The Federal Court of Appeal recently allowed an appeal expanding the scope of a certified privacy class action relating to the loss of personal data of Canada Student Loans recipients. The case, Condon v. Canada(Condon), had previously been certified as a class action, but only with respect to claims based in breach of contract and intrusion upon seclusion (see our February 2012 Blakes Bulletin: Ontario Court of Appeal Recognizes New Privacy Tort).The class appealed, and the Court of Appeal held that claims based in negligence and breach of confidence should also proceed to trial, despite the absence of any evidence that class members have become victims of identity theft or otherwise suffered any tangible losses.
Condon was originally certified as a class proceeding by the Federal Court in March 2014. The action arises out of an announcement in 2012 by Human Resources and Skills Development Canada (HRSDC) that it had lost an unencrypted external hard drive containing the personal information of approximately 583,000 individuals who had participated in the Canada Student Loans program (including names, addresses, dates of birth, social insurance numbers, and student loan balances). HRSDC had not been able to recover the hard drive or determine what had happened to it.
The plaintiffs commenced an action against the federal Crown relying on various causes of action including breach of contract (i.e. the class members’ student loan agreements, which contained terms on how personal information would be stored, disclosed and destroyed), negligence, breach of confidence, and intrusion upon seclusion. HRSDC acknowledged the data loss and had already offered affected individuals various fraud-prevention services. However, no evidence was led on the certification motion to suggest that any class member had become the victim of identity theft or suffered any tangible loss.
The Federal Court certified the claims for breach of contract and intrusion upon seclusion, on the basis that proof of damages is not an essential element of either of those causes of action. However, the certification motion judge found that the absence of compensable damages was fatal to the plaintiffs’ claims in negligence and breach of confidence. Accordingly, she found that that these claims did not disclose a reasonable cause of action and could not be certified. Despite their success in having the action certified, the plaintiffs appealed, arguing that the Federal Court should have also certified the negligence and breach of confidence claims. The federal government abandoned its cross-appeal.
On appeal, the Federal Court of Appeal held that the certification motions judge had erred by relying on the absence of evidence of damages to deny certification of the negligence and breach of confidence claims. The Court of Appeal found that the motions judge should have analyzed the issue based only on the allegations made in the statement of claim, which are to be taken as true for the purposes of determining whether the pleadings disclose a reasonable cause of action (the first criterion for certification of a class proceeding). The statement of claim alleged that class members had sustained damages in the form of “costs incurred in preventing identity theft” and unspecified “out-of-pocket expenses.” The Court of Appeal considered these pleadings of damages to be sufficient for the purposes of the certification criteria, and held there was therefore no basis not to include the claims for negligence and breach of confidence in the class proceeding.
Notably, in its brief reasons, the Court of Appeal did not consider whether the damages alleged constitute legally compensable injuries, even assuming for the purposes of the certification motion that they were in fact incurred by class members. In the past, similar cases (in both Canada and the U.S.) have held that mere exposure to a risk of identity theft or fraud is not a compensable injury in the absence of some provable loss, and denied certification where the only damages alleged were costs associated with credit monitoring. None of these prior cases were addressed in Condon. Moreover, the Court of Appeal did not address whether the plaintiffs’ alleged damages were a recoverable form of pure economic loss.
The Court of Appeal also failed to consider whether the plaintiffs’ claims for negligence and breach of confidence met any of the other criteria for certification of a class action. In particular, the Court of Appeal did not address whether the evidence filed on the certification motion established “some basis in fact” that the claims in negligence and breach of confidence presented common issues of fact or law — the Court of Appeal did not engage with the evidentiary record at all in its decision. While a certification judge is not permitted to evaluate the merits of a case on the certification motion, an absence of any evidence that class members suffered damages would usually be considered as part of the common issues criterion.
While certain causes of action relied upon in privacy class actions do not require proof of loss as an essential element of the claim, Condon reflects a departure from prior case law with respect to causes of action that do require proof of damages. Tort law has traditionally been focused on redressing tangible losses. With privacy class actions becoming increasingly common in Canada, courts will likely be called upon to more squarely consider and rule upon what constitutes a compensable loss for class members in this context.