Recently, my colleagues Sean Griffin and Ann-Elisabeth Simard considered the Evans v Bank of Nova Scotia (“Evans”) decision, wherein the Ontario Supreme Court (the “Court”) certified a class action proceeding for allegations concerning a breach of privacy rights through the tort of intrusion upon seclusion first set out in Jones v Tsige (“Jones”). You can access their blog here.
Evans has set a precedent for the low threshold that must be met for certification of class actions concerning breaches of information privacy. In this blog, we will canvass the implications of the Evans decision for organizations in various provinces and how organizations can mitigate the risk of a class action resulting from a privacy breach.
Low Threshold For Class Action Certification
The availability of the tort of intrusion upon seclusion as a class action matter should concern companies because of the low threshold for class action certification. Furthermore, as discussed in a previous blog, since the Jones test does not require proof of damage, the likelihood that the common law tort of intrusion upon seclusion could be a basis of action in certain provinces is high.
Tort Of Intrusion Upon Seclusion Not Available In All Provinces
(a) British Columbia
The common law tort of intrusion upon seclusion per Jones is not recognized in all Canadian provinces. For instance, the Supreme Court of British Columbia held in Demcak v Vo that there is no common law tort of invasion of privacy. Instead, British Columbia, along with four other provinces, has a statutory tort for the invasion of privacy. While the British Columbia statutory provisions outlining this tort are similar to the elements in Jones, it is possible that the statutory cause of action will preclude the common law tort.
Despite the fact that the tort of intrusion upon seclusion is not available in British Columbia, the Supreme Court of British Columbia has recently certified a class action against Facebook regarding alleged violations of the British Columbia Privacy Act, with a massive estimated class of 1.8 million people. For more information about this case, you can read our blog here.
(b) Alberta
In Martin v General Teamsters, Local Union No 362, 2011 ABQB 412, the Alberta Court of Queen’s Bench rejected the common law tort of invasion of privacy even though there is no statutory equivalent in Alberta; instead, the court held that if any damages could be awarded for invasion of privacy, the only recourse available is under the Personal Information Protection Act after the Privacy Commissioner finds that a breach of privacy has occurred.
As Sharpe JA noted in Jones, “The question of whether the common law should recognize a cause of action in tort for invasion of privacy has been debated for the past one hundred and twenty years.”
(c) Other Provinces
The debate in Canada is clearly far from over, and it will be interesting to see whether other jurisdictions adopt a common law cause of action and allow certifications of class proceedings (as in Ontario), enact a statutory cause of action and allow certifications under the statutory regime (as in British Columbia), or both.
Tips for Businesses
The recent certification of privacy class actions demonstrates the need for organizations to be diligent in guarding against privacy breaches and obtaining consent. The following guidelines may assist businesses in protecting data containing personal information and limiting exposure to liability due to breach of privacy:
- Develop a breach protocol that is amended periodically to account for improvements in technology.
- Incorporate a notification procedure in the breach protocol in order to report breaches to the applicable Privacy Commissioner. Even in jurisdictions where such notification is not strictly required by law, it is prudent to notify the Privacy Commissioner (or affected individuals) of data breaches where such notification would help mitigate the harm arising from the breach.
- Ensure that all contracts with third parties include provisions that require the third party to immediately inform the organization of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
- Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or ‘anonymize’ all personal information after such information is no longer needed and no longer legally required to be retained.
- Undertake employee training initiatives to ensure familiarity and compliance with all privacy policies and practices.
For businesses looking to develop or update their privacy policies and procedures, the following guidelines may be of assistance:
- Build a security program that protects the confidentiality, integrity, and availability of all information, not just personal information.
- Develop classification standards so that personal and non-personal information, as well as sensitive and non-sensitive personal information, can be easily identified.
- Ensure that proper security controls are in place and conduct risk assessments of all personal information.
For more tips on how to prepare and respond to privacy breaches, see our article on responding to privacy breaches.