In a recent ruling in a proposed privacy class action, the Supreme Court of British Columbia struck out the plaintiff’s claim that the Insurance Corporation of British Columbia negligently failed to protect personal information in accordance with provincial privacy legislation. The Court’s analysis may have broader implications for the viability of privacy class actions across Canada.
No Tort of Negligent Breach of Privacy Statute
In Ari v. Insurance Corporation of British Columbia,1 the plaintiff alleged that an employee of the defendant breached common law and statutory rights to privacy by accessing for an improper purpose the personal information held by the ICBC. The claim alleged that many in the proposed class of plaintiffs whose information was improperly accessed were then victims of shootings, arson and other property damage. The plaintiffs sought to hold the ICBC vicariously liable for its employee’s misconduct.
The plaintiff claimed that ICBC negligently failed to protect personal information as required under the Freedom of Information and Protection of Privacy Act (FIPPA). The Act requires public bodies to make reasonable security arrangements to protect against unauthorized access, collection, use, disclosure or disposal of personal information in their custody or control.
The B.C. Court struck out the negligence claim for failing to disclose a cause of action, citing the Supreme Court of Canada’s rulings in R. v. Saskatchewan Wheat Pool2 and Holland v. Saskatchewan3 that held there is no nominate tort of breach of statute and that policy decisions concerning the actions to be taken to comply with legislation are not actionable. The Court rejected the plaintiff’s position that his claim was based on ICBC’s operational, not policy, decisions implementing the requirements of the Act.
Implications for Privacy Class Actions Across Canada
The analysis in Ari may prove helpful to defendants facing privacy class actions in other jurisdictions. Privacy class actions have been proliferating in jurisdictions across Canada in recent years. So too have complaints to the Office of the Privacy Commissioner of Canada in respect of compliance with the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). If the claim of a proposed class is based on statutory duties set out in PIPEDA or provincial privacy legislation, defendants may seek to strike those claims for disclosing no cause of action, as was done in Ari. If this can be done at an early stage of class proceedings, defendants can avoid the time, expense and inconvenience of further proceedings leading up to certification.
No Common Law Tort of Breach of Privacy in B.C.
Consistent with earlier B.C. jurisprudence, the Court also held that despite the recognition of a common law invasion of privacy tort in Ontario and Nova Scotia, the "clear status of the law in British Columbia [is] that the tort for invasion of privacy does not exist." As in the Ontario case of Jones v. Tsige,4 this decision may prompt the British Columbia Court of Appeal to consider whether it is time "to confirm the existence of a right of action for intrusion upon seclusion" in addition to statutory claims that are available in B.C.
The Ari case does not end with this ruling. The Court did not strike other claims, which will proceed, including the plaintiffs’ vicarious liability claim against ICBC in respect of its employee’s alleged breach under FIPPA.
1 2013 BCSC 1308 [Ari].
3 2008 SCC 42.
4 2012 ONCA 32, para. 65.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2020 by Torys LLP.
All rights reserved.