A recent decision by the Alberta Court of Appeal in a data breach class action may have positive repercussions for companies across Canada facing the threat of class actions following a data breach.

In a unanimous decision in Setoguchi v Uber, the Court upheld the dismissal of the certification application by the Honourable Associate Chief Justice J.D. Rooke (the “Certification Judge”). In doing so, the Court affirmed that the test under s. 5(1)(a) (valid cause of action) is not a perfunctory exercise, and carefully scrutinized the Appellant’s pleadings to determine whether her novel theory of harm should be recognized in law. Further, the Court affirmed it was open to the Certification Judge to determine that, in the absence of any opportunity for compensable class-wide harm, a class proceeding was not the preferable procedure.

In the reasoning and result, this decision reflects the recent emphasis, in Canadian Courts, on the “gatekeeper” role of certification judges in ensuring that the certification hearing is a meaningful screening device.  

Background

In late 2016, Uber was attacked by outside actors who accessed the names, telephone numbers and email addresses of a number of users globally (including several hundred thousand customers in Canada). Uber made a payment in exchange for assurances that the accessed data  would be destroyed.

In the 4 years between the breach and the certification application, and the 2 years between the certification application and the appeal, neither the Plaintiff nor any member of the proposed Class had come forward with proof of economic loss or psychological harm arising out of the data incident.

In 2021, the Certification Judge denied certification. After concluding that “not only is there no evidence of harm or loss, there is evidence that there is no harm or loss”, the Certification Judge found that in such circumstances, it would not be “preferable” to litigate the claims of all Class Members together, emphasizing the new culture of proportionality, and the systemic value of weeding out unmeritorious and de minimis claims. You can read our analysis of the lower court decision, here.

By the time the matter reached appeal, the Plaintiff had narrowed her case to two class-wide allegations: (1) breach of contract, for which class-wide nominal damages were available; and (2) negligence for  failing to protect  personal information. In the absence of any evidence of economic harm or loss, the Plaintiff argued that  because personal information has inherent value the theft of any personal information is itself a class-wide compensable harm, for which “baseline damages” could be awarded.  

Analysis

The Court of Appeal dismissed the appeal on two bases. First, the Court found the Appellant’s pleading failed to disclose a cause of action in negligence. Second, with only the breach of contract claim to be pursued at a common issues trial, the Court found no appealable error in the Certification Judge’s conclusion that a class proceeding was not the preferable procedure in the circumstances.

1. No claim in negligence

Although the Court of Appeal was not prepared to import the requirement for “some basis in fact” or evidence of harm into the test under s. 5(1)(a), it noted that the Appellant’s pleading did not automatically survive the s. 5(1)(a) analysis. While the cause of action in breach of contract was fully pleaded, the Court concluded the Appellant’s cause of action in negligence was not. Noting that damages are an essential element of a claim in negligence, the Court found that the Appellant failed to plead any specific injury that is compensable at law.

First, the Court considered the wording of the Statement of Claim, which stated that members of the class had “suffered significant loss and damages including harm and injury to their interests”. This loss was stated to include “the unauthorized release, disclosure and use of their personal information.” The Court of Appeal found this was not sufficient:

[34]           A fundamental purpose of pleadings is to outline the case a defendant must meet. When a cause of action includes damage as one of its requirements, a plaintiff is required to plead facts sufficient to amount at law to damage. Pleadings alleging negligence, for instance, “must be supported by facts capable of sustaining a determination that a duty was owed, that an act or omission occurred breaching that duty, and that damages resulted” … This means that a negligence claim can be struck where the plaintiff fails to plead an injury that is recognized as being compensable at law … It is no more sufficient for a plaintiff to plead “damages” or “injury” than it is to plead the existence of a “duty of care”; both are bare legal conclusions that require sufficient facts to sustain them. In this regard, the Amended Statement of Claim is deficient; it fails to particularize the harm or damages suffered as a result of the hack, how such loss or damage was caused by Uber, and the remedies sought for each cause of action. This is essential information for the determination of whether particular causes of action can survive scrutiny under s 5(1)(a). [citations omitted]

Next, the Court considered the Appellant’s argument that theft of personal information was compensable harm per se and could be assumed on a class-wide basis—even if the personal information is not private information. As this theory of harm (and liability) was novel, the Appellant argued that her theory of harm ought to be considered at a common issues trial.

The Court of Appeal disagreed. Relying on recent precedent from the Supreme Court of Canada and other appellate courts, the Court emphasized that novel claims should not be permitted to proceed just because they are novel. Rather, the Court stated:

[46] Aside from creating or perpetuating legal uncertainty, failing to determine a question of law at the pleadings stage, when appropriate to do so, is antithetical to the call in Hryniak v Mauldin, 2014 SCC 7 for affordable, timely and just resolution of disputes. In the boundless landscape of scarce judicial resources, there is nothing to be gained by certifying suspect novel claims, the validity of which will only be determined at a merits trial that may never occur. As noted by Stratas JA in Coote v Lawyers’ Professional Indemnity Company, 2013 FCA 143 at para 13: “[d]evoting resources to one case for no good reason deprives the others for no good reason”…

The Court found that the loss of personal information in this case, standing alone, could not amount to compensable harm at law.

The Court also considered the Appellant’s argument that harm arose because information in the hands of criminals may make class members more susceptible to fraud such as phishing scams. After noting the creation of risk or prospect of future harm is generally not actionable, the Court concluded that even if class members are marginally “worse off” for having their personal information exposed, “damage in tort law must be ‘real’ as opposed to merely ‘negligible’ or ‘trivial’ in order to be actionable.”

Lastly, the Court noted that while the Appellant did plead some pecuniary losses that are “potentially compensable at law in negligence”, such as, for example, out-of-pocket expenses for credit monitoring, the Appellant did not pursue this harm on a class-wide basis. Thus, the negligence claim was not capable of being certified on the basis of this type of harm.

As a result, the Court found the Appellant’s claim in negligence did not survive s. 5(1)(a) as she failed to plead a legally compensable harm on a class-wide basis, which is a required element for a cause of action in negligence.

2. A class proceeding not the preferable procedure

That left only the Plaintiff’s breach of contract claim, seeking nominal damages, for the proposed common issues trial. The Court agreed with the Certification Judge that in the circumstances of this case, a class proceeding was not the preferable procedure to resolve that claim:

[73] Certification of claims for nominal damages in breach of contract are usually made in the context of other causes of action also being certified. When the entirety of the class action is for nominal damages, the court can properly ask what purpose the action serves in the context of the objectives of class proceedings: Flesch at para 89.

The Court of Appeal found it was open to the Certification Judge to conclude on the facts of this case that access to justice concerns did not prevail, as the damages sought were nominal only, and the considerable judicial resources required for a class proceeding were not justified due to the nature of the claim and its impact on class members. Further, the Court agreed that the extensive regulatory penalties already imposed on Uber, along with negative press coverage, were sufficient to achieve the goal of behaviour modification.

Ultimately, the Court concluded that the Certification Judge did not engage in an assessment of “the merits of the action”, but rather took “a critical look at the entirety of the action and what it hopes to achieve”. With deference to the Certification Judge’s discretionary conclusion on preferable procedure, the Court dismissed the appeal.