With two recent failed digital privacy class-action certifications, litigators say certification is becoming a higher hurdle to pass
Though privacy class actions have surged since 2012, and PIPEDA’s new mandatory breach-reporting requirements should keep applications rolling in, two recent failed certifications show judges may be stingier at the certification stage, say litigators.
Though it had previously existed in the United States, the tort of intrusion upon seclusion has been in play in Canada since the 2012 Ontario Court of Appeal case Jones v. Tsige. In this invasion of privacy case, the two parties were both employees at the same bank and the dispute began when Tsige shacked-up with Jones’s ex-husband and used her position at work to access Jones’ personal banking information 174 times. The appeal centred on whether the lower-court judge erred in taking the position that Ontario law does not recognize a tort for breach of privacy – a question that has been debated for 120 years, said the ruling by Justice Robert Sharpe. His overturning the decision to dismiss the claim created that tort.
Jones v. Tsige has provoked numerous privacy law suits – aided by the rise of technology capable of collecting, holding and monetizing data, organizations of all kinds digitizing their records systems and Canada’s new Personal Information Protection and Electronic Documents Act.
“There certainly was an increase in these types of claims brought, in general, be it in a class action format, on an individual setting, post 2012,” says Scott Robinson a class action and international arbitration lawyer in McCarthy Tétrault LLP’s national litigation group.
Jones v. Tsige has been significant for class-action practice because it made it possible for a plaintiff to get up to $20,000 without proof of economic loss, if they could prove the information intruded on was “particularly sensitive” and caused emotional or mental distress, says Catherine Beagan Flood, partner at Blake Cassels & Graydon LLP in Toronto.
Since Jones v. Tsige, digital privacy incidents have ranged from rogue employees accessing customer files, to people posting intimate photos of their ex-lovers without consent, says Beagan Flood. Also proliferating are thieves hacking into the computer systems of organizations, stealing data and demanding a ransom for the return of the information, she says.
“We, unfortunately, are increasingly seeing ransom demands,” she says. “In some cases, it’s a hacker who has encrypted a system, in some cases it's a hacker whose stolen data. And then in some cases, it's someone just making up a story and hoping that if they ask for a small enough amount of Bitcoin people will just pay it rather than take the risk that they actually have something.”
While Beagan Flood says Canada is seeing a “steady stream” of privacy class actions, the view of privacy by courts is evolving.
“I think that courts are increasingly recognizing that privacy is inherently subjective and individual,” says Beagan Flood. “And so, while there are some types of privacy cases that are certifiable, there will be other cases where you're dealing with situations either where there's no damages, or where if there are damages, they’re so individual, that they should be dealt with through small claims or through the Privacy Commissioner process instead of through class proceedings.”
Two examples of judges taking a harder line on allowing certifications for privacy breaches class actions are Broutzas v. Rouge Valley Health System and Kaplan v. Casino Rama, says Beagan Flood.
In the latter case, doubly unfortunate was Casino Rama – first the victim of a cyber-attack, where hackers stole information on their employees, vendors and patrons and asked for a ransom in exchange for the data’s return. Rebuffed in their ransom request, the thief posted the personal information of more than 10,000 people online, creating a class to pursue Casino Rama for the breach of privacy.
Though Justice Edward Belobaba said he found there was a valid case to be made for negligence, breach of contract and intrusion upon seclusion, he said it was the hacker and not Casino Rama who invaded the class members’ privacy. More importantly, as the intrusion would have to be shown to be offensive to a reasonable person class-wide, there was “no evidence” that scope of consistent harm could established without individual inquiries, said the decision.
Casino Rama’s response to the hack was “prompt and exemplary,” says Nicole Henderson, who is a class-action litigator with a focus on cyber-security and product liability and partner at Blake, Cassels & Graydon LLP. They notified law enforcement, regulatory agencies and everyone affected by the cyber-attack and offered some free credit-monitoring, she says.
“Nonetheless, you see a class action arrive anyway,” she says.
In Kaplan v. Casino Rama, Belobaba said that though class action was not the preferable recourse, class members still had the option of individual actions, in small claims court and under PIPEDA.
Beagan Flood and Henderson were counsel in the Broutzas v. Rouge Valley Health System case, for one of the defendants, Knowledge First Financial Inc. Broutzas was about a hospital employee unlawfully accessing patient records and selling the contact information of recent newborns so the buyer could try to sell the parents registered education savings plans.
But Justice Paul Perell of the Ontario Superior Court found that the contact information, though personal, was not private information.
“The information that was allegedly intruded upon, was not inherently sensitive or embarrassing or humiliating,” says Henderson. “Perell, looking at that as a breach of privacy claim, noted… most people don't treat their contact information as inherently private. It's something that's routinely shared.”
“Here, you saw Justice Perell, and very candidly, say there may be intrusion here, but based on what I've seen, there really wasn't seclusion,” Robinson says. “This isn't going to pass muster.”
Perell was “expressly grappling” with the evidentiary disputes between the parties in Broutzas, and this is a trend Robinson says is widely present in Canadian class-action cases.
“Especially when you're seeing evidence being proposed both by the plaintiffs, but rebuttal evidence being proposed by the defendants, you're seeing courts in general in Canadian class actions now starting to grapple with evidentiary disputes at certification as opposed to just rubber stamping it and moving it on,” Robinson says.
“I don't know if this is necessarily confined to a privacy class-action realm. I think it's indicative of a trend you're seeing generally in Canadian class action jurisprudence, and it is, what the motion is designed to be,” he says.
A class action is a procedural vehicle and certification is only a procedural motion to evaluate whether a case should be packaged as a class action, before moving on the merits-based phase of the proceedings, says Robinson. But these can be “massive motions,” with “incredible sums of money” at stake and he says the extent of the cases has been growing over time.
“The certification motion, now – compared to what it was in the mid-90s, for example – It's usually a much larger beast,” Robinson says.
The certification judge is meant to be a “gatekeeper,” he says. But even though certification motions have a “somewhat lower” evidentiary threshold – a some-basis-in-fact standard – than the “normal civil setting” – which operates on a balance of probabilities – the legislature did not design these processes to be easy, says Robinson.
“Certification is not meant to be a rubber stamp,” he says.
Two recent privacy class-action failures
There has been a flood of privacy class action law suits, since the Ontario Court of Appeal established the tort of intrusion upon seclusion. These new cases have been spurred by rising technology and the ability and lucrative potential for businesses and other organizations, of extracting and holding massive amounts of personal data on customers, suppliers and every other party involved in operations. However, lawyers say judges are becoming more scrutinizing at the certification stage.
Casino Rama Cyberattack
What transpired in Broutzas v. Rouge Valley Health System and Kaplan v. Casino Rama is an increasingly common cyber-attack, says Beagan Flood. Digital information on customers and others was stolen by a hacker who demanded from Casino Rama a ransom for its return. Casino Rama’s response was “exemplary” says Nicole Henderson, a class-action litigator with a focus on cyber-security and product liability and partner at Blake, Cassels & Graydon LLP. Ultimately, the class-action formed against them failed.