One year ago today, we published a blog about the Alberta Court of Queen’s Bench decision in Setoguchi v. Uber B.V., 2021 ABQB 18 in which a certification motion was dismissed. The proposed class action involved a data breach where Uber was hacked by third-party cyber-criminals.
We are noting that anniversary by providing our comments on the recently released appellate decision. We previously noted the court’s finding decided that the nature of the personal information that was the subject of the data breach was not sufficiently sensitive to give rise to claim for damages. As a result, and in the absence of evidence showing harm to class members, the data breach alone did not form the basis for certification of the class action.
The plaintiff appealed and, in Setoguchi v Uber BV, 2023 ABCA 45, the Court of Appeal upheld the lower court’s dismissal of the certification motion and, in doing so, has provided further guidance on what is required for a class proceeding based on a data breach cyber incident to be certified.
In 2016, Uber was the victim of a cyber-attack from a third-party hacker. The breach included cyber-criminals accessing personal names, phone numbers, email addresses, and driver’s licenses. Uber received a ransom demand and paid the hackers $100,000 USD in return for an assurance that the hackers “would destroy and not disseminate” the data. Uber was also subject to regulatory orders that imposed a mandatory privacy protection program and fines of close to $200 million.
The appellant brought the action on behalf of the individuals who had their information improperly accessed in 2016. It was alleged that Uber’s third-party cloud-based storage was vulnerable to hackers and that Uber initially concealed the hack from clients and authorities. Following the certification motion, the appellant abandoned certain claims, including the tort of inclusion upon seclusion, and sought to certify only the claims in breach of contract and negligence on appeal.
The appellant argued that Uber failed to protect the personal information held in their databases. They further argued that the certification judge erred in his approach to damages, over-stepped his gatekeeping role, and erroneously treated the certification like a summary judgment. The Court of Appeal noted that the central issues in this appeal related to the certification judge’s approach to ss. 5(1)(a) and (d) of the Alberta Class Proceedings Act (“CPA”) in light of this novel claim.
The CPA outlines the five class action requirements as 1) the pleadings disclose a cause of action; 2) there is an identifiable class of two or more persons; 3) the claims of the prospective class members raise a common issue; 4) a class proceeding would be the preferable procedure for the fair and efficient resolution of the common issues; and 5) the proposed representative plaintiff is adequate. The Court of Appeal reaffirmed that if all five of the class action criteria are met, then the action must be certified. Similarly, if they are not met, then the application for certification must be dismissed.
On the motion, the judge found that the appellants had not shown evidence of actual harm or loss, which was evidenced by the fact that none of the proposed class members had been the subject of identity theft. However, the Court of Appeal was critical of this approach for imputing a requirement into the class action criteria that plaintiffs show there was harm or loss. Instead, the Court of Appeal was clear that the certification judge should have determined whether the facts outlined a viable cause of action under s. 5(1)(a) of the CPA. The court was clear that the analysis about whether there was evidence to show loss should only be analyzed when determining whether the plaintiffs successfully pleaded negligence rather than as a specific section of the class action criteria.
The court went on to analyze whether the appellants pleaded viable causes of action. It noted that negligence requires proof of loss as an element of the cause of action, and a plaintiff must, therefore, “plead facts sufficient to amount at law to damage.” The court noted that while a breach of contract claim does not require proof of loss as an element of the cause of action, negligence does. The court went on to say that pleading a bare conclusion such as “damages” or “injury” is not sufficient and requires facts to sustain them. For this reason, the Amended Statement of Claim at issue was deficient as it did not particularize the harm or damage suffered or how such loss or damage was caused by Uber.
The court cited Atlantic Lottery as an authority to tackle questions of law at the certification stage. The court stated that tackling questions such as whether a negligence claim was viable at the certification stage is key, not only for clarity purposes but also to ensure an affordable and just resolution, particularly for novel claims. While the certification stage is not the time to be overly restrictive in the interpretation of pleadings, neither can novelty insulate a claim that plainly and obviously cannot succeed. The court held that “It is plain and obvious that the loss in question is not a compensable harm recognized in law.”
The appellant argued that the members of the proposed class are at a higher risk for identity theft. However, the court stated that damages for the risk of future harm or the increased risk of harm have not generally been accepted in Canadian tort law. Based on Canadian case law, the court came to a conclusion that “The appellant has no hope of establishing that the simple loss of publicly available information like names, phone numbers, and email addresses amounts, without more, to compensable injury or loss.” The court is clear that certifying the novel claim of simply “the loss of information to criminals who have accessed and downloaded the information” would not be an incremental development in the law, but rather a “giant step.” Therefore, the court stated that the claim in negligence did not disclose a cause of action under s. 5(1)(a) of the CPA.
Breach of Contract Analysis
With respect to the breach of contract claim, the certification judge found that all criteria had been met except for preferability. As such, if the appellant were to succeed in having the breach of contract claim certified, it must show that the judge erred in the preferability analysis under s. 5(1)(d) of the CPA. Preferability refers to whether a class proceeding would be a fair, efficient, and manageable method of advancing the claim and that it would be preferable to any other reasonably available means of resolving the class members’ claims.
The certification judge determined that a class action would not be the proper avenue for multiple reasons: no benefit to judicial economy given class-wide harm could not clearly be established; determining damages might require individual assessments; no evidence of actual loss or harm; no improvement to access to justice because damages are at best nominal; and, while there may be some small benefit with respect to behavioural modification, that alone does not “bootstrap” to certification a case that seems “hopeless for recovery of actual losses.”
While the certification judge acknowledged that breach of contract claims do not require a suffered loss, in which case nominal damages are available, the Court of Appeal found that he was clearly exercising his gatekeeping function to deny certification on the basis the claim did not have what he considered to be sufficient merit or some evidence of “real harm.” Further, while the Court of Appeal recognized that breach of contract claims in cases of a data breach where a “real loss” had not been suffered have previously been certified, this has largely been in cases where other causes of action were also certified. The court ultimately stated that the “Certification judge’s decision on preferability is entitled to particular deference because it involves weighing and balancing a number of factors.”
In the end, the court is clear that it was open to the certification judge to decide that access to justice issues did not prevail, nor did the limited compensation for class members merit expending vast judicial resources. The court also stated that it was satisfied that the imposed regulatory penalties, almost $200 million, and an imposed privacy protection program were adequate to ensure behaviour modification on Uber’s part.
The Court of Appeal’s decision lends clarity to an increasingly litigious area of law that once seemed ripe for new or varied causes of action and large damage awards. With the rise in cyber-attacks, the decision confirms that plaintiffs must have a clear and viable cause of action in order to be certified and must ensure that the damages they claim are compensable at law. If the claim is a proposed class proceeding, they must also ensure that there is a compelling argument that such a claim will benefit judicial economy and access to justice in light of the amounts sought. In other words, if all that is sought are nominal damages, the expenditure of judicial resources and ‘nominal’ increase in access to justice are unlikely to be justified.
Now, after years of proposed class proceedings grounded in data breach cyber incidents, courts are disinclined to certify novel claims simply because there is no precedent to suggest they cannot proceed. Going forward, such claims must be grounded in established legal principles and analytical frameworks if they are likely to proceed, never mind succeed. The court was clear that when considering novel claims, it is important to remember that “[T]he absence of a precedent ruling that a particular claim is not a recognized cause of action does not mean that it is a recognized cause of action.” Importantly, the court has emphasized that a class action certification is a discretionary decision and is entitled to deference on review. It will be interesting to see if the Ontario courts will grant similar deference to certification judges’ decisions.