In the recent decision of Doe v Her Majesty The Queen, 2015 FC 916 (“Doe”), the Federal Court granted conditional certification of a class action brought on behalf of members of the Marihuana Medical Access Program (“MMAP“). This conditional certification is notable as it, alongside the recent case Evans v. Bank of Nova Scotia (“Evans“), is one of the few class actions certified in Canada relating to breaches of privacy. Particularly of interest is the Plaintiffs’ allegation that the Defendant committed the tort of intrusion upon seclusion and of publicity given to private life, a truly novel tort in Canada. [For more on Evans, please see our post here.]
In certifying the motion, the Federal Court affirmed that class actions may be a potential venue for litigants to seek compensation for privacy breaches. Companies should be aware of this and work to strengthen their internal policies on safeguarding personal information to prevent any threat of litigation.
Although the tests for certification may vary by jurisdiction, the general principles of certification remain fairly consistent across Canada. In Doe, Phelan J considered Rule 334.16 which outlines that the Federal Court will certify a class proceeding if:
- the class action discloses a reasonable cause of action;
- there is an identifiable class of two or more persons;
- the claims of the class members raise common questions of law or fact, whether or not those common questions predominate over questions affecting only individual members;
- a class proceeding is the preferable procedure for the just and efficient resolution of the common question of law and fact; and
- there is an appropriate representative plaintiff to advance the litigation.
As part of the certification analysis, the applicant must also disclose “some basis in fact” for each of the certification claims, though the threshold requires only a minimum evidentiary basis.
The Facts in Doe
In Doe, the Plaintiffs brought a certification motion against the Government of Canada (“Government”) concerning an administrative error where the identities of MMAP participants were compromised when envelopes with their names visible were mailed out by the Government with a return address labelled to the “Marihuana Medical Access Program”. The Plaintiffs alleged six causes of action including: (1) breach of contract; (2) negligence; (3) breach of confidence; (4) intrusions upon seclusion; (5) publicity given to private life; (6) and breaches of the Charter right to privacy. The Government acknowledged the administrative error but opposed the certification on other factual grounds that Phelan J deemed an issue for trial and not certification.
The Decision in Doe
In the reasons dated July 27, 2015, the Federal Court conditionally certified the class action upon the submission of an amended statement of claim. In determining that the class be certified, Phelan J found that the Plaintiffs had adequately met the low evidentiary burden to demonstrate “some basis in fact” for their claims. He was also satisfied that the Plaintiffs had a reasonable cause of action, as it was not “plain and obvious” that the action could not succeed. Of note was Phelan J’s articulation that the novelty of the torts intrusion upon seclusion and publicity given to private life were not reasons for striking them. Phelan J certified all six causes of action, though asked for the breach of Charter rights to be amended for clarity or be withdrawn on amendment. [For more on the tort of intrusion upon seclusion, please see our post here]
Phelan J next found that the class shared common questions of law and fact and that the individual issues were not overriding enough to detract from the advantage of having the common issues determined. In examining whether a class action was the preferable procedure, Phelan J took into account the three goals of class actions (access to justice, judicial economy and behaviour modification) finding that this particular action advanced all three goals. Finally, while Phelan J took issue with the potential anonymity of the representative plaintiff, he still deigned to certify the proceeding on the assumption that there might be one representative willing to go public.
The willingness of the court to certify a class action relating to privacy breaches may have significant ramifications on how consumers seek redress when companies or agencies breach or mishandle their data. Although Canadian class actions have been significantly fewer than the numbers in the United States, especially in the area of privacy breaches, this decision indicates that the Canadian courts are at least willing to consider class actions as a potential venue for compensating victims of privacy breaches. Companies and agencies should take measures to protect the confidentiality of their data to prevent privacy breaches.
The following guidelines may assist businesses in protecting data containing personal information and limiting exposure to liability due to breach of privacy:
- Develop a breach protocol that is amended periodically to account for improvements in technology.
- Incorporate a notification procedure in the breach protocol in order to report breaches to the applicable Privacy Commissioner. Even in jurisdictions where such notification is not strictly required by law, it is prudent to notify the Privacy Commissioner (or affected individuals) of data breaches where such notification would help mitigate the harm arising from the breach.
- Ensure that all contracts with third parties include provisions that require the third party to immediately inform the organization of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
- Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or ‘anonymize’ all personal information after such information is no longer needed and no longer legally required to be retained.
- Undertake employee training initiatives to ensure familiarity and compliance with all privacy policies and practices.
For businesses looking to develop or update their privacy policies and procedures, the following guidelines may be of assistance:
- Build a security program that protects the confidentiality, integrity, and availability of all information, not just personal information.
- Develop classification standards so that personal and non-personal information, as well as, sensitive and non-sensitive personal information can be easily identified.
- Ensure that proper security controls are in place and conduct risk assessments of all personal information.