In part one of this two-part blog series, we considered the Alberta Court of Queen’s Bench decision denying certification in Setoguchi v Uber B.V[1] where the court found that the personal information disclosed in the data breach at issue did not rise to the level of sensitive information that would result in harm to the proposed class members. In that case, the court concluded, no harm, no class action. More recently, Belobaba J. reached a similar conclusion in his decision denying certification in the proposed class action in Simpson v Facebook[2], finding that where there was no evidence that members of the class were actually personally affected by a data breach, there could be no class action.
In Facebook, the court considered a proposed class action arising from the very high profile data breach involving Facebook, and the consulting firm Cambridge Analytica, events which made headlines across the globe in 2016. The data breaches at issue were connected to the 2016 US election campaign, during which US voters were targeted with messages tailored to influence the outcome of the election. The targeting and tailoring was done using personal data collected from Facebook users, which was accessed without the users’ knowledge or consent through a third party application called “thisisyourdigitallife” (the “app”).[3] The fallout resulted in many government inquires, privacy commissioner reports and class actions.
The Proposed Class Actions
The fallout of the unauthorized collection of personal information impacted Canadians. Of the estimated 87 million Facebook users whose data was accessed in the breach, approximately 622,161 were Facebook users living in Canada, 272 of whom actually installed the app and another 621,889 “friends” whose personal data was obtained because the app gained “cascading access” to this information.[4] As a result, three class actions were commenced in Ontario, with a carriage order resulting in two actions proceeding, and one being stayed.[5]
Mr. Donegani was granted carriage of a proposed class action on behalf of Facebook users world-wide whose personal information was improperly obtained “either directly or indirectly” by third parties. Facebook users who voluntarily downloaded a third-party app were excluded. The class included everyone else with one important carve-out: “Canadian residents whose Facebook Information was shared with Cambridge Analytica Group” (the “Donegani Action”).
Ms. Simpson was granted carriage of a proposed class action on behalf of “Canadian residents whose Facebook Information was shared with Cambridge Analytica Group” (the “Simpson Action”). The plaintiff alleged that Canadian Facebook users’ personal data was improperly shared with Cambridge Analytica, which was a breach of Facebook’s own terms of use and constituted a breach of the privacy of class members. The plaintiff relied on the tort of intrusion upon seclusion, seeking symbolic or moral damages of $622 million and $62 million in punitive damages.[6]
No Evidence
The test for certification of a class proceeding requires the plaintiff to show some basis in fact, or “some evidence”, to support its claim. In this case, the plaintiff had to show some evidence to support the allegation that Canadian users’ personal data was shared with Cambridge Analytica.[7] The primary proposed common issue specifically contemplated whether the sharing of Canadian’s personal data with Cambridge Analytica constituted an invasion of privacy or an intrusion upon seclusion.[8] If the proposed common issues could not be certified, than the proposed class action could not be certified.[9]
Over the course of the certification hearing, the court found it apparent that the plaintiff had no evidence that any Canadian user’s personal data had actually been shared with Cambridge Analytica.[10] As a result, the plaintiff tried to shift focus to argue that Facebook violated users’ privacy by willfully or recklessly providing the third-party app with unauthorized access to Facebook user’s personal information, whether or not any such information was actually used.[11] The court would not permit the plaintiff to pursue this argument further as such an allegation would be captured by the Donegani Action, which had been granted carriage of all claims relating to personal information obtained by third party apps. The court also rejected the plaintiff’s submission that the third party app, thisisyourdigitallife, was an ‘affiliate’ of Cambridge Analytica noting that the submission was contrary to the Carriage Orders and Statements of Claim.[12]
The court found that the plaintiff’s failure to provide any evidence that Canadian users’ personal data was shared with Cambridge Analytica, was enough to deny certification.[13] The court noted:
The applicable law on this point is not in dispute. It is fundamental to class action certification that the plaintiff adduce some evidence (some basis-in-fact) for both the existence and commonality of each of the proposed common issues. Here, the focus is on the first part of this requirement, the evidentiary basis for the existence of a proposed common issue. As the Court of Appeal noted in Fulawka:
While the evidentiary basis for establishing the existence of a common issue is not as high as proof on a balance of probabilities, there must nonetheless be some evidentiary basis indicating that a common issue exists beyond a bare assertion in the pleadings.
No such evidence has been presented.
It follows that there is no basis in fact for any of the proposed common issues that ask whether the defendants invaded any class member’s privacy, whether at common law under the tort of intrusion upon seclusion or in breach of provincial privacy statutes. None of these PCIs can be certified. Absent common issues, there is no justification for a class proceeding.[14]
Conclusion
In the result, the court found there was no evidence of the existence of the breach of privacy and denied certification in this case. Notably, Justice Belobaba does not close the door to these types of privacy class actions stating, “the dismissal of this certification motion does not diminish the paramount importance of protecting individual privacy and personal data. An individual’s ability to control their personal information is intimately connected to individual autonomy, dignity and privacy. Significant invasions of personal privacy are serious matters and deserve regulatory and judicial attention. If Facebook, in breach of its own policies and procedures, recklessly allowed third-party apps to improperly access users’ personal data, it should be held accountable by all appropriate means, including class actions.”[15]
Cases like Facebook and Uber, discussed in part one of this two-part series, provide important guidance on the landscape of privacy class actions in Canada. Although the risk and damages posed by cyber incidents and privacy breaches are relatively new, the law with respect to establishing a claim arising out of such incidents remains the same. A successful certification motion must overcome two hurdles by demonstrating some evidence: (1) that the class members were affected by the alleged breach; and (2) that the class members suffered actual harm, either due to the sensitivity of the information or the nature of the disclosure.
Facebook in particular demonstrates that, if the proposed class action cannot overcome the initial hurdle of showing some basis in fact for the existence of the primary proposed common issue, (in this case, the disclosure of personal information to Cambridge Analytica), then the certification motion will fail. As in the Uber case, evidence that the breach occurred alone is unlikely to be sufficient to meet this threshold. Plaintiffs will have to show some evidence of the alleged breach, some evidence that they were personally affected by the breach, and some evidence that the proposed class members suffered actual harm (more than nominal or everyday inconvenience) to ultimately be successful at certification.
[1] Setoguchi v Uber B.V., 2012 ABQB 18.
[2] Simpson v Facebook, 2021 ONSC 968.
[3] Ibid at para 2.
[4] Ibid at para 5.
[5] Ibid at para 7.
[6] Ibid at para 12.
[7] Ibid at para 25.
[8] Ibid at para 25.
[9] Ibid at para 26.
[10] Ibid at para 19.
[11] Ibid at para 30.
[12] Ibid at para 37.
[13] Ibid at para 42.
[14] Ibid at paras 43 – 45.
[15] Ibid at para 49.
