In this installment of our class action series, we explore trends in Canadian privacy class actions and point out similarities and differences in the approaches taken in the United States and Canada in these types of lawsuits.
Canadian privacy class actions have been on the rise for the last decade, emerging from a wealth of new technologies, novel business practices, new legislation and common law torts, and an ever-growing body of jurisprudence south of the border. In both Canada and the U.S., privacy class actions largely fall into three categories:
claims that challenge a corporation’s business practices (e.g., cookies, targeted advertising);
claims that arise from accidental breaches (e.g., lost storage devices); and
claims relating to intentional, targeted misconduct (e.g., hacking, employee snooping).
In all categories, the size of the classes and the quantum of damages claimed tend to be large—actions involving approximately 1 million consumers and seeking $1 billion in damages are not uncommon. Importantly however, most cases settle for a fraction of the compensation sought. Generally, plaintiffs must establish some evidence of actual harm and may not simply seek damages for mere fear of identity theft, although no decisions have yet tested the line between harm and mere fear in a trial on the merits.1 Although moral damages for humiliation or anxiety arising from privacy violations are sometimes awarded, they are nominal—in the range of $2,000–$20,000 per claim.
Canadian privacy class actions challenging business models and practices relating to the handling of personal information are frequently commenced but the jurisprudence in this area is limited: although courts are increasingly willing to find privacy claims that meet the low bar for certification, few proceedings to date have been decided on their merits.2
Online services or products that actively encourage users to provide, use and share personal information—notably social media companies—are particularly exposed to this type of claim. Other recent examples of privacy class actions related to business practices include the unauthorized collection of intimate data related to the use of sexual aid products,3 unauthorized access to client financial information by an insurance company,4 and Google’s collection of cellular location data without user consent and even when location services were disabled.5
Recently, a class action was commenced against We-Vibe (operating as Standard Innovation Corporation). The Statement of Claim alleges that highly intimate and sensitive user data related to the company’s sexual aid products was collected, used, and stored without consent.7 In 2017, a settlement was reached in the U.S. related to the same complaint for approximately US$3.75 million.8
Between 2007 and 2010, Google Street View allegedly collected snippets of electronic data sent or received through an unsecured wireless network while scanning these networks to verify the location of Street View cars. In May 2018, the Superior Court of Québec approved a $1 million settlement in this case, the majority of which was intended to fund a research project at the University of Ottawa and the University of Montréal related to internet data protection and privacy.9 A similar class action commenced in the U.S. in 2010 and as of June 2018, the parties were reported to have reached a preliminary settlement that is rumoured to include donations to non-profit organizations; however, a settlement amount was not publicly provided.10
From misplacing a hard drive to the inadvertent transmission of customer information, accidental privacy breaches and related class actions often result from mishaps by employees or contractors.11 These claims frequently allege negligence, intentional torts of invasion of privacy, failure to meet institutional and industry security standards, and test the scope of employers’ vicarious liability for the conduct of personnel.
In both Canada and the U.S., mishap privacy class actions are less common than those falling into the other two categories. One recent Canadian example involves the disclosure of personal health information of prospective participants in a research study, including information that identified these individuals as HIV-positive.12 The information was disclosed because the organization failed to send study recruitment materials in a secure manner to protect the privacy of the recipients.
Privacy breaches and accompanying class proceedings also follow intentional activity such as the theft of devices or files containing personal information, third-party breaches into databases containing private and confidential information, the sale of contact information to third parties, and employee snooping for personal or romantic reasons.13 Many recent privacy class actions have arisen from intrusions into the computer systems of social media giants such as Facebook,14 web service providers such as Yahoo,15 financial institutions, credit reporting agencies such as Equifax,16 and high-profile retailers such as Walmart and the Home Depot.17
Canadian courts appear to be conscious of the proliferation of privacy class actions and the need to distinguish spurious claims from those in which class members suffered actual harm.
The 2016 Ontario decision approving the settlement in the Home Depot payment system breach provides guidance to companies on breach response techniques that will minimize litigation risks. Following the discovery of malware on its in-store payment systems in 2014, the Home Depot promptly issued press releases, notified customers by email, publicly apologized, and offered credit monitoring and identity theft insurance without requiring proof of loss or card compromise. The Ontario court, approving the settlement of the class action that followed the breach, noted the “responsible, prompt, generous and exemplary” response of the Home Depot to the criminal acts and indicated that the class action members’ likelihood of success in terms of proving liability or consequent damages was “in the range of negligible to remote.” Although made in the context of a settlement approval rather than a hearing on the merits, this case suggests Canadian courts are conscious of the proliferation of privacy class actions and the need to distinguish spurious claims from those in which class members suffered actual harm.
In contrast, in the U.S., consumer claims arising out of the same incident settled for up to $13 million plus the cost of credit monitoring services for victims of the breach and implementation of security practice changes.18 Additionally, U.S. financial institutions brought a class action against the Home Depot for the costs of issuing credit cards and reimbursements for fraudulent charges to victims of the breach. In 2017, this claim settled for $25 million.19
A recent British Columbia decision sheds light on what plaintiffs are required to prove in terms of damages in privacy class action lawsuits. The Supreme Court of British Columbia recently certified a class action against a trust company for inadequately securing client personal information.20 The trust company experienced a system breach by cybercriminals who used the personal information to contact individuals through text messages purporting to be from the defendant trust company.21 The class in this case alleged the text messages were attempts at “phishing,” and sought damages for mental distress, among other forms of damages. The Court commented that the mental distress alleged by the plaintiff did not rise to the level of “serious and prolonged and […] above the ordinary annoyances” referred to in Supreme Court of Canada case Mustapha,22 and that “inconvenience, frustration and anxiety are part of normal life.”23
According to a recent U.S. law report, the trend in terms of finding standing in privacy class actions is favourable towards plaintiffs.24 This trend holds true even where consumers do not suffer economic loss or experience identity theft and despite the U.S. Supreme Court’s ruling in Spokeo in 2016 that plaintiffs must show “injury-in-fact” that is “concrete” and “particularized.”25 This trend has been attributed to both the increased incidence of larger and more frequent breaches that would otherwise leave many without legal recourse, as well as to evolving notions of harm to include property violations.26 These observations were made at the stage of a motion to dismiss, and therefore, like in Canada, there is currently little insight into how courts will view the nature of damages in a decision on the merits.
Additional Cross-Border Comments
Compared to Canada, many more privacy class actions are commenced in the U.S. due to a more litigious climate and higher population. Canadian class actions are growing in number, but Canada is still developing its statutory causes of actions related to misuses of technology, while the data breach privacy class actions in the U.S. are largely founded on statutes such as the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. Unlike the U.S., Canada has an expansive federal regulatory regime—the Personal Information Protection and Electronic Documents Act, which provides a simple administrative procedure for complaints and remedies, arguably making class actions less preferable. The European Union (EU) General Data Protection Regulation (GDPR), which purports to extend to organizations based outside the EU that offer goods or services to individuals in the EU or to those who engage in practices that monitor online behaviour of individuals in the EU, may impact privacy litigation and force business to modify their practices in the U.S. and Canada.
1Larose v. Banque Nationale de Canada, 2010 QCCS 5385.
2 See e.g., Douez v. Facebook, Inc., 2014 BCSC 953 (certification), 2017 SCC 33 (holding forum selection clause unenforceable); 2018 BCCA 186 (appeal from certification); Albilia v. Apple Inc., 2013 QCCS 2805; Union des Consommateursc. Bell Canada, 2011 QCCS 1118; Latham v. Facebook et al., Ontario Superior Court of Justice, Court File No. CV-14-501879 (2014); Tocco et al. v. Bell Mobility, Ontario Superior Court of Justice, Court File No. CV-15-00022122 (2015).
3L.S. and M.C. v. Standard Innovation Corporation, Ontario Superior Court of Justice, Court File No. 17-72314-e (2017).
4Haikola v. The Personal Insurance Company and Desjardins General Insurance Group Inc., Federal Court, Court File No. T-382-18 (2018).
5Warner v. Google LLC, Supreme Court of British Columbia, Court File No. VLC-S-S-1711066 (2017).
6 See e.g., Haikola v. The Personal Insurance Company and Desjardins General Insurance Group Inc., Federal Court, Court File No. T-382-18 (2018); Warner v. Google LLC, Supreme Court of British Columbia, Court File No. VLC-S-S-1711066 (2017); L.S. and M.C. v. Standard Innovation Corporation, Ontario Superior Court of Justice, Court File No. 17-72314-e (2017); Benmouffok, et al. v. Life Insurance Company Manufacturers, et al., Ontario Superior Court of Justice, Court File No. 17073294 CP (2017); Silvestri v. Facebook, Inc., No. C10-00429 (N.D. Cal. 2010).
7L.S. and M.C. v. Standard Innovation Corporation, Ontario Superior Court of Justice, Court File No. 17-72314-e (2017).
8 Christina Davis, “Vibrator Maker Will Pay $3.75M to Settle Privacy Class Action”, (2017) Top Class Actions, online: <https://topclassactions.com/lawsuit-settlements/lawsuit-news/534274-vibrator-maker-pay-3-75m-settle-privacy-class-action/>.
9Elkoby v. Google Canada Corp. and Google Inc., Quebec Superior Court, Court File No. 500-06-000567-111 (2018) (judgment approving settlement).
10 See re Google LLC Street View Electronic Communications Litigation, No. 3:10-md-02184-CRB (N.D. Ca. Jun. 15, 2018) (joint motion for administrative relief to file under seal). Wendy Davis, “Google Likely to Resolve WiFi Snooping Case With Nonprofit Donations” (2018) Digital News Daily, online: <https://www.mediapost.com/publications/article/320928/google-likely-to-resolve-wifi-snooping-case-with-n.html>.
11 See e.g., M.M. v. Lanark, Leeds and Grenville Children’s Aid Society, 2017 ONSC 7665; MacEachern v. Ford Motor Company of Canada, Ltd. and John Doe Corporation, Ontario Superior Court of Justice, Court File No. CV-13-18955-CP (2013); Waters v. DaimlerChrysler Services Canada Inc., 2009 SKQB 263; Belley v. TD Auto Finance Services Inc., 2015 QCCS 168; Rowlands v. Durham Region Health, 2011 ONSC 719 (certification), 2012 ONSC 3948 (settlement approval); Condon v. Canada, 2014 FC 250; Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061.
12John Doe 1 v. The University of British Columbia, Supreme Court of British Columbia, Court File No. S177329 (2017).
13 See e.g., Daniells v McLellan, 2017 ONSC 3466 (certification); Evans v. The Bank of Nova Scotia, 2014 ONSC 2135; Jones v. Tsige, 2012 ONCA 32.
14Steven Chamberlain v. Facebook, Inc. and Facebook Canada Inc., Ontario Superior Court of Justice, Court File No. CV-18-598747009 (2018).
15 See e.g., Demers v. Yahoo! Inc. and Yahoo! Canada Co., Québec Superior Court, Court File No. 500-06-000842-175 (2017); Natalia Karasik v. Yahoo! Inc. and Yahoo! Canada Co., Ontario Superior Court of Justice, Court File No. CV-16-566248-00CP (2017).
16Temple v. Equifax, Inc. and Equifax Canada Co., Supreme Court of British Columbia, Court File No. VLC-S-S-180347 (2018); Agnew Americano v. Equifax Canada Co. and Equifax, Inc., Ontario Superior Court of Justice, Court File No. CV-17-00582551-00CP (2017); Robert Dwight Johnson v. Equifax, Inc. and Equifax Canada Co., Court of Queen’s Bench for Saskatchewan, Court File No. QBG 2290 of 2017; Daniel Li c. Equifax, Inc. et Equifax Canada Co., Québec Superior Court, Court File No. 500-06-000885-174 (2017).
17Drew v. Walmart Canada Inc., 2016 ONSC 8067 (certification for settlement purposes), 2017 ONSC 3308 (judgment approving settlement); Maksimovic v. Sony of Canada Ltd., 2013 ONSC 4604; Theriault v. The Home Depot et al., Québec Superior Court, Court File N0. 500-06-000711-149 (2014); Lozanski v. The Home Depot et al., Ontario Superior Court of Justice, Court File No. CV-14-512624-00CP (2014).
18 Order Granting Final Approval of Class Action Settlement and Final Judgment, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260 (adopting settlement agreement, ECF No. 181-2).
19 See Final Order and Judgment at 3–6, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017), ECF No. 343 (adopting settlement agreement, ECF No. 327-3).
20Tucci v. Peoples Trust Company, 2017 BCSC 1525.
22Mustapha v. Culligan of Canada Ltd., 2008 SCC 27,  2 SCR 114 at para 9.
23Tucci v. Peoples Trust Company, 2017 BCSC 1525 at para 198.
24 Travis LeBlanc & John R Knight, “A Wake-Up Call: Data Breach Standing is Getting Easier” (2018) 4:1 The Cybersecurity Law Report 1.
25Spokeo, Inc. v. Robins, (2016) 136 S. Ct. 1540 (Supreme Court).
26 Travis LeBlanc & John R Knight, “A Wake-Up Call: Data Breach Standing is Getting Easier” (2018) 4:1 The Cybersecurity Law Report 1.