Teresa Scassa - Blog

Tuesday, 06 October 2020 13:56

BC Court of Appeal is Open to Broadening Privacy Recourse

Written by  Teresa Scassa

The BC Court of Appeal has handed down a decision that shakes up certain assumptions about recourse for privacy-related harms in that province – and perhaps in other provinces as well.

The decision relates to a class action lawsuit filed after a data breach. The defendant had stored an unencrypted copy of a database containing customer personal information on its website. The personal information included: “names, addresses, email addresses, telephone numbers, dates of birth, social insurance numbers, occupations, and, in the case of credit card applicants, their mothers' birth names.” (at para 4) This information was accessed by hackers. By the time of this decision, some of the information had been used in phishing scams but the full extent of its use is still unknown.

As is typical in privacy class action lawsuits, the plaintiffs sought certification on multiple grounds. These included: “breach of contract, negligence, breach of privacy, intrusion upon seclusion, breach of confidence, unjust enrichment and waiver of tort.” (at para 6) The motions judge certified only claims in contract, negligence, and the federal common law of privacy.

The defendants appealed, arguing that the remaining grounds were not viable and that the action should not have been certified. They also argued that a class action lawsuit was not the preferable procedure for the resolution of the common issues. While the plaintiffs cross-appealed the dismissal of the claim for breach of confidence, they did not appeal the decision that there was no recourse for breach of privacy or the tort of intrusion upon seclusion under BC law.

This post focuses on what I consider to be the three most interesting issues in the case. These are: whether there is recourse for data breaches other than via data protection legislation; whether the tort of breach of privacy exists in B.C.; and whether there is a federal common law of privacy.

1. Is PIPEDA a complete code?

The defendants argued that the class action lawsuit was not the preferred procedure because the federal Personal Information Protection and Electronic Documents Act (PIPEDA) constituted a “complete code in respect of the collection, retention, and disclosure of personal information by federally-regulated businesses, and that no action, apart from the application to the Federal Court contemplated by the Act can be brought in respect of a data breach.” (at para 18) Justice Groberman, writing for the unanimous Court, noted that while it was possible for a statute to constitute a complete code intended to fully regulate a particular domain, it is not inevitable. He observed that the Ontario Court of Appeal decision in Hopkins v. Kay had earlier determined that Ontario’s Personal Health Information Protection Act (PHIPA) did not constitute a complete code when it came to regulating personal health information, allowing a lawsuit to proceed against a hospital for a data breach. In Hopkins, the Ontario Court of Appeal noted that PHIPA was primarily oriented towards addressing systemic issues in the handling of personal health information, rather than dealing with individual disputes. Although there was a complaints mechanism in the statute, the Commissioner had the discretion to decline to investigate a complaint if a more appropriate procedure were available. Justice Groberman noted that PIPEDA contained a similar provision in s. 12. 
He observed that “[t]his language, far from suggesting that the PIPEDA is a complete code, acknowledges that other remedies continue to be available, and gives the Commissioner the discretion to abstain from conducting an investigation where an adequate alternative remedy is available to the complainant.” (at para 28) In his view, PIPEDA is similarly oriented towards addressing systemic problems and preventing future breaches, and “[w]hile there is a mechanism to resolve individual complaints, it is an adjunct to the legislative scheme, not its focus.” (at para 29) He also found it significant that PIPEDA addressed private rather than public sector data protection. He stated: “[w]ithin a private law scheme, it seems to me that we should exercise even greater caution before concluding that a statute is intended to abolish existing private law rights.” (at para 30) He concluded that nothing in PIPEDA precluded other forms of recourse for privacy harms.

2. Do common law privacy torts exist in BC?

In 2012 the Ontario Court of Appeal recognized the privacy tort of intrusion upon seclusion in Jones v. Tsige. However, since British Columbia has a statutory privacy tort in its Privacy Act, the motions judge (like other BC judges before him) concluded that the statutory tort displaced any possible common law tort in BC. Justice Groberman was clearly disappointed that the plaintiffs had chosen not to appeal this conclusion. He stated: “In my view, the time may well have come for this Court to revisit its jurisprudence on the tort of breach of privacy.” (at para 55) He proceeded to review the case law usually cited as supporting the view that there is no common law tort of breach of privacy in BC. He distinguished the 2003 decision in Hung v. Gardiner on the basis that in that case the judge at first instance had simply stated that he was not convinced by the authorities provided that such a tort existed in BC. On appeal, the BCCA agreed with the judge’s conclusion on an issue of absolute privilege, and found it unnecessary to consider any of the other grounds of appeal.

The BCCA decision in Mohl v. University of British Columbia is more difficult to distinguish because in that case the BCCA stated “[t]here is no common-law claim for breach of privacy. The claim must rest on the provisions of the [Privacy] Act.” (Mohl at para 13) Nevertheless, Justice Groberman indicated that while this statement was broad, “it is not entirely clear that it was intended to be a bold statement of general principle as opposed to a conclusion with respect to the specific circumstances of Mr. Mohl's case. In any event, the observation was not critical to this Court's reasoning.” (at para 62)

Justice Groberman concluded that “The thread of cases in this Court that hold that there is no tort of breach of privacy, in short, is a very thin one.” (at para 64) He also noted that the privacy context had considerably changed, particularly with the Ontario Court of Appeal’s decision in Jones v. Tsige. He stated:

It may be that in a bygone era, a legal claim to privacy could be seen as an unnecessary concession to those who were reclusive or overly sensitive to publicity, though I doubt that that was ever an accurate reflection of reality. Today, personal data has assumed a critical role in people's lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic. (at para 66)

He indicated that the Court of Appeal might be inclined to reconsider the issue were it to be raised before them, although he could not do so in this case since the plaintiffs had not appealed the judge’s ruling on this point.

3. There is no federal common law of privacy

However keen Justice Groberman might have been to hear arguments on the common law tort of privacy, he overturned the certification of the privacy claims as they related to the federal common law of privacy. He characterized this approach as ‘creative’, but inappropriate. He noted that while common law principles might evolve in areas of federal law (e.g. maritime law), in cases where there was shared jurisdiction such as in privacy law, there was no separate body of federal common law distinct from provincial common law. He stated “there is only a single common law, and it applies within both federal and provincial spheres.” (at para 76) More specifically, he stated:

Where an area of law could be regulated by either level of government, it is not sensible to describe the situation in which neither has enacted legislation as being a situation of either "federal" or "provincial" common law. It is simply a situation of the "common law" applying. The plaintiffs cannot choose whether to bring their claims under "federal" or "provincial" common law as if these were two different regimes. (at para 86)

Because the claim advanced by the plaintiff had nothing to do with any specific area of federal jurisdiction, Justice Groberman rejected the idea that a cause of action arose under “federal” common law.

Overall, this decision is an interesting one. Clearly the Court of Appeal is sending strong signals that it is time to rethink recourse for breach of privacy in the province. It may now be that there is both a statutory and a common law action for breach of privacy. If this is so, it will be interesting to see what scope is given to the newly recognized common law tort. “Complete code” arguments have arisen in other lawsuits relating to breach of privacy; the BCCA’s response in this case adds to a growing body of jurisprudence that rejects the idea that data protection laws provide the only legal recourse for the mishandling of personal data. Finally, a number of class action lawsuits have asserted the “federal common law of privacy”, even though it has been entirely unclear what this is. The BCCA suggests that it is a fabrication and that no such distinct area of common law exists.
