Been Hacked? Your Organization Could be Liable for Privacy Breaches – Potential Impact of the Consumer Privacy Protection Act


By Lauren Zeleschuk and Abigail Choi

In Canada, individuals affected by a privacy breach can and do commence legal actions for compensation associated with the breach. However, the current path to compensation is the common law tort of intrusion upon seclusion, which is not designed to deal with situations where anonymous third-party hackers access personal information held by private organizations.

In this blog post, we outline the liability risks facing organizations that are targeted or may be targeted by third-party hackers, including the impact of a proposed private right of action in the proposed Consumer Privacy Protection Act*.

*The Consumer Privacy Protection Act is part of the new federal private sector privacy legislation proposed in Bill C-27, which is currently being considered by the House of Commons. If passed, it will make sweeping changes to Canada’s private sector privacy landscape by enacting the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act, and by making consequential and related amendments to other Acts. For more information, see our Privacy, Penalties and AI Regulation – The New Digital Charter Implementation Act blog post.

Privacy Class Actions Dying, Courts Limiting the Application of the Tort of Intrusion Upon Seclusion

Currently, when a privacy breach occurs, a key avenue for individuals affected is to sue the breached organization for the tort of intrusion upon seclusion via a class action. There is some case law stating that the tort of intrusion upon seclusion does not exist in British Columbia. In a recent decision, our Court of Appeal commented that it may be time to revisit the tort of breach of privacy: Tucci v Peoples Trust Company, 2020 BCCA 246. Nonetheless, as the law currently stands, this tort does not exist in British Columbia. Instead, we have what has been described as a “very similar” tort, which is established under the Privacy Act, RSBC 1996, c. 373: see Severs v Hyp3R Inc., 2021 BCSC 2261.

However, pursuing compensation under these avenues leads to a dead end for many victims of cyber breaches, as courts across the country have been reluctant to certify privacy class actions for the tort of intrusion upon seclusion.

The elements of the tort, as summarized in Owsianik v. Equifax Canada Co., 2022 ONCA 813, are as follows:

  1. the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse (the conduct requirement);
  2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly (the state of mind requirement); and
  3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation, or anguish (the consequence requirement).

In Owsianik v. Equifax Canada Co., third-party hackers gained unauthorized access to Equifax’s customers’ personal information. The hackers accessed sensitive personal information such as social insurance numbers, driver’s licence numbers, and credit card numbers. However, the court found that the second element of the tort was not established as Equifax did not intentionally or recklessly cause the breach. The tort requires an intentional act by the defendant and, in this instance, the privacy breach was committed by third-party hackers and not the defendant, Equifax. Despite the sensitivity of the personal information accessed by the hackers, Equifax was found not liable to those affected.

In a similar fashion, other privacy breach class actions relying on the tort of intrusion upon seclusion as the cause of action have seen limited success. For example, in Setoguchi v Uber B.V., 2021 ABQB 18, the court found that the personal information subject to the breach was not sensitive enough to give rise to damages. In that case, there was no evidence of loss or real harm as a result of the breach. In another case, the court found that the risk of a future injury is not an injury that can be compensated: Li v. Equifax, 2019 QCCS 4340.

However, not all class certifications fail. In Sweet v. Canada, 2022 FC 1228, the Federal Court of Canada certified the privacy class action based on intrusion upon seclusion, among other causes of action. The action was brought against the Canadian government by taxpayers who had their CRA accounts hacked by third parties. The difference in this case was that the Canadian government ignored reports from class members and service providers, such as accounting and investment firms, of the unauthorized data breaches. Even though the action is certified, the case has not yet been heard on its merits and the Canadian government has not yet been found liable.

Growing Risk of Liability and the Proposed Private Right of Action

Based on current case law trends, it may seem that organizations are not at risk of being found liable for compensating victims of privacy breaches caused by third parties. However, there continues to be a strong recognition in the courts and in the legislature that privacy protection is important. In Simpson v Facebook, 2021 ONSC 968, the court acknowledged the importance of safeguarding privacy in the following statement:

The dismissal of this certification motion does not diminish the paramount importance of protecting individual privacy and personal data. An individual’s ability to control their personal information is intimately connected to individual autonomy, dignity and privacy. Significant invasions of personal privacy are serious matters and deserve regulatory and judicial attention.

Further, the proposed Consumer Privacy Protection Act will provide a new avenue for individuals affected by a privacy breach to seek damages. The private right of action becomes available after the Privacy Commissioner makes a finding that the organization has contravened the Act, and that finding is either not appealed to the Data Protection Tribunal or the appeal is dismissed. As a result, organizations that contravene the proposed Consumer Privacy Protection Act by failing to put appropriate security safeguards in place to protect personal information from third-party hackers could be targeted under this private right of action by individuals affected by a privacy breach.

It is unclear how the private right of action would function, or what the overall risk of liability would be for organizations that fail to adequately protect personal information. However, what is clear is that privacy law will continue to become more stringent, and new paths for individuals to seek compensation are being considered by the House of Commons.