Written By Katherine Booth and Edward Hulshof

In a pair of decisions released on July 5, 2024, the B.C. Court of Appeal found that an alleged reckless failure to safeguard personal information may be sufficient to make out Privacy Act claims of "wilful violation" of privacy against database defendants who are victims of data hacks. In doing so, the BCCA interpreted statutory Privacy Act claims to be potentially broader than the common law tort of intrusion upon seclusion, which the Ontario Court of Appeal in its 2022 "trilogy" of decisions in Owsianik, Obodo and Winder limited to claims against the hacker who committed the "intrusion", not the database defendant who allegedly failed to prevent it.

In G.D. v South Coast British Columbia Transportation Authority, 2024 BCCA 252 [South Coast], the BCCA overturned the chambers judge’s finding that the plaintiff's claims under B.C.'s Privacy Act were bound to fail at the pleadings stage. In Campbell v Capital One Financial Corporation, 2024 BCCA 253 [Capital One], the same Division of the BCCA upheld the chambers judge's finding that claims under the British Columbia, Saskatchewan and Newfoundland Privacy Acts were not bound to fail.

In both decisions, the BCCA held it was at least arguable that an alleged "reckless" failure on the part of a database defendant to safeguard putative class members' private information could amount to a “wilful violation” of privacy under the Privacy Act. The Court commented that, while jurisprudence interpreting common law "intrusion" upon seclusion may ultimately be useful in interpreting the scope of a “wilful violation" of privacy under the Privacy Act, statutory Privacy Act claims and common law claims were not identical, and the common law jurisprudence did not make the Privacy Act claims bound to fail at the pleadings stage.

The BCCA also made broad statements expressing views on the policy goals of privacy claims and how they should evolve. In Capital One, the BCCA commented that "[a] purposive reading of the Privacy Acts may militate in favour of including data custodians within the statutory tort as society and technology evolve". In South Coast, the BCCA commented: "… I see the floodgates argument differently, and that is as a flood of unprotected personal information flowing out of the control of the persons whose information it is, and into the hands of bad actors, unless the law responds adequately."

Have time to read more?

• In Capital One, the plaintiff did not allege that a reckless storage of personal information by a data custodian, that is then hacked by a third party, can ground a claim based on the common law tort of intrusion upon seclusion. The BCCA declined to address the question of whether the common law tort of intrusion upon seclusion was available in British Columbia in light of the existence of the statutory tort for wilful violation of privacy under B.C.'s Privacy Act.
• In Capital One, the BCCA made a few other important findings. First, The BCCA confirmed a defendant will not be jointly and severally liable under B.C.'s Negligence Act for another alleged tortfeasor's conduct where the two tortfeasors' alleged conduct gives rise to different kinds of damage. Here, the hacker's intrusion upon seclusion was alleged to have caused moral damage (in the absence of actual harm), whereas the only claim against Capital One was for common law negligence (which is only made out if the alleged negligence causes actual harm). Second, the BCCA confirmed that Capital One could not be liable for breach of confidence, because the plaintiff's claim alleged that the harm ("detriment") suffered by putative class members was caused by the hacker's actions, not Capital One's. Third, the BCCA confirmed that the B.C. Supreme Court had jurisdiction to adjudicate claims under the Manitoba and Newfoundland Privacy Acts.
• Parallel class proceedings were filed against Capital One in Ontario and Quebec. The claim was struck in the Ontario case on the basis that the claims, including common law intrusion upon seclusion and torts under Privacy Acts, were bound to fail (Del Giudice v Thompson, 2021 ONSC 5379, upheld on appeal in 2024 ONCA 70). At the Court of Appeal, the ONCA observed with respect to the British Columbia, Newfoundland and Saskatchewan Privacy Act claims that, although it was pleaded that the respondents were negligent or reckless in failing to safeguard data, there was no pleading that the violation was wilful. The action in Quebec was authorized as a class proceeding (Royer v. Capital One Bank (Canada Branch), 2023 QCCS 2993).