This issue of Dentons’ quarterly privacy litigation digest summarizes important privacy decisions, including: a British Columbia (BC) Court of Appeal decision where a class action certification decision was overturned because the proposed class failed to establish a reasonable expectation of privacy in their online profiles; a decision from the Ontario Superior Court of Justice which found “use” of personal information to include encryption of data and the “loss” of personal information to include temporary unavailability of data; and a Federal Court decision which distinguished between an organization collecting information and its counsel collecting information for litigation purposes, noting in particular that posts on social media to “private” groups do not prevent courts from finding they are public and admissible for the sake of a potential proceeding under the Personal Information Protection and Electronic Documents Act (PIPEDA).
In our previous issue, we reviewed a decision of the Alberta Court of King’s Bench to consider the constitutionality of Alberta’s private sector privacy legislation for the first time (now on appeal); a BC Court of Appeal decision about aggregate damages awards in privacy-related class actions without proof of consequential loss or harm; and a BC Supreme Court decision considering the admissibility and weight to be given to privacy regulators’ findings in the context of a certification application.
Recent key privacy decisions:
RateMDs Inc. v. Bleuler, 2025 BCCA 329
In this decision, the appellants, RateMDs Inc., VerticalScope Holdings Inc., and VerticalScope Inc., successfully appealed the chambers judge’s decision to certify the action brought on behalf of health professionals who had their profiles posted on RateMDs.com as a class proceeding, leading to the action’s dismissal. The website contains the names and contact information of health professionals, ratings and reviews posted by third parties, and a comparative ranking of health professionals providing similar services in a region. The respondent, a physician who practices medicine in BC and who allegedly found her profile on the website, commenced an action against the operators of the website for a statutory cause of action under section 1 (violation of privacy) and section 3(2) (unauthorized use of name or portrait of another) of the BC Privacy Act.
The BC Court of Appeal disagreed with the chambers judge’s finding that it was not plain and obvious that the respondent did not have a reasonable expectation of privacy over the information published on the website. Although the privacy torts were novel, the Court found that the claims had no prospect of success. No material facts pleaded by the respondent established that she and the class members had a reasonable expectation of privacy in the information posted on the website. Elaborating on the decision Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131 (which we discussed in our previous issue), the Court accepted that a reasonable expectation of privacy may include the right to exercise control over the use of personal information. However, the Court did not accept that Ari meant that the right to control the use of information could independently establish a violation of privacy without considering the sensitivity of the information at issue. Without a finding that the respondent had a reasonable expectation of privacy, the respondent was unable to establish her consequential right to control the use of her personal information. As a result, the Court did not find that the respondent disclosed a cause of action, failing the first requirement to certify a class proceeding under the Class Proceedings Act.
The BC Court of Appeal also found that the claim about the unauthorized use of her name was also bound to fail because no material facts were pleaded to establish that the appellants had commercially exploited the respondent’s identity to promote sales. Rather, the information published on the website is readily available online elsewhere, particularly through the website of their professional governing bodies, including the College of Physicians and Surgeons of British Columbia.
Hospital for Sick Children v. Ontario (Information and Privacy Commissioner), 2025 ONSC 5208
The Hospital for Sick Children (SickKids) and Halton Children’s Aid Society (Halton) applied for judicial review of the Information and Privacy Commissioner of Ontario’s (ON IPC) decisions that a ransomware attack, which temporarily denied hospital staff access to patient files containing personal information, constituted an “unauthorized use” and a “loss” of information pursuant to applicable laws.
In 2022, SickKids and Halton were targeted by separate ransomware attacks that prevented the viewing or access of patients’ personal information. Despite their obligations under the Personal Health Information Protection Act (PHIPA) and the Child, Youth and Family Services Act (CYFSA), the applicants provided courtesy notice to the ON IPC, and only SickKids provided public notice by an announcement on its website and social media. In finding that the incidents resulted in the unauthorized use and loss of personal information within the meaning of PHIPA and CYFSA, the ON IPC ordered Halton to post a notice on its website or issue a public release in compliance with the legislation. However, the ON IPC concluded that SickKids made appropriate public disclosure, even if the notice did not strictly comply with PHIPA’s obligation to include a statement about the right to complain to the ON IPC.
The Ontario Superior Court of Justice did not dismiss SickKids’ application as moot, despite the ON IPC’s arguments that it should be because a remedial order was never issued, but both judicial review applications and Halton’s appeal were dismissed on the merits due to the Court’s finding that there was an unauthorized use and loss of personal information that required notification pursuant to PHIPA and CYFSA.
Noble v. Synergy Credit Union Ltd., 2025 FC 1679
The individual applicant brought an application to the Federal Court under section 14 of PIPEDA, alleging, among other issues, that the respondent’s policies and practices were not compliant with PIPEDA’s Schedule 1 recommendations, the respondent misled the Office of the Privacy Commissioner of Canada (OPC) during its investigation, the respondent failed to implement corrective measures it agreed to after the OPC’s report, and the respondent continued to indiscriminately collected the applicant’s personal information. The Federal Court dismissed the application except to order the respondent to provide the applicant with specific records of her personal information as requested, including her chequing account number and balance, and a record of the applicant’s credit union membership.
The applicant was a former employee and a mortgagee of the respondent, and had a turbulent history with the respondent after she was dismissed from the company. The core issue the Federal Court examined was the applicant’s access request for the respondent to disclose her personal information where she asked for her employee file, her member file, her mortgage loan file and similarly related records, as well as audio recordings of her. The respondent had replied with some of requested records enclosed and offered explanations of those that could not be provided, but on the topic of audio recordings, answered that any electronic recordings were stored without a filing system and it effectively had no way of locating any such recordings.
A few months later, the applicant submitted her complaint to the OPC. The OPC’s report concluded that the respondent did initially fail to provide the applicant with a complete response to her access request, contrary to Principle 4.9 (Individual Access) of PIPEDA, and encouraged the respondent to provide the applicant better access to unreadable documents it had provided and implement procedures to itemize and identify audio recordings in its possession to facilitate retrieval upon request. The OPC had also found that the respondent had improperly collected the applicant’s information from a Facebook post speaking negatively about the respondent’s service fees because the group where it was posted was private. As a result, the collection of the post without the applicant’s consent violated Principle 4.4 (Limiting Collection) of PIPEDA. The respondent agreed to delete the Facebook post from the applicant’s employee file. On the issue of the respondent’s policies and practices, the OPC found the respondent failed to meet Principles 4.1 (Accountability) and 4.8 (Openness) of PIPEDA. After an external privacy audit during the OPC’s investigation, the respondent added a section to their privacy code addressing social media and committed to implement an itemized action plan with the OPC’s other corrective measures by the end of the year. The OPC advised the respondent that, based on the information it received after its report was issued, it was satisfied with the respondent’s actions to implement the corrective measures and closed the matter.
After reviewing the evidence, the Federal Court found that the applicant failed to prove that the respondent failed to diligently and honestly administer its affairs in compliance with PIPEDA. Since the OPC’s report, the respondent had implemented a recorded message advising callers that their calls would be recorded, added a section to their privacy code about social media, deleted all social media posts it had already collected, developed a Privacy Policy, and implemented employee training on PIPEDA obligations and a destruction and retention program.
The Federal Court also found that the applicant failed to show the respondent had continued to indiscriminately collect her personal information and establish that the respondent had misled the OPC by retaining her Facebook post. While the post was properly deleted from her employee file as agreed to, PIPEDA allows for the collection of information for the application of civil or criminal liability by counsel. Since respondent’s counsel had collected the information for a defamatory action against the applicant, the Federal Court did not find this collection of information to be contrary to the respondent’s representations to the OPC. Additionally, the Federal Court agreed with the respondent’s position that the post was not private since the Facebook group had about 20,000 members and was therefore public.
In response to the applicant’s complaint of not receiving records as represented by the respondent, the respondent agreed to provide the applicant with the specific records she was missing, provided they existed.
Key takeaways
- A plaintiff’s reasonable expectation of privacy must be established before a right to control personal information under the Privacy Act. In RateMDs Inc., the respondent failed to plead material facts that demonstrated that she had a reasonable expectation of privacy, which meant she had no ability to establish her right to control the use of her personal information. This decision goes against the trend of the BC Court of Appeal certifying privacy class actions and provides more insight into the elements required for certification before such applications can be granted – how it is not simply the nature of personal information that is relevant, but the context in which the information was disclosed.
- Encryption of information is considered “use” of personal information, and temporary unavailability or inaccessibility is considered “loss” of personal information. Hospital for Sick Kids demonstrates the Ontario courts’ purposive approach in interpreting notification obligations for privacy breaches under the PHIPA and CYFSA. While recognizing the potential for “notification fatigue,” the interpretation around the “use” and “loss” of personal information remains broad enough to recognize individuals’ continuing interest in their personal information, focusing on transparency and accountability of information custodians rather than the risk of harm.
- Courts continue to favour disclosure in court proceedings and ongoing PIPEDA compliance is required. Posts on social media to “private” groups do not prevent courts from finding they are public and admissible for the sake of a potential proceeding under the “except where appropriate” exception of the collection of information under section 7 of PIPEDA. The Federal Court in Noble distinguishes between an organization collecting information and its counsel collecting information for litigation purposes.
For more information, please contact the authors Kelly Osaka, Emma Irving, and Emily Zheng.
