Teresa Scassa - Blog

Tuesday, 03 December 2019 14:58

A troubling new twist on privacy class action lawsuits in Canada

Written by  Teresa Scassa
Rate this item
(5 votes)

Class action lawsuits for privacy breaches are becoming all the rage in Canada – this is perhaps unsurprising given the growing number of data breaches. However, a proceeding certified and settled in October 2019 stands out as significantly different from the majority of Canadian privacy class action suits.

Most privacy class action lawsuits involve data breaches. Essentially, an entity trusted with the personal information of large numbers of individuals is sued because they lost the data stored on an unsecured device, a rogue employee absconded with the data or repurposed it, a hacker circumvented their security measures, or they simply allowed information to be improperly disclosed due to lax practices or other failings. In each of these scenarios, the common factor is a data breach and improper disclosure of personal information. Haikola v. Personal Insurance Co. is a notably different. In Haikola, the alleged misconduct is the over collection of personal information in breach of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The legal issues in this case arose after the representative class plaintiff, Mr. Haikola, was involved in a car accident. In settling his claim, his insurance company asked him to consent to providing them access to his credit score with a credit reporting agency. Mr. Haikola agreed, although he felt that he had had no choice but to do so. He followed up with the insurance company on several occasions, seeking more information about why the information was required, but did not receive a satisfactory explanation. He filed a complaint with the Office of the Privacy Commissioner. The subsequent investigation led to a Report of Findings that concluded, in the words of Justice Glustein, that the insurance company’s “collection and use of credit scores during the auto insurance claim assessment process is not something that a reasonable person would consider to be appropriate.” (at para 13) The company eventually changed its practices.

Under PIPEDA, the Commissioner’s findings are not binding. Once a complainant has received a Report of Findings, they can choose to bring an application under s. 14 of PIPEDA to Federal Court for an order and/or an award of damages. After receiving his Report of Findings, Mr. Haikola took the unusual step of seeking to commence a class action lawsuit under s. 14 of PIPEDA. The defendants argued that the Federal Court had no jurisdiction under s. 14 to certify a class action lawsuit. There is no case law on this issue, and it is not at all clear that class action recourse is contemplated under s. 14.

The parties, in the meantime, negotiated a settlement agreement. However, quite apart from the issue of whether a class action suit could be certified under s. 14 of PIPEDA, it was unclear whether the Federal Court could “make an enforceable order in a PIPEDA class action against a non-governmental entity.” (at para 28) With advice from the Federal Court case management judge, the parties agreed that Mr. Haikola would commence an action in Ontario Superior Court, requesting certification of the class action lawsuit and approval of the settlement. The sole cause of action in the suit initiated in Ontario Superior Court was for breach of contract. The argument was that in the contract between the insurance company and its customers, the insurance company undertook to “”act as required or authorized by law” in the collection, use, and disclosure of the Class Members’ personal information – including information from credit reporting agencies.” (at para 56) This would include meeting its PIPEDA obligations.

The class included persons whose credit history was used as part of a claim settlement process. The insurance company identified 8,525 people who fell into this category. The settlement provided for the paying out of $2,250,000. The court estimated that if every member of the class filed a valid claim, each would receive approximately $150.

In considering whether a class action lawsuit was the preferable procedure, Justice Glustein noted that generally, for this type of privacy complaint, the normal recourse was under PIPEDA. The structure of PIPEDA is such that each affected individual would have to file a complaint; the filing of a complaint and the issuance of a report were both prerequisites to commencing an action in Federal Court. Justice Glustein considered this to be a barrier to access to justice, particularly since most individuals would have claims “of only a very modest value”. (at para 66) He found that “The common law claim proposed is preferable to each Class Member making a privacy complaint, waiting for the resolution of the complaint from the Privacy Commissioner with a formal report, and then commencing a Federal Court action.” (at para 67)

Justice Glustein certified the proceedings and approved the settlement agreement. He was certainly aware of the potential weaknesses of the plaintiff’s case – these were factors he took into account in assessing the reasonableness of the amount of the settlement. Not only were there real issues as to whether a class action lawsuit was a possible recourse for breach of PIPEDA, a proceeding under s. 14 is de novo, meaning the court would not be bound by the findings of the Privacy Commissioner. Further, the Federal Court has been parsimonious with damages under PIPEDA, awarding them only in the most “egregious” circumstances. It is, in fact, rare for a Federal Court judge to award damages unless there has been an improper disclosure of personal information. In this case, the insurance company was found to have collected too much information, but there had been no breach or loss of personal data.

This case is interesting because raises the possibility of class action lawsuits being used for privacy complaints other than data security breaches. This should put fear into the heart of any company whose general practices or policies have led them to collect too much personal information, obtain insufficient consent, or retain data for longer than necessary (to name just a few possible shortcomings). Perhaps the facts in Haikola are exceptional enough to avoid a landslide of litigation. Justice Glustein was clearly sympathetic towards a plaintiff who had doggedly pursued his privacy rights in the face of an insufficiently responsive company, and who had been vindicated by the OPC’s Report of Findings. Justice Glustein noted as well that it was the plaintiff who had sought to initiate the class action lawsuit – he had not been recruited by class counsel.

There is clearly also an element in this decision of frustration and dissatisfaction with the current state of Canadian data protection law. Justice Glustein observed: “If systemic PIPEDA breaches are not rectified by a class procedure, it is not clear what incentive large insurers and others will have to avoid overcollection of information.” (at para 88) Justice Glustein also observed that “While the Privacy Commissioner may encourage or require changes to future practices, it [sic] has very limited powers to enforce compliance through strong regulatory penalties.” (at para 88) This is certainly true, and many (including the Privacy Commissioner) have called for greater enforcement powers to strengthen PIPEDA. This comment, taken with Justice Glustein’s additional comment that the settlement imposes on the Defendants a “meaningful business cost” for the overcollection of personal information, are nothing short of a condemnation of Canada’s private sector data protection regime.

The government has heard such condemnations from the Commissioner himself, as well as from many other critics of PIPEDA. It is now hearing it from the courts. Hopefully it is paying attention. This is not just because PIPEDA obligations need stronger and more diverse enforcement options to provide meaningful privacy protection, but also because class action lawsuits are a blunt tool, ill-designed to serve carefully-tailored public policy objectives in this area.

 

 

Login to post comments

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law