not succeed.
In Owsianik, the Court considered a group of three appeals where the plaintiffs pled intrusion upon seclusion against Equifax Canada, TransUnion of Canada, and Marriott International, who were alleged to have been reckless in maintaining the online databases that stored the plaintiffs’ stolen information. The relatively new tort of intrusion upon seclusion is defined as an intentional or reckless invasion of the private affairs of another, without lawful justification, in circumstances in which a reasonable person would regard the invasion as highly offensive and causing distress, humiliation or anguish. The Court found there was an invasion of the plaintiffs’ private affairs, and such an invasion would cause distress and anguish. In fact, the Court comments that unlike the remedies available for negligence or breach of contract, the damages for this tort are indeed well-suited to an award on a class-wide basis. However, because it was hackers, not the defendants, who intentionally engaged in the conduct that resulted in the intrusion, the action could not succeed and therefore certification must be denied.
The Court analogizes to a scenario where a garage operator who negligently leaves keys in a vehicle is held accountable for theft when an opportunistic stranger steals the car from the garage parking lot. Expanding the tort to include the garage operator, or the defendants in this matter, exposes them to indeterminate liability. But does such an analogy hold up when considering the recklessness of a defendant whose databases are stolen in a cyberattack? For instance, unlike the garage operator, a database owner has intricate and low-cost security tools available: two-factor authentication, robust user passwords, and regular security audits. Also, unlike the garage operator, a database owner takes on responsibility for massive amounts of users’ personal information, which strikes at the core of a person’s concept of privacy. To properly determine the scope of the tort, further expert evidence brought at a trial of common issues could illuminate the intricacies and extent of the alleged reckless conduct.
In Setoguchi, the plaintiffs alleged Uber was negligent when it failed to provide proper security for the databases that held the drivers’ personal information that was stolen in a cyberattack. The Court held that while Uber owed the plaintiffs a duty of care, the class members could not articulate a “class-wide harm” that was sustained as a result of the theft. The Court noted that there was no evidence that the stolen information was misused and that the risk of its misuse in the future does not, on its own, amount to damages. Further, the Court did not accept that there is any inherent value in personal information that is already publicly available.
While it may be that damages cannot be sought for the risk of misuse of personal information, the stress and anxiety caused by this risk reflect the inherent value of such information and thus articulate a class-wide harm. This argument would benefit from a full factual record that reflects the vulnerability of users who, like many plaintiffs in privacy breaches, must share their information with companies such as Uber to maintain employment and otherwise function in modern society. Additionally, methodologies for determining these types of damages on an aggregate basis are available, the validity of which can be fully examined at trial (see Sweet v Canada, 2022 FC 1228 at para 25).
Although as a policy matter class actions are necessary to achieve redress for privacy breaches, in practice courts have been reluctant to certify such cases. Nonetheless, without providing effective remedies to individuals for privacy breaches, we risk such conduct becoming commonplace and greater erosion of our concept of privacy. Courts must recognize that in our unprecedented age of information, they are required to carefully consider the factual matrix in which our technology-reliant society operates.