Privacy class actions 2021: More misuse-of-information claims, certification used as screening tool

What lawyers saw in privacy class actions over the last year

Privacy class actions 2021: More misuse-of-information claims, certification used as screening tool
Kirsten Thompson, Robert Carson

An uptick in misuse-of-information claims and recognition by courts that certification is a meaningful screening device, are among the trends lawyers saw in privacy class actions in 2021.

The proliferation of data breaches has coincided with the rise of the internet and digital technology. But in a number of decisions in 2021, judges have acknowledged that a privacy class action should not automatically follow from a data incident, says Robert Carson, a litigator at Osler. He adds that courts have also emphasized that evidence of harm to class members – “beyond speculation of possible harm or general inconvenience or frustration” – is a requirement for class actions.

While privacy class actions used to be composed primarily of privacy breaches, Kirsten Thompson says there has been a rise of claims around misuse of information. These claims are brought when a company collects personal information for one purpose, then uses it for another. This leads to allegations of inadequate consent and improper use and disclosure, says Thompson, who is national lead of the Transformative Technologies and Data Strategy group at Dentons.

“Companies are having to have a robust information governance practice: mapping out and understanding where personal information is coming from, going, and how it will be used and with whom it will be shared,” she says.

Along with class actions, individual privacy litigation is also on the rise, says Thompson. Enacted in 2021, Quebec’s Bill 64 includes a private right of action, “which will almost certainly result in more litigation,” she says.

Among the proposed class actions dismissed at the certification stage was Simpson v. Facebook, Inc., out of the Ontario Superior Court. The plaintiff had been granted carriage on behalf of Canadians who had their Facebook accounts shared with Cambridge Analytica. But Justice Edward Belobaba dismissed the certification motion, finding there was “no evidence on the record” that any Canadian had personal data shared with the data analytics firm.

“The dismissal of this certification motion is simply a reminder to class counsel that while certification remains a low hurdle it is nonetheless a hurdle,” said Justice Belobaba.

“Again, reinforcing the point that certification is meant to be a meaningful screening device,” says Carson, whose practice is focussed on corporate and securities litigation and class action defence.

Also stemming from the Cambridge Analytica scandal was Kish v. Facebook, Inc., in which Saskatchewan Court of Queen’s Bench Justice Timothy Keene denied the certification motion. In Québec, Facebook successfully defended a class action alleging its tools “illegally excluded certain users from employment and housing opportunities,” rejected as “hypothetical and speculative” by the court, said Osler’s Class Actions Legal Year in Review. Osler acted for Facebook in all three cases.

Two other decisions demonstrated how plaintiffs must present evidence of “actual harm” to be certified, said Osler’s article. At the Court of Queen’s Bench of Alberta, the proposed class action in Setoguchi v. Uber targeted the ride-hailing company because of a data breach. As there was no evidence the hacker had used anyone’s personal information, Associate Chief Justice John Rooke found there was no tangible harm, merely speculation that there might be loss or harm in the future.

In Setoguchi v. Uber, Justice Rooke described the “gatekeeping function of certification and the need to weed out unmeritorious and de minimis claims at the certification stage,” says Carson. He points to Justice Rooke’s statement in the decision: “I believe that there must be some evidence or basis in fact, in support of real, not de minimis compensable harm or loss, leading to a claim that is at least arguable and that certification must not be allowed without it. Otherwise, a class proceeding could be a mere fishing trip, based on speculation, without any evidence of fish being present.”

Lamoureux v. IIROC, from the Québec Superior Court, which dealt with an inspector who had lost a laptop containing information about thousands of Canadians, was similarly dismissed. No laptop was ever found and the class members “fears and worries” about the possible identity theft were deemed not to be injuries which rose above “general inconveniences,” said Osler’s article.

*with files from Elizabeth Raymer

Recent articles & video

Law firm managers struggling to fill roles as demand for lawyers continues: recruiter report

Stikeman Elliott, McCarthy Tétrault assist in Osino’s $368 million sale to China’s Yintai

BC Supreme Court orders full compensation for victim in three-car collision

Alberta Court of Appeal upholds jurisdiction in cross-border divorce case

Federal Court denies anonymity for Uyghur applicants in permanent residence case

BC woman wins Provincial Court case against dentist for unauthorized and negligent dental work

Most Read Articles

BC lawyer ordered to pay up for attempting to use ChatGPT ‘hallucinations’ in application

Artificial intelligence hallucinations in legal research may become a thing of the past

BC Supreme Court deals with complex property and separation agreement dispute

US court says Baker & McKenzie LLP can face malpractice suit in Chicago