B.C. Court of Appeal Finds that Allegedly Reckless Database Custodians may be Liable for "Wilful Violations" of Privacy Under the Privacy Act

In a pair of decisions released on July 5, 2024, the B.C. Court of Appeal (BCCA) found that an alleged reckless failure to safeguard personal information may be sufficient to make out Privacy Act claims of "wilful violation" of privacy against database defendants who are victims of data hacks. In doing so, the BCCA interpreted statutory Privacy Act claims to be potentially broader than the common law tort of intrusion upon seclusion, which the Ontario Court of Appeal in its 2022 "trilogy" of decisions in Owsianik, Obodo and Winder limited to claims against the hacker who committed the "intrusion", not the database defendant who allegedly failed to prevent it.

In G.D. v South Coast British Columbia Transportation Authority, 2024 BCCA 252 [South Coast], the BCCA overturned the chambers judge's finding that the plaintiff's claims under B.C.'s Privacy Act were bound to fail at the pleadings stage. In Campbell v Capital One Financial Corporation, 2024 BCCA 253 [Capital One], the same Division of the BCCA upheld the chambers judge's finding that claims under the British Columbia, Saskatchewan and Newfoundland Privacy Acts were not bound to fail.

In both decisions, the BCCA held it was at least arguable that an alleged "reckless" failure on the part of a database defendant to safeguard putative class members' private information could amount to a "wilful violation" of privacy under the Privacy Act. The Court commented that, while jurisprudence interpreting common law "intrusion" upon seclusion may ultimately be useful in interpreting the scope of a "wilful violation" of privacy under the Privacy Act, statutory Privacy Act claims and common law claims were not identical, and the common law jurisprudence did not make the Privacy Act claims bound to fail at the pleadings stage.

The BCCA also made broad statements expressing views on the policy goals of privacy claims and how they should evolve. In Capital One, the BCCA commented that "[a] purposive reading of the Privacy Acts may militate in favour of including data custodians within the statutory tort as society and technology evolve". In South Coast, the BCCA commented: "… I see the floodgates argument differently, and that is as a flood of unprotected personal information flowing out of the control of the persons whose information it is, and into the hands of bad actors, unless the law responds adequately."
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs. For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.