Recently, my colleague Sean Griffin canvassed the decision Evans v Bank of Nova Scotia (“Evans”) wherein the Ontario Supreme Court certified a class action proceeding for allegations concerning a breach of privacy rights through the tort of intrusion upon seclusion first set out in Jones v Tsige (“Jones”). See his blog here.
Evans has set a precedent for the low bar of certification in class actions concerning breaches of information privacy. In this blog, we will canvass the implications the Evans decision on organizations in various provisions and how organization can mitigate the risks of a class action privacy breach.
Low Threshold For Class Action Certification
The availability of the tort of intrusion upon seclusion as a class action matter should concern companies given the generally low threshold for class action certification. Furthermore, as discussed in a previous blog, the Jones test does not require proof of damage, increasing the likelihood that the common law tort of intrusion upon seclusion could be a basis of action in certain provinces.
Tort Of Intrusion Upon Seclusion Not Available In All Provinces
(a) British Columbia
The common law tort of inclusion upon seclusion per Jones is not recognized in all Canadian provinces. For instance, the Supreme Court of British Columbia held in Demcak v Vo that there is no common law tort of invasion of privacy. Instead, BC, along with four other provinces, has a statutory tort for the invasion of privacy. While the BC statutory provisions outlining this tort are similar to those elements in Jones, it is possible that the statutory cause of action will preclude the common law tort.
Despite the fact that the tort of inclusion upon seclusion is not available in British Columbia, the Supreme Court of British Columbia has recently certified a class action against Facebook regarding alleged violations of the British Columbia Privacy Act, with a massive estimated class of 1.8 million people. For more information about this case, you can read our blog here.
In Martin v General Teamsters, Local Union No 362, 2011 ABQB 412, the Alberta Court of Queen’s Bench rejected the common law tort of invasion of privacy even though there is no statutory equivalent in Alberta; rather, the court held that if any damages could be awarded for invasion of privacy, the only recourse is under the Personal Information Protection Act after the Privacy Commissioner finds that there was a breach of privacy
As Sharpe JA noted in Jones, “The question of whether the common law should recognize a cause of action in tort for invasion of privacy has been debated for the past one hundred and twenty years.”
The debate in Canada is clearly far from over, and it will be interesting to see whether other jurisdictions adopt a common law cause of action and allow certifications of class proceedings (as in Ontario), enact a statutory cause of action and allow certifications under the statutory regime (as in BC), or both.
Tips for Businesses
The recent certification of privacy class actions demonstrates the need for organizations to be diligent in guarding against privacy breaches and obtaining consent. Here are some guidelines that may assist businesses in protecting data containing personal information and limit privacy liability:
- Develop a breach protocol that is amended periodically to account for improvements in technology.
- Incorporate a notification procedure in the breach protocol in order to report breaches to the applicable Privacy Commissioner. Even in jurisdictions where such notification is not strictly required by law, it may be advisable to notify the Privacy Commissioner (or affected individuals) of data breaches where such notification to Privacy Commissioners or individuals would help mitigate the harm arising from the breach.
- Ensure that all contracts with third parties include provisions that require the third party contractor to immediately inform the organization of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
- Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or ‘anonymize’ all personal information once it is no longer needed or legally required to be retained.
- Undertake employee training initiatives to ensure familiarity and compliance with all policies and practices.
For businesses looking to develop policies and procedures, the following guidelines may be of assistance:
- Build a security program that protects the confidentiality, integrity, and availability of all information, not just personal information.
- Develop classification standards so that personal and non-personal information, as well as, sensitive and non-sensitive personal information can be easily identified.
- Ensure that proper security controls are in place and conduct risk assessments of all personal information.