The Court of Queen’s Bench of Alberta’s decision in Setoguchi v. Uber B.V. is one of the most recent cases to consider the state of privacy law in Canada. In it, the court held that the nature of the personal information that was the subject of a data breach was not sufficiently sensitive to give rise to a claim for damages. As a result, and in the absence of evidence showing harm to class members, evidence of the data breach alone did not form the basis for certification of the class action.
The claim in Uber proposed a national class on behalf of users of or drivers for Uber. The proposed class action followed the 2016 hacking, by third parties, of Uber’s storage of the proposed class members’ personal information. The claim alleged that Uber failed in its contract, common law, and statutory obligations to protect the personal data, and to ensure it was not accessed by unauthorized parties. Both personal and punitive damages were sought.
Was there Harm?
In considering whether the proposed class action was appropriate for certification, the court was primarily concerned with whether there was some evidence or some basis in fact for any real harm resulting in common loss or damage.
Ultimately, the court found that the proposed representative plaintiff had provided no evidence to show a breach of any truly confidential information. As a result, there was no evidence of loss related directly to the breach or consequential loss following the hack.
Privacy Cases Across Canada
In denying certification, the court considered the body of privacy jurisprudence that has developed across Canada. The court noted, “to the extent that the courts have struggled [with the development of privacy cases], no matter the reason, to protect the security of truly private confidential information, I believe the real issue is the ability to separate “token” or “nominal” or “baseline” cases where there is no evidence of real harm or loss, from cases where there is actual harm or loss.”
The defendants directed the court to different categories of privacy class actions, including 11 cases of Data Breaches by External Actors, of which only two had been certified. The defendants argued that a review of these cases revealed that no Canadian court had ever certified a data breach class action that involved disclosure of the same or similar type of benign or public information at issue in the Uber case, i.e., name, email address and phone number.
Ultimately, Uber argued that certification was dependent on evidence of actual harm and, therefore, the sensitivity of the information accessed and the impact to class members of dissemination. The court agreed and noted that it was clear from Jones v. Tsige that harm will arise in a breach of privacy case only where the breach is highly invasive, causing distress, humiliation or anguish and involves a deliberate and significant invasion of personal privacy. While proof of harm to a recognized interest is not an element of the cause of action of intrusion upon seclusion, individuals who are unusually concerned about their privacy are excluded.
In considering whether the data at issue could be described as private information or “information which tends to reveal intimate details of the lifestyle and personal choices of the individual”, the court found that there was no evidence or basis in fact that any class member had, or would have had, any reasonable expectation of privacy in the subject information.
In this respect, the court considered the decision in Bourbonnière c. Yahoo! Inc., 2019 QCCS 2624 at para 37, where the Quebec court found that the need to change a password following a data breach, or the embarrassment of spam mail to friends, was not sufficient to allow the matter to proceed as a class action. The court considered the cases discussed in Bourbonnière which demonstrate, “the distinction between minor and transient upset and compensable injury ... [which] must be ‘serious and prolonged’ and rise above the ordinary annoyances, anxieties and fears that a person living in society may experience”, and thus, in the result: “[t]he transient embarrassment and inconvenience ... are of the nature of ordinary annoyance and do not constitute compensable damages...” [Emphasis added].
The defendant argued there was no factual evidence of any type of economic harm in the four years since the breach and directed the court to decisions where certification was granted and in which the breaches were directly linked to individual harm and the personal information was “actually very sensitive.” While the court noted that not all cases for nominal damages should be “sent to the dust bin,” it concluded that there still must be some evidence of actual harm or loss, or the claim is incomplete. In this case, the court found not only that there was no evidence of significant harm, or insignificant harm; there was evidence that loss or harm was wholly non-existent.
The court also considered the decision in Li v. Equifax, 2019 QCCS 4340, noting that similar circumstances were not sufficient for certification/authorization in that case. The court noted that “the risk of a future injury developing – a hypothetical injury - is not an injury that can be compensated”, distinguishing this from real harm arising out of preventing further interference with personal information.
Several years ago, when privacy class actions began to arise, the claims appeared novel and the potential for large damage awards was daunting. However, since then a more fulsome body of jurisprudence has developed across Canada. From the growing body of case law, it appears that a successful certification motion must overcome the hurdle of demonstrating evidence of harm. As in the Uber case, evidence of the breach alone is unlikely to be sufficient to meet this threshold. If the plaintiff is unable to show that the proposed class members suffered actual harm, which is more than nominal or everyday inconvenience, they are unlikely to be successful with certification. Part of the analysis requires the court to look carefully at the type of information at issue, the nature of that information, whether the class members had a reasonable expectation of privacy with respect to the information, and whether disclosure of the personal data has resulted in demonstrable harm.
This may eventually result in two types of cases. The first are those in which the disclosure of the type of information at issue in and of itself amounts to a level of distress, humiliation or anguish that gives rise to a claim for damages, for example, very sensitive health information or intimate details of a sexual nature. There may also be cases in which the type of information that is the subject of the breach is somewhat more benign but it can be shown that its disclosure has resulted in actual harm, for example, financial information giving rise to identity theft, including fraudulent credit cards and incurred debt.
Ultimately, in the Uber case the court found that the disclosure of the personal information at issue in this particular data breach did not rise to the level of sensitive information that would result in harm to the proposed class members. After considering the criteria for certification under the class proceedings legislation, the court denied certification in this case.
 Setoguchi v. Uber B.V., 2012 ABQB 18.
 Ibid at para 1.
 Ibid at para 1.
 Ibid at para 2.
 Ibid at para 29.
 Ibid at para 49.
 Ibid at para 50.
 Ibid at para 50.
 Ibid at para 51.
 Ibid at para 52.
 Ibid at para 53.
 Ibid at para 54 citing to Ari v. Insurance Corporation of British Columbia, 2013 BCSC 1308, at para 54, aff’d 2015 BCCA 468; Evans v. Bank of Nova Scotia 2014 ONSC 2135, leave to appeal ref’d 2014 ONSC 7249 (Div. Ct.); Tucci v. Peoples Trust Company, 2017 BCSC 1525; and Grossman (also relied upon, at para 10, for the statement, “Your name and address are certainly not private...”).
 Ibid at para 55.