At the end of this summer, the British Columbia Court of Appeal released a decision[1] concerning what remedies may be available to individuals whose personal information is obtained by hackers from a company that did not have adequate security measures in place. Although this case is from BC, it will be relevant in Ontario and other provinces because of the court’s discussion of the interaction between common law legal principles and the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It is also significant as it reflects the trend across the country generally towards greater recognition of the importance of privacy protection.
Factual Overview
The defendant, Peoples Trust Company, is a federally regulated trust company offering a variety of financial services. In order to access these financial services, clients gave permission to Peoples to use and store their personal information. In 2013, hackers accessed one of Peoples’ databases, obtaining a large amount of sensitive personal information including names, addresses, dates of birth, social insurance numbers, and occupations. The representative plaintiffs, Gianluca Tucci and Andrew Taylor, brought a class action on behalf of Peoples’ clients affected by the data breach and sought compensation for damages caused by the improper accessing of their personal information.
In compliance with section 10.1 of PIPEDA, Peoples reported the breach to the Privacy Commissioner in a timely manner. It was established through the Commissioner’s investigation that Peoples properly notified affected clients of the breach, placed credit flags on their credit files, and had resolved their database security vulnerabilities. However, it was also determined that, at the time of the breach, Peoples did not have adequate security measures in place, as it maintained an unencrypted copy of one their databases and failed to regularly update their server.
Instead of applying to the Federal Court for a remedy as permitted under PIPEDA, the plaintiffs launched a class action in the BC Supreme Court. The certification judge certified the class and found that there were arguable claims for negligence, breach of contract, as well as breach of privacy and intrusion upon seclusion under “federal common law” (discussed further below), but not for breach of confidence, unjust enrichment, or waiver of tort. The certification judge also held that compensatory damages were not a common issue, certifying only “aggregate nominal damages” as a common issue.
Peoples appealed from the certification order and the plaintiffs cross-appealed the certification judge’s failure to certify the breach of confidence and compensatory damage claims. Although there were several issues dealt with on appeal, this article addresses the Court of Appeal’s analysis of PIPEDA and the claims for breach of privacy, intrusion upon seclusion, and breach of confidence.
PIPEDA Does Not Prevent Bringing a Civil Action in Provincial Court
Peoples argued that PIPEDA is a complete statutory code for the collection and use of personal information by federally regulated businesses and, therefore, no action can be brought other than applying to the Federal Court as permitted by the Act.
The Court of Appeal rejected this argument. The court acknowledged that where a statute directly conflicts with a common law principle, explicitly states that it is intended to displace the common law, or it is implicitly clear by its drafting that the statute is intended to be a comprehensive code, the common law will be supplanted rather than supplemented by the statute. However, referring to the Ontario Court of Appeal decision in Hopkins v Kay, 2015 ONCA 112 which dealt with a similar legislative regime for protecting personal health information, the Court concluded that rather than being a complete code the language of PIPEDA acknowledges the availability of other legal remedies. For instance, section 12(1) of PIPEDA reads:
12 (1) The Commissioner shall conduct an investigation in respect of a complaint, unless the Commissioner is of the opinion that
(a) the complainant ought first to exhaust grievance or review procedures otherwise reasonably available;
(b) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of Canada, other than this Part, or the laws of a province….
In concluding that PIPEDA does not prevent bringing a civil action in provincial court for data breaches, the Court stated that the matter “involves private law relations between a commercial enterprise and private citizens. Nothing in the PIPEDA suggests that it is intended to abolish existing private law duties or to eliminate the ability of aggrieved parties to pursue common law causes of action.”
Breach of Privacy, Intrusion upon Seclusion, and the Federal Common Law
The certification judge held that there is no common law tort of breach of privacy or intrusion upon seclusion under BC law, and the plaintiffs did not appeal this conclusion. However, the certification judge also found that these causes of action could be advanced under the “federal common law.”
Although the plaintiffs did not appeal on this point, the Court of Appeal went on a lengthy obiter discussion of the common law privacy torts in BC, which suggests the court’s openness to recognizing these causes of action.
The court stated candidly that it was “unfortunate that no appeal has been taken,” as “the time may well have come for this court to revisit its jurisprudence on the tort of breach of privacy.” Further, after reviewing its own prior cases on the topic, the court stated that the “thread of cases in this Court that hold that there is no tort of breach of privacy, in short, is a very thin one.”
Significant to the court’s reasoning on this point was the Ontario Court of Appeal decision in Jones v Tsige, 2012 ONCA 32, which recognized the tort of intrusion upon seclusion in Ontario. The BC Court of Appeal agreed that as society and technology continues to advance, there is an increasing need for the legal protection of privacy. As the court put it, “personal data has assumed a critical role in people’s lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic.”
The BC Court of Appeal also commented on the notion that a common law cause of action that was not available under BC law could be advanced under “federal common law”. The court stated that, while there are some specialized domains of the common law dealing with federal matters (such as Aboriginal law and Maritime law), it is wrong to understand federal and provincial common law as separate bodies of law. A party cannot elect between provincial and federal common law, because there is no distinction between the two. As the court succinctly stated, “there is only a single common law.” As such, no claim for breach of privacy or intrusion upon seclusion can be made under federal common law rather than BC common law, since they are one in the same.
In the result, since the plaintiffs had not appealed the certification decision on the issue involving the “provincial common law” and the Court of Appeal set aside the decision on the issues invoking the “federal common law”, the class action will proceed without the claims for breach of privacy and intrusion upon seclusion.
Breach of Confidence
In addressing the breach of confidence claim, the Court of Appeal confirmed that the leading case on the requirements to establish breach of confidence is Lac Minerals Ltd. v International Corona Resources Ltd., [1989] 2 S.C.R. 574. The three required elements of the tort are:
- that the information conveyed was confidential;
- that the information was communicated in confidence; and
- that the information was misused by the party to whom it was communicated, to the detriment of the party conveying the information.
The Court of Appeal upheld the certification judge’s decision not to certify the claim for breach of confidence. The court agreed that the first two elements of the tort were present but that there was no “misuse” of the information by Peoples. In the context of a breach of confidence claim, “misuse” requires intentional conduct by the defendant. The court concluded that “other torts, such as negligence and (assuming they exist) breach of privacy and intrusion upon seclusion are more appropriate vehicles to deal with inadvertent disclosure of data.”
Conclusion
The importance of this case, in BC and beyond, lies in the Court of Appeal’s conclusions that PIPEDA does not prevent bringing a civil action in provincial court for data breaches and that there is no such thing as the “federal common law”, as distinct from provincial common law. While this latter conclusion had the effect of limiting the scope of claims that could be brought in this particular case, the Court of Appeal has clearly signaled that the door is open for the recognition of privacy related torts in BC. This is consistent with developing jurisprudence across the country and reflects the increasing concern for privacy, both by the courts and society at large, as companies and organizations increase the amount of personal data they collect while simultaneously being under greater risk of a cyber-attack. The recognition of privacy torts across the country, paired with the finding that civil actions may be brought for privacy breaches outside the PIPEDA legislative scheme, expands the potential remedies available for plaintiffs.
It will no doubt be interesting to see how this decision shapes future jurisprudence on this topic across the country. In particular, while most decisions are in the early stages of determining whether the cause of action exists, future case law developments will have to focus on how liability is to be established in the context of cyber security, i.e. what constitutes “reasonable security” and when is the duty of care breached. Finally, we predict that the development of privacy-related torts will result in a recognition of the increasing value of personal data and privacy itself, ultimately leading to an increase in damage awards on an individual basis.
[1] Tucci v Peoples Trust Company, 2020 BCCA 246
