British Columbia Supreme Court Certifies Privacy Class Action, Restricting Claims to Statutory Privacy Tort

There has been a new development in a class action that we previously covered (see: Recklessness as a Willful Violation of Privacy: B.C. Court of Appeal Decision has Implications for Private and Public Sector Organizations). The development is G.D. v. South Coast British Columbia Transportation Authority, 2026 BCSC 773, and it has implications for public and private sector organizations that collect, store, or manage sensitive personal information in British Columbia. The decision suggests that plaintiffs may be able to advance statutory privacy claims beyond certification based solely on allegations of inadequate safeguarding, with “access” being interpreted broadly at the certification stage. It also reinforces the possibility of aggregate damages awards despite the absence of individualized proof of loss.
Background
The plaintiffs sought certification of a class action on behalf of individuals whose sensitive personal information may have been compromised in a 2020 ransomware attack on the defendant’s computer systems.
The claim alleged that there was unauthorized access to various categories of personal information, including payroll, sensitive employee data, third-party information, and scanned cheques. The defendant responded by offering credit monitoring, information sessions, and notification letters to almost 40,000 individuals.
Procedural History
On June 5, 2023, the British Columbia Supreme Court initially dismissed the plaintiffs’ certification application, finding that claims under s. 1 of the Privacy Act, R.S.B.C. 1996, c. 373, and negligence were bound to fail.[1]
On July 4, 2024, the British Columbia Court of Appeal allowed the appeal, ruling it is arguable that a data custodian may be liable for violating privacy if personal information is not properly safeguarded, based on reasonable expectations of privacy and the custodian’s actions or omissions. The court also noted it is arguable the custodian has a duty of care, and compensation may be possible due to the sensitivity of the breached information.[2]
On March 6, 2025, the Supreme Court of Canada declined to grant leave to appeal.[3]
Subsequently, the plaintiffs revised their claim to proceed solely with the cause of action under s. 1 of the Privacy Act.
Motion for Certification
The Court permitted the plaintiffs’ renewed certification application to proceed but limited their claim through several findings, including:
- Cause of Action - The claim under the Privacy Act was the only cause of action permitted to proceed. The statement of claim did not include material facts regarding employment, agency, or any other recognized category sufficient to support a claim for vicarious liability for the actions of the unknown criminal hacker.[4]
- Class Definition - While the plaintiffs initially suggested using the term “persons impacted,” the Court found this language too vague. As a result, the Court approved a revised definition to limit the class to “all persons who were notified by the Defendant that their sensitive personal information may have been compromised.”[5]
- Common Issue “Access” - Regarding the issue of whether class members’ sensitive personal information was “accessed” by unauthorized parties, the evidence indicated that the defendant acknowledged folders and files were accessed but contested whether specific information had been viewed or copied. The Court determined that “access” does not require proof of copying or viewing; exposure alone is sufficient.[6] It remains open to the trial judge to conclude that the sensitive information of certain class members was not “accessed”; however, this does not preclude certification.[7]
- Common Issue “Wilful” - The Court reaffirmed that certification is not the appropriate stage to determine the interpretation of “wilful” within the Privacy Act, consistent with recent guidance from the Court of Appeal in Jiang v. Peoples Trust Company, 2017 BCCA 119.[8]
- Damages - The Court agreed to certify damages common issues, including whether damages can be assessed in aggregate. Building on recent decisions,[9] the Court reaffirmed that general and nominal damages for breaches of privacy may be awarded on an aggregate basis, even without concrete evidence of harm or loss.[10] However, the Court refused to certify a claim for moral damages for stress and anxiety since none of the plaintiffs claimed to have suffered psychological harm, finding insufficient evidence to support any assertion of serious or prolonged stress and anxiety.
- Preferable Procedure and Behaviour Modification - Although the evidence showed that the defendant made efforts to provide a credit monitoring package as part of its response to the data breach, the Court found that the class proceeding was still the preferable procedure. The credit monitoring was not considered a substitute for legal remedies.[11]
Takeaways
The British Columbia Supreme Court’s decision reflects a continued willingness to allow data breach class actions to proceed in British Columbia.
At the same time, the ruling underscores a tightening of the causes of action available to plaintiffs, with claims increasingly confined to narrower statutory or privacy-based grounds.
Notably, the Court’s reasoning maintains that mere exposure of data may constitute “access” for the purposes of certification of a statutory cause of action under the Privacy Act—maintaining a low bar at this preliminary stage.
Finally, the decision reinforces the broader trend toward recognizing aggregate damages for data breaches, even in the absence of proven individual harm, and draws a clear distinction between legal remedies and voluntary corporate responses such as credit monitoring.
[1] G.D. v South Coast British Columbia Transportation Authority, 2023 BCSC 958 (CanLII).
[2] G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252 (CanLII).
[3] South Coast British Columbia Transportation Authority v. G.D., et al., 2025 CanLII 17288 (SCC).
[4] G.D. v South Coast British Columbia Transportation Authority, 2026 BCSC 773 (CanLII), at para 15.
[5] G.D. v South Coast British Columbia Transportation Authority, 2026 BCSC 773 (CanLII), at para 20.
[6] G.D. v South Coast British Columbia Transportation Authority, 2026 BCSC 773 (CanLII), at para 25.
[7] G.D. v South Coast British Columbia Transportation Authority, 2026 BCSC 773 (CanLII), at para 28.
[8] G.D. v South Coast British Columbia Transportation Authority, 2026 BCSC 773 (CanLII), at para 36.
[9] See Ari v. Insurance Corporation of British Columbia, 2022 BCSC 1475.
[10] G.D. v South Coast British Columbia Transportation Authority, 2026 BCSC 773 (CanLII), at para 41.
[11] G.D. v South Coast British Columbia Transportation Authority, 2026 BCSC 773 (CanLII), at para 67.
