In the past, we have written about third-party data breaches and the tort of intrusion upon seclusion.  The application of that tort in the context of such breaches has repeatedly come before the Court of Appeal in recent years, most recently in Del Giudice v. Thompson.  That case outlines some key principles worth noting concerning class actions involving third-party data breaches.

The case concerned allegations that in March 2019, an individual formerly employed with the Amazon Web Services respondents (“Amazon Web”) hacked a database containing personal information collected by a group of the respondent Capital One companies (“Capital One”).  The data allegedly had been collected from people applying for Capital One credit cards and then stored by Capital One on Amazon Web servers.  The pleadings indicated that the hacker then posted some of that information publicly.  The breach allegedly affected about six million Canadians.

The plaintiffs commenced a proposed class action in relation to the data breach and pleaded 19 causes of action, including intrusion upon seclusion, misappropriation of personality, breach of trust and negligence.  The certification motion was bifurcated, and in the first phase, the motion judge considered whether the plaintiffs had satisfied the cause of action criteria set out in section 5(1)(a) of the Class Proceedings Act.  Ultimately, the judge concluded that the amended statement of claim should be struck for several reasons, including failing to plead viable causes of action against Amazon Web or Capital One.  The motion to certify was also dismissed. The plaintiffs appealed.

In considering this particular issue, the Court of Appeal reviewed the law surrounding the various causes of action pleaded by the plaintiffs.  As the Court noted, to prove the tort of intrusion upon seclusion, a plaintiff must prove that the defendant intentionally or recklessly intruded “into the seclusion of the plaintiff in his or other private affairs or concerns” without lawful justification.  The plaintiff must also prove that this intrusion “would be highly offensive, causing distress, humiliation or anguish to a reasonable person.”

Court of Appeal References Its Own 2022 Trilogy Dealing With Intrusion Upon Seclusion

The Court referenced the trilogy of cases decided in 2022 in relation to this particular tort, namely Owsianik v. Equifax Canada Co., Obodo v. TransUnion of Canada, Inc. and Winder v. Marriott International, Inc.  Those cases established that “a hack of a database by a third party does not constitute intrusion upon seclusion by the database operator.”  The plaintiffs argued that those earlier cases concerned negligent custodianship of data, whereas the case at hand concerned “the improper retention and misuse of data,” including the “improper aggregation” of that data and its transfer to the platform of a third party.  However, the Court of Appeal noted that, regardless, a key element of the tort was missing, namely the requirement that the conduct in question is of a “highly offensive nature, causing distress, humiliation, or anguish to a reasonable person.”  The Court noted that Capital One sought information from credit card applicants, which was then aggregated and “inputted into algorithms to be used for marketing purposes.”  This did not result in any part of anyone’s “biographical core” being exposed.  As such, intrusion upon seclusion was not a viable cause of action in the circumstances.

Pleadings Did Not Ground an Allegation of Misappropriation of Personality

The plaintiffs also pleaded the tort of misappropriation of personality.  The Court noted, however, that this particular tort is intended to protect against “the usurpation of a plaintiff’s right to control or market his or her personality for commercial purposes.”  As the Court observed, no party in the case was alleged to have lost any such commercial interests due to the alleged data misuse.

Various other causes of action were also rejected by the Court of Appeal, including conversion, breach of fiduciary duty and breach of confidence.

Court of Appeal Confirms Pleadings Did Not Sufficiently Ground Claims for Damages

The plaintiffs also pleaded negligence and breach of a duty to warn, and the comments of the Court of Appeal in this regard are worth noting.  To establish negligence, a plaintiff must prove that the defendants owed them a duty of care and that the defendants breached the standard of care expected of them.  Further, the plaintiffs must establish that the breach caused “compensable damage.”  In this case, the plaintiffs pleaded that this damage consisted of loss arising from the “risk of future identity theft or fraud” and actual losses from identity theft/fraud that had already occurred, inconvenience, lost time and “distress, humiliation and anguish.”

The Court of Appeal noted that claims in negligence “for a future loss from the risk of future identity theft and fraud” were not viable since most of the members of the plaintiffs’ class would only have suffered “a risk of future loss.”  Instead, as the Court of Appeal noted in citing Atlantic Lottery Corp. Inc. v. Babstock, there is only a right “not to suffer damage that results from exposure to unreasonable risk.”

Further, the pleadings did not set out any basis to conclude that any class members had suffered actual pecuniary loss due to being defrauded.  As a result, the motion judge was deemed correct to dismiss that aspect of the claim.

Plaintiffs Argue Damages Were Recoverable As Economic Loss

Lastly, the Court of Appeal rejected the plaintiffs’ argument that a claim of emotional distress resulting from a breach of duty in the context of a data breach case was sufficient to establish negligence absent something more.  Such a claim can succeed where a pecuniary loss has also been alleged, but that was not the case here.  

While the plaintiffs argued that damages were also recoverable as pure economic loss arising out of negligent service performance, the Court of Appeal agreed with the motion judge that the pleadings did not allege any service provided by Capital One concerning the plaintiffs’ data.  Likewise, there was no allegation of any service provided by Amazon Web to the plaintiffs.

Accordingly, the Court of Appeal agreed that the pleadings did not disclose a viable cause of action and dismissed the appeal for other reasons.

Toronto Class Action Lawyers Advising On Data Breaches and Other Complex Matters

The team at Milosevic & Associates in Toronto is available to provide effective representation in class action litigation.  They have extensive experience providing strategic and practical advice in various matters, including data breaches.  Contact us online or by phone at (416) 916-1387 for a consultation.
