Canadian Businesses Increasingly Exposed To Privacy Breach Class Actions Absent Traditional Forms Of Damages

Two privacy breach class actions recently certified against the Federal Government — Condon and John Doe — demonstrate a timing dilemma faced by all Canadian corporations hit with these sorts of claims. On the one hand, whether any proposed privacy breach class member will be successful in proving legally recognizable damage is open to considerable debate. On the other, the key merits questions will often be deferred, class certification addressing the form of action as opposed to its substantive validity. Accordingly, defendants need to carefully weigh whether, and when, to move for summary dismissal.

A Lost Hard Drive — Condon v. Canada1

Condon is the Federal Court of Canada's first "intrusion upon seclusion" privacy breach class action. An unencrypted hard drive containing personal information of 583,000 students, having received loans from the student program, was reported lost from a filing cabinet. Upon being notified, plaintiffs claimed costs incurred in preventing identity theft; out-of-pocket expenses; and unspecified amounts for inconvenience, frustration, anxiety and increased risk of identity theft.

Despite the motion judge having certified an "intrusion upon seclusion" class action, the proposed representative plaintiffs appealed. They requested, in addition, certification of common issues in negligence and for breach of confidence.2 The Federal Court of Appeal allowed the appeal. Having noted the absence of any evidence personal information has been inappropriately accessed or that any plaintiff has been a victim of fraud or identity theft,3 the appeal court still criticized the motion judge for having weighed the claim's merits, finding no compensable damage. The Court of Appeal held that a mere pleading of out-of-pocket expenses is sufficient, such that negligence and breach of confidence could be part of the certified common issues.

The Revealing Letter Envelope — John Doe v. Canada4

In the second case, plaintiffs sue Health Canada for having breached privacy by inadvertently disclosing their participation in a marijuana medical access program. Each class member, approximately 40,000 individuals, was sent a letter in an envelope identifying them as a program licensee.5 The class action advances six causes of action against Health Canada: breach of contract, negligence, breach of confidence, intrusion upon seclusion, "publicity given to private life", and breach of a Charter right to privacy.6 The Federal Court certified all...