In this installment of Dentons’ quarterly privacy litigation digest, we review recent key privacy decisions, including: a decision of the Alberta Court of King’s Bench considering, for the first time, the constitutionality of the “publicly available” provision in Alberta’s private sector privacy legislation; a BC Court of Appeal decision regarding aggregate damages awards in privacy-related class actions without proof of consequential loss or harm; and a decision of the BC Supreme Court considering the admissibility and weight to be given to the findings of privacy regulators in the context of a class action certification.

In our previous issue, we canvassed privacy litigation trends including: the requirement for actual “intrusion” to make out a claim of intrusion upon seclusion; BC case law finding that the province’s private sector privacy legislation, does not violate s. 2(a) of the Canadian Charter of Rights and Freedoms by requiring religious organizations to provide an individual’s personal information that is in their control upon request; and another BC case holding that banks and other institutions that use customers’ personal information for legitimate business purposes are not in breach of BC’s privacy laws.

Recent key privacy decisions:

  • Clearview AI Inc v. Alberta (Information and Privacy Commissioner), 2025 ABKB 287: Clearview AI Inc (Clearview) is a US company that offers its facial recognition software and database to customers. In a joint report, the privacy commissioners of Alberta, British Columbia, Québec and Canada found that Clearview’s practice of “scraping” images from the internet breached privacy laws in each jurisdiction, including Alberta’s Personal Information Protection Act (PIPA). PIPA and the regulation thereunder (the PIPA Regulation) includes an exception to the general rule that an organization must obtain consent to collect, use and disclose personal information if that information is “publicly available,” as that term is defined in the PIPA Regulation. However, the Alberta Office of the Information and Privacy Commissioner (OIPC) concluded that information posted online was not included in the definition of “publicly available.” Since Clearview did not obtain consent for its collection and use of online information, the OIPC found Clearview had breached PIPA. The OIPC ordered Clearview to, among other things, cease offering the facial recognition services to clients in Alberta and delete images and biometric information that was collected from individuals in Alberta (the Order).

    Clearview applied for judicial review of the Order, arguing that the OIPC’s interpretation of “publicly available” in PIPA and the PIPA Regulation was unreasonable, and violated s. 2(b) of the Charter (freedom of expression) because it amounts to a complete prohibition on the collection, use and disclosure of personal information that is publicly available on the internet even for reasonable purposes. The Alberta Court of King’s Bench found that based on the statutory language of PIPA and the PIPA Regulation, the OIPC’s interpretation of “publicly available” was reasonable.

    The Court found that Clearview’s practices, including scraping the internet, constituted expressive activity that was unjustifiably limited by PIPA. The Court determined the appropriate remedy was to amend the PIPA Regulation, such that the use of information and images posted to the internet (without otherwise being subject to privacy settings) no longer requires consent.  

    However, the Court concluded that Clearview did not have a reasonable purpose for collecting, using, and disclosing the online personal information as required under PIPA. Therefore, notwithstanding the Court’s declaration on the unconstitutionality of certain provisions of PIPA and the PIPA Regulation, Clearview’s application to quash the Order was dismissed. See Dentons’ blog analyzing this decision here.
  • Insurance Corporation of British Columbia v. Ari, 2025 BCCA 131: In this decision, the BC Court of Appeal upheld a damages award of CA$15,000 per class member without proof of consequential loss or harm for breach of privacy under the BC Privacy Act. The underlying class action arose after an employee of the Insurance Corporation of British Columbia (ICBC) accessed and disclosed the private information certain policy holders without authorization.

    ICBC was found vicariously liable for its employee’s breach of privacy of ICBC customers under the Privacy Act (2022 BCSC 1475, aff’d 2023 BCCA 331, the Liability Judgment). In the Liability Judgment, the trial judge ruled that general damages could be awarded against ICBC on a class-wide (aggregate) basis; however, did not fix the amount of the damages. This was determined in a subsequent decision (2024 BCSC 964, the Damages Judgment) that considered section 1 of the Privacy Act, which creates an intentional tort that is actionable without proof of damages. In the Damages Judgment, the plaintiff sought an aggregate damages award of CA$25,000 per class member. ICBC argued that aggregate damages should be limited to a nominal amount of CA$500 per class member for the “mere fact their privacy was violated.” The BC Supreme Court concluded in the Damages Judgment that ICBC’s position would “trivialize” the privacy interest that was violated, was inadequate to serve the public purpose of the Privacy Act—encouraging persons to respect the privacy of others—and would render section 1 of the Privacy Act meaningless. The Court ordered an award of CA$15,000 per class member.

    On appeal from the Damages Judgment, the BC Court of Appeal upheld the award, finding that general damages may be awarded without proof of consequential loss where the seriousness of the violation of the right calls out for vindication, deterrence and compensation for harm to the plaintiff’s intangible interests. The Court concluded this is particularly so in the case of privacy, because when privacy rights are violated there is a harm to the plaintiff’s privacy interest, even if the plaintiff is never aware of it.
  • Cleaver v. The Cadillac Fairview Corporation Limited, 2025 BCSC 910: This claim arose from a pilot project in which some Cadillac Fairview malls used cameras in wayfinding directories to anonymously count the number of visitors and estimate rough gender and age ranges. Following the end of the pilot project, the privacy commissioners of Canada, Alberta and BC launched a joint investigation into the project, which concluded that despite evidence of the anonymous nature of the information processing, Cadillac Fairview was responsible for creating over 5 million unique biometric identifiers without notice or consent, contrary to private sector privacy legislation.The plaintiffs commenced a proposed class action alleging that Cadillac Fairview secretly mined biometric data from visitors to their malls, thus breaching their privacy rights. The plaintiffs advanced claims for intrusion upon seclusion, statutory privacy causes of action, negligence and breach of Québec law.

    The Court dismissed the certification application, finding that there was no identifiable class (sufficient alone to dispose of the application) and that most of the causes of action were bound to fail. Additionally, the Court found no basis in fact for the allegation that Cadillac Fairview had created unique biometric identifiers (i.e. collected or used any personal information). The Court found that the privacy commissioners’ report was admissible, but not for the truth of its contents. As a consequence, since the plaintiff’s expert essentially reiterated the privacy commissioners’ report, it’s the Court determined that it would be an error to indirectly accept the truth of the privacy commissioners’ report contents by relying on an expert opinion that is based on them. Therefore, the only evidence before the Court on this point was that of Cadillac Fairview’s expert, who concluded that the pilot project had not created or collected biometric or personal information. Finally, the Court found a class proceeding was not the preferable procedure. See Dentons’ blog analyzing this decision here.

Key takeaways

  1. Courts are not limited to awarding nominal damages for breach of privacy under the BC Privacy Act without proof of consequential loss or harm. In Ari, the BC Court of Appeal upheld an aggregate damages award of CA$15,000 per class member without proof of loss or harm under the provisions of the BC Privacy Act. The Court of Appeal found that the damages were justified because they serve to deter and compensate for the loss of privacy itself. The decision is significant for jurisdictions such as BC that have statutory torts for breach of privacy by suggesting that a potential class-wide damages award will not be limited to a nominal amount, particularly where the privacy breach is intentional. The decision also highlights the risk to companies that collect and store personal information of being found vicariously liable for the deliberate wrongful acts of employees who access such information for improper purposes.
  2. Alberta court finds that information posted online without privacy settings can be used by organizations without first seeking consent, provided such use is reasonable. In Clearview, the Alberta Court of King’s Bench found that certain provisions under Alberta’s private sector privacy law infringe the right to freedom of expression under s. 2(b) of the Charter, because they required organizations to obtain consent prior to the use of “publicly available” information posted online. The Court struck down the provision to remove the consent requirement. This decision will have implications outside Alberta, since federal and BC privacy legislation have similar (but not identical) provisions. Although consent is no longer required, at least in Alberta, for organizations to use information that is “publicly available” online, the purpose of such use must still be “reasonable.”
  3. The findings of a privacy regulator are not admissible in court for the truth of their contents, and cannot, without more, provide the factual foundation for a privacy-related class action. In the Cleaver decision,the BC Supreme Court dismissed a certification application in a proposed class action alleging that a pilot project in mall directories had used “facial recognition” technology that violated visitors’ privacy rights. Despite a joint report by the privacy commissioners of Canada, BC and Alberta finding that the defendant had created unique biometric identifiers without notice or consent, contrary to private sector privacy legislation, the plaintiffs failed to establish some basis in fact that the defendant had done so before the Court. This decision is important because it establishes that the findings of a privacy regulator alone are not sufficient to meet the test to certify a privacy class action.

For more information, please contact the authors, Kelly Osaka and Kathryn Gullason.

Print Friendly, PDF & Email
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Kelly Osaka

About Kelly Osaka

Kelly is co-leader of both the Litigation and Dispute Resolution group in Calgary and the Privacy and Cybersecurity subgroup, she is also a member of the Privacy and Cybersecurity group. An experienced commercial litigator, Kelly has particular expertise in class action defence, shareholder disputes, cyber breach coaching, cyber risk analysis, governance best practices, professional negligence, and regulatory investigations.

Full bio

Kathryn Gullason

About Kathryn Gullason

Kathryn Gullason (She/Her/Hers) is a research associate in the Litigation & Dispute Resolution group at Dentons. She supports the Firm’s lawyers and clients, researching complex legal issues, preparing opinions for clients, developing submissions for court and other proceedings, tracking legal developments in the Firm’s key practice areas and drafting legal insights.

Full bio

RELATED POSTS