SCC Rejects Data Breach Class Action Appeals
On July 12th, 2023, the Supreme Court of Canada denied leave to appeal to the plaintiffs in four land-mark data breach class actions: Setoguchi v Uber from the Alberta Court of Appeal, and Owsianik v Equifax, Winder v Marriot and Obodo v Trans Union from the Ontario Court of Appeal.
The refusal by the Supreme Court to hear appeals in these cases leaves the Court of Appeal decisions in each matter as the final word on topics that will have positive repercussions for companies and organizations across Canada facing the threat of class actions following a data breach:
- In Setoguchi v Uber, the Alberta Court of Appeal upheld the dismissal of the certification application in a proposed data breach class action. The Appellant argued that the loss of any personal information, without any subsequent harm to or negative impact on class members, entitled those class members to, at a minimum, “baseline” damages of $100 per person (totaling around $80,000,000). The Court of Appeal carefully scrutinized the Appellant’s pleadings and determined her novel theory of harm should not be recognized in law. You can read our detailed analysis of the Setoguchi decision here.
- In Owsianik v Equifax, Winder v Marriot and Obodo v Trans Union, the Ontario Court of Appeal held that a defendant who collects personal information from customers, and who is then the victim of a third party hack, cannot be liable to those customers for the tort of intrusion upon seclusion. This is important because the tort of intrusion is actionable without proof of harm. You can read our detailed analysis of these three decisions here.
These decisions will limit the risk that companies and organizations that have suffered a data breach will inevitably face multiple proposed class actions. Rather, litigation should follow only where there is real evidence that the accessed information was used to the detriment of some persons. This new reality should not discourage organizations from the necessity of protecting sensitive information that is received and retained – regardless of whether anyone suffers harm as a result of a data breach, organizations are still subject to a robust privacy regulatory framework, and face potentially significant costs and penalties for non-compliance. But this change in the law is a benefit to all Canadians, as it will improve access to justice for those in need of a remedy, and avoid the use of Court resources to manage lawsuits brought on behalf of persons who have no need of a legal remedy.
McCarthy Tétrault LLP acted as counsel for Uber in Setoguchi v Uber, with a team led by Kara L. Smyth, which included Dana M. Peebles and Cassidy Bishop, together with Uber in-house counsel Ryan MacIsaac.