Recent developments in the privacy class actions space favour businesses facing ongoing risks in maintaining the privacy of individuals’ information collected for business use. While businesses must continue to adhere to statutory and common law privacy laws and policies, privacy breach class action decisions in 2021 show that institutional defendants have the upper hand if class members cannot prove compensable losses. Barring new developments in the appellate courts that permit the extended application of the tort of intrusion upon seclusion, which does not require proof of loss, privacy breaches must yield a quantifiable loss or harm beyond everyday inconveniences for plaintiffs to succeed.

In Setoguchi v Uber, Justice Rooke of the Alberta Court of Queen’s Bench exercised the Court’s gatekeeping function to deny certification in an action alleging a privacy breach caused by thirdparty “hackers” gaining unauthorized access to Uber’s databases. Although the hackers accessed the personal information (names, addresses, and location data) of Uber’s users, there was no evidence of real compensable harm suffered by class members that would be “at least arguable” later. Justice Rooke made it clear that a mere breach of privacy is not enough for certification; there must be “some evidence” or “some basis in fact” for compensable harms suffered by individuals whose privacy was breached.

In his 2021 settlement approval decision in Karasik v Yahoo! Inc, Justice Perell of the Ontario Superior Court of Justice similarly recognized the importance of proof of compensable loss in privacy breach suits. After reviewing privacy class action case law, Justice Perell noted that corporate defendants like Yahoo enjoy stronger positions, considering the plaintiffs’ inability to prove actual harm. As with Setoguchi, Karasik involved a “database defendant,” meaning a privacy class action defendant whose databases were cyber-hacked by unauthorized third parties. In approving the settlement agreement in Karasik with few modifications, Justice Perell noted that, while the likelihood of certification is high in these types of cases, there had been no indication of success on the merits.

Justice Perell’s observation was soon reinforced by the judgment on the merits of Justice Lucas in Lamoureux c Investment Industry Regulatory Organization of Canada, a Superior Court of Quebec decision rendered in 2021, shortly after Karasik was released. In Lamoureux, an Investment Industry Regulatory Organization of Canada (IIROC) employee lost a work-issued laptop containing sensitive and unencrypted personal and financial information belonging to thousands of Canadians. IIROC admitted its failure to protect the data adequately, but Justice Lucas still denied recovery to class members because, among other reasons, class counsel could not show sufficiently serious or compensable losses rising above everyday reasonable expenses or inconveniences.

With plaintiffs’ success hinging on proof of compensable loss, it is no surprise that class counsel have since sought refuge under the tort of intrusion upon seclusion, a privacy tort for which proof of loss is not required. This cause of action is recognized in Ontario and, as set down by the Court of Appeal for Ontario in Jones v Tsige, is made out when the defendant intentionally or recklessly intruded, without lawful justification, on the private affairs or concerns of the plaintiff, such that a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.

Since proof of loss is not required under the tort, class counsel have sued database defendants for intrusion upon seclusion, arguing that the tort should apply, not only to hackers, but to the institutional defendants whose databases are accessed without authority or lawful justification. This argument emerged most notably in Owsianik v Equifax Canada Co, in which a majority of the Ontario Divisional Court rejected the extension of the tort to this context because a database defendant does not commit the intrusion that is the “central element” of the tort.

In the wake of the Divisional Court’s ruling in Equifax, class counsel have suffered a series of losses arguing for the extended application of intrusion upon seclusion—most recently, in an early 2022 decision in Winder v Marriott International Inc., in which Bennett Jones acted for the defendants. The Court of Appeal for Ontario will address the question of the tort’s extension to database defendants later this year, with an appeal of Marriott and of the Divisional Court’s ruling in Equifax set to be heard in 2022.