Dentons Commercial Litigation Blog

Latest trends and developments in commercial litigation.

Proposed privacy class action fails (again) to meet test for intrusion upon seclusion

By Neil Rabinovitch, Kelly Osaka, and Chloe Snider
February 20, 2024
  • Class Action
  • Privacy and Cybersecurity

A recent decision of the Court of Appeal for Ontario upholding a decision denying certification of a data breach class action continues the trend of proposed privacy actions failing to cross the preliminary certification hurdle.

Background

In Del Giudice v. Thompson, 2024 ONCA 70, the Court of Appeal upheld the motion judge’s decision striking out the claim without leave to amend and dismissing the certification motion against the defendant financial institution and defendant online wholesaler. In this case, an employee of the online wholesaler, which provided services to the financial institution, allegedly hacked into a database containing personal and financial information collected by the financial institution from credit card applicants and stored in a cloud server. The alleged data breach impacted over 106 million people, including 6 million Canadians. The plaintiffs commenced a proposed class action against the former employee, the financial institution and the online wholesaler.

The Fresh as Amended Statement of Claim, which pleaded 19 (yes, 19) causes of action, was struck by the motion judge without leave to amend on the basis that: (1) it “egregiously” contravened the rules of pleading; (2) it failed to plead any viable causes of action against the Defendants; and (3) the amendments to the statement of claim made after the carriage motion transformed a proposed data breach class proceeding into a CA$240 billion action for data misappropriation and misuse.

Court of Appeal

On appeal, the plaintiffs argued that the motion judge erred in the following:

  1. Relying on unsworn documents in determining whether there was a reasonable cause of action;
  2. Determining that the pleadings did not support any reasonable cause of action; and
  3. Striking out 78 paragraphs of the statement of claim without leave to amend.

1. Reliance on unsworn documents

The appellants argued that the motion judge erred in relying on unsworn statements because the defendants’ document brief contained four documents, including a privacy policy and credit card agreement, that the defendants argued were incorporated by reference into the claim. The Court of Appeal rejected the appellants’ argument, relying on established case law that a document incorporated by reference in a pleading is not evidence (it is part of the pleading) and that a judge considering an incorporated document is not making findings of fact in relying upon such documents as part of the assessment of the pleading. A claim is deemed to include any document to which it refers and that forms an integral part of a plaintiff’s claim.

The appellants also argued that the documents were not incorporated by reference because they were not “central enough to the claim to form an essential element or an integral part of the claim” since the documents referred to contracts and the plaintiffs had pleaded breach of contract in the alternative. The Court of Appeal disagreed. Whether the documents were integral to the claim is assessed objectively and not according to the plaintiffs’ intentions. Theories of liability pleaded in the alternative (such as the plaintiffs’ alternative claim for breach of contract) are relevant to the analysis.

2. Pleadings did not disclose a viable cause of action

The Court of Appeal upheld the finding that the pleadings did not disclose a viable cause of action. The 19 causes of action were grouped into two categories: data misuse and data breach.

i. Data misuse

Just after the motion judge’s ruling, the Court of Appeal released a trilogy of judgments in Owsianik v. Equifax Canada Co., 2022 ONCA 813, Obodo v. Trans Union of Canada Inc., 2022 ONCA 814 and Winder v. Marriott International, Inc., 2022 ONCA 815, which we have written about previously. This trilogy established that a hack by a third party does not constitute intrusion upon seclusion by the database operator. The Court of Appeal relied on the trilogy in this case, finding that any allegation of improper retention, mistakes in safeguarding information or the misuse of that information did not satisfy the key element of intrusion upon seclusion: that the conduct is of a highly offensive nature, causing distress, humiliation, or anguish to a reasonable person. Even if the parties could succeed in arguing that there was a lack of consent to the aggregation and sale of financial information, this was not highly offensive.

The appellants relied on several other torts, including misappropriation of personality, conversion, breach of fiduciary duty and breach of confidence. The Court of Appeal held that they were not viable causes of action based on the facts alleged.

ii. Data breach

The court also found that there was no viable claim in negligence. Most of the class members only suffered the risk of future loss from the risk of future identity theft and fraud. The court held that there is no right to be free from the prospect of damage, only a right not to suffer damage that results from exposure to unreasonable risk. Further, feelings of upset, disgust, anxiety, agitation or mere psychological upset that do not cause a serious and prolonged injury and that do not rise above the ordinary annoyances, anxieties and fears that people routinely experience are not recognized as compensable harms.

The court rejected the appellants’ assertion that it was required to accept as true the pleading that 6 million class members had suffered pecuniary loss from identity theft and fraud, repeating that on a pleadings motion, “a motion judge is not required to accept as true bald pleadings that are patently ridiculous in their scope and not supported by material facts.”

The court also rejected the claim for pure economic loss. There was insufficient proximity under the branch of negligent performance of a service, as the appellants alleged. The appellants’ pleadings failed to provide facts supporting the allegation that the defendants performed a service for their data; they only alleged that it offered the plaintiffs credit services.

The appellants attempted to rely on statutory causes of action from various privacy statutes. The court also found that these did not disclose viable causes of action. First, only the Privacy Act provided a civil cause of action, which required the defendant to “wilfully…violate the privacy of another” to establish liability. The appellants failed to plead that the respondents were wilful and instead relied on the failure to safeguard data recklessly or negligently.

3. Striking out the claims without leave to amend

The court deferred to the motion judge’s decision not to grant leave to amend and dismissed the appeal. The motion judge’s decision to strike out a pleading under r. 25.11 without leave to amend is discretionary and should not be interfered with on appeal unless the motion judge erred in principle, misapprehended or failed to take account of material evidence, or reached an unreasonable conclusion. None of those grounds applied. The appellants were given ample opportunity to advance a viable claim and could not.

Key takeaways

  1. This decision limits the claims available in data breach cases where a data collector or database operator has been the subject of breach by another person and has not itself intentionally misused the information collected (say, for example, for its own marketing purposes). Organizations that collect or hold data and fail to prevent hackers are generally not intruders for the purpose of the tort of intrusion upon seclusion. A breach of confidence may only be alleged if the data collected is used for unauthorized purposes, not simply that an unauthorized person accessed it through a data breach.
  2. There are challenges in claiming negligence in privacy breaches where there is no known fraud or identity theft. Parties must show compensable harm from real damages as opposed to the risk of future harm – and also plead such harm in a specific way at the claim stage.
  3. Where a document is referenced in a claim, it can form part of the record on a pleadings motion. Documents referenced in a pleading do not need to be proven through sworn statements as they form part of the pleadings.

For more information on this topic, please contact the authors Neil Rabinovitch, Kelly Osaka and Chloe Snider.

A special thanks to Birpal Benipal, articling student, for his assistance with this article.

About Neil Rabinovitch

Neil Rabinovitch is a member of the Litigation and Dispute Resolution group of Dentons’ Toronto office. His practice focuses on commercial litigation and insolvency with an emphasis on class action defence, product liability defence, cross-border restructurings, shareholder disputes, franchising, mortgage remedies, banking, real estate and commercial leasing.

About Kelly Osaka

Kelly is co-leader of both the Litigation and Dispute Resolution group in Calgary and the Privacy and Cybersecurity subgroup; she is also a member of the Privacy and Cybersecurity group. An experienced commercial litigator, Kelly has particular expertise in class action defence, shareholder disputes, cyber breach coaching, cyber risk analysis, governance best practices, professional negligence, and regulatory investigations.

About Chloe Snider

Chloe Snider is a partner in Dentons’ Litigation and Dispute Resolution and Transformative Technologies groups. Her practice focuses on litigating complex commercial disputes and assisting clients in managing risk. She is a strategic and critical legal thinker who works efficiently to develop practical solutions for her clients.
