Two privacy breach class actions recently certified against the Federal Government — Condon and John Doe — demonstrate a timing dilemma faced by all Canadian corporations hit with these sorts of claims. On the one hand, whether any proposed privacy breach class member will be successful in proving legally recognizable damage is open to considerable debate. On the other, the key merits questions will often be deferred, class certification addressing the form of action as opposed to its substantive validity. Accordingly, defendants need to carefully weigh whether, and when, to move for summary dismissal.
A Lost Hard Drive — Condon v. Canada1
Condon is the Federal Court of Canada's first "intrusion upon seclusion" privacy breach class action. An unencrypted hard drive containing personal information of 583,000 students, having received loans from the student program, was reported lost from a filing cabinet. Upon being notified, plaintiffs claimed costs incurred in preventing identity theft; out-of-pocket expenses; and unspecified amounts for inconvenience, frustration, anxiety and increased risk of identity theft.
Despite the motion judge having certified an "intrusion upon seclusion" class action, the proposed representative plaintiffs appealed. They requested, in addition, certification of common issues in negligence and for breach of confidence.2 The Federal Court of Appeal allowed the appeal. Having noted the absence of any evidence personal information has been inappropriately accessed or that any plaintiff has been a victim of fraud or identity theft,3 the appeal court still criticized the motion judge for having weighed the claim's merits, finding no compensable damage. The Court of Appeal held that a mere pleading of out-of-pocket expenses is sufficient, such that negligence and breach of confidence could be part of the certified common issues.
The Revealing Letter Envelope — John Doe v. Canada4
In the second case, plaintiffs sue Health Canada for having breached privacy by inadvertently disclosing their participation in a marijuana medical access program. Each class member, approximately 40,000 individuals, was sent a letter in an envelope identifying them as a program licensee.5 The class action advances six causes of action against Health Canada: breach of contract, negligence, breach of confidence, intrusion upon seclusion, "publicity given to private life", and breach of a Charter right to privacy.6 The Federal Court certified all six as common issues, emphasizing the low threshold for certification as it does not involve a merits assessment, only requiring plaintiffs to show "some basis in fact" for each requirement.7
Citing the Condon appeal decision, the John Doe court found a very general damages plea to be sufficient to certify the claim in negligence. That class members may not be successful in proving damage at trial was not viewed as a basis for striking a negligence claim early in the litigation. With respect to the asserted "publicity given to private life" tort, the John Doe court held this claim is novel and should be allowed to proceed. On the appropriateness of advancing a class action with anonymous representative plaintiffs, and the tension between avoiding having one's privacy interests further injured through litigation and the open court principle, the John Doe court recommended that at least one "public" class representative should be identified.
Weighing Summary Dismissal
Accidental data breaches and lost or stolen unencrypted USBs, laptops, phones and hard drives have been leading, in certain circumstances, to statutorily-required notices across Canada. These notices may create an identifiable class. Class actions are presently being certified for intrusion upon seclusion when the facts suggest little or no actual damage. It is important for clients to bear in mind that on the Condon and John Doe facts, it is unlikely plaintiffs will be able to establish at the common issues trial the level of recklessness, as opposed to negligence, necessary to substantiate this new intentional tort. Accidental data breach cases will not generally justify an intrusion upon seclusion claim.
While the intentional intrusion upon seclusion tort may not require proof of traditional damages, negligence claims still do require compensable harm.8 Where a plaintiff can neither satisfy the requirement of reckless disclosure for intrusion upon seclusion nor actual damages for negligence, a defence-side summary judgment motion will often be appropriate, the timing of which is open to professional judgment.
In contrast, the intentional tort may be made out against a rogue employee who deliberately misuses personal data. But a rogue will likely have no exigible assets or insurance. The question then arises as to whether employers can be fixed with vicarious liability for criminal or other illegal employee misuse of personal information. Whether vicarious liability exists in respect of the intrusion upon seclusion tort has yet to be determined by Canadian courts.