Class Action v. the People Trust Company & the Breach of Privacy & Intrusion Upon Seclusion

As you may be aware, the plaintiffs’ personal data was compromised in a data breach suffered by the defendant, the People’s Trust Company. Data breaches are occurring more readily throughout the Province and Country.

(1) The BC Supreme Court (“BCSC”)

On an application to certify a class proceeding, the BCSC judge found that the pleadings disclosed a cause of action in:

• contract; and

• negligence.

The trial judge failed to find a cause of action in breach of confidence. Instead, he found that breach of privacy and intrusion upon seclusion are not torts recognized in the law of BC, but considered that the plaintiffs could pursue those claims under federal common law. He certified the issue of aggregate nominal damages as a common issue, but held that compensable damages could only be assessed on an individual basis.

(2) The BC Court of Appeal (“BCCA”)

Certification was on an opt out basis. Peoples Trust appealed from the certification and from the opt out basis for the non-resident class in the case of Tucci v. Peoples Trust Company, 2020 BCCA 246.

The plaintiffs cross-appealed from the failure to certify the breach of confidence claim and the failure to certify aggregate compensatory damages as a common issue.

Ultimately, the BCCA permitted the Appeal and Cross-appeal allowed in part. As noted in para. 123 of the case, the Court ordered:

1. The federal statute governing personal information collection is not an exhaustive code precluding the bringing of a common law action.

2. There was no error in the judge’s certification of the breach of contract and negligence claims. He was not required to determine the applicability of a limitation of liability clause as a preliminary issue.

3. Breach of confidence must involve deliberate misuse of information, which did not occur here.

4. The jurisprudence on whether common law breach of privacy torts exist is limited, and may need to be reconsidered by the Court, but does not arise on this appeal.

5. No claim can be pursued under “federal common law”. There is a single common law in British Columbia, covering matters within federal and provincial jurisdiction.

6. Under provisions in force at the time of certification, an opt in model ought to have applied to non-residents. Given statutory changes, the issue can be reconsidered by the trial court.

7. The judge is entitled to deference on the issue of preferable procedure.

8. The certification of the claim for aggregate “nominal” damages is potentially confusing, and should simply refer to “aggregate damages”.

The BC Court of Appeal reviewed the legislation and law as follows:

The Statutory Framework

[12] The following provisions of the Class Proceedings Act were in force at the time of the judgment in the court below and are relevant to this appeal:

4 (1) The court must certify a proceeding as a class proceeding … if all of the following requirements are met:

(a) the pleadings disclose a cause of action…

(c) the claims of the class members raise common issues, whether or not those common issues predominate over issues affecting only individual members;

(d) a class proceeding would be the preferable procedure for the fair and efficient resolution of the common issues….

(2) In determining whether a class proceeding would be the preferable procedure for the fair and efficient resolution of the common issues, the court must consider all relevant matters including the following…

(d) whether other means of resolving the claims are less practical or less efficient;

(e) whether the administration of the class proceeding would create greater difficulties than those likely to be experienced if relief were sought by other means…

6 (2) A class that comprises persons resident in British Columbia and persons not resident in British Columbia must be divided into subclasses along those lines.

….8 (1) A certification order must

(a) describe the class in respect of which the order was made by setting out the class's identifying characteristics, (b) appoint the representative plaintiff for the class, (c) state the nature of the claims asserted on behalf of the class, (d) state the relief sought by the class, (e) set out the common issues for the class, (f) state the manner in which and the time within which a class member may opt out of the proceeding, (g) state the manner in which and the time within which a person who is not a resident of British Columbia may opt in to the proceeding, and (h) include any other provisions the court considers appropriate.

[13] The Act was amended by the Class Proceedings Amendment Act, 2018, S.B.C. 2018, c. 16. Significantly, that statute repealed ss. 6(2) and 8(1)(g) of the Act, thus removing the requirement to separate residents and non-residents into separate subclasses, and applying the opt out provisions to all class members. The transitional provisions in the amending statute include the following:

44 (1) If a proceeding was certified as a class proceeding before the coming into force of this section, then sections 6 (2), 8 (1) (g), 16 (2) to (5) and 19 (6) (c), as they read immediately before the coming into force of this section, apply to the proceeding. (2) If a proceeding was certified as a class proceeding before the coming into force of this section, the court may, on application by a party to the proceeding: (a) amend the certification order so that persons who would have been members of the class, but for not being resident in British Columbia, are included as members of the class, and (b) order that notice of the amended certification order be given to members of the class who are not resident in British Columbia.

[14]  The other statute that occupies a central role on this appeal is the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, commonly referred to as the “PIPEDA”. The PIPEDA is a statute that applies to businesses like Peoples Trust, that fall within the regulatory jurisdiction of the federal government. Part 1 of the PIPEDA deals with protection of personal information in the private sector. Section 3 sets out its purpose:

3 The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

[15] To that end, the PIPEDA sets out the circumstances in which an entity may collect, retain, and disclose personal information, and the purposes for which that information may be used. It also establishes a Privacy Commissioner. Section 10.1 of the Act requires an organization to report to the Commissioner any breach of security safeguards involving personal information. The Commissioner, either acting upon a complaint or by initiating a complaint, has investigative powers. Upon the conclusion of an investigation, the Commissioner prepares a report including findings and recommendations. Once the Commissioner files the report, a complainant may apply to the Federal Court for a hearing “in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report”. Section 16 of the statute gives the Federal Court broad remedial powers, including the power to award damages to a complainant.

[16] Peoples Trust reported its data breach to the Commissioner in a timely manner. The Commissioner, being satisfied that there were reasonable grounds to investigate the matter, initiated a complaint, and performed an investigation. In due course, the Commissioner produced a report.

[17] The report identified certain weaknesses in the company’s practices leading up to the breach. It considered that Peoples Trust had been cooperative, both in fulfilling its obligations to report the breach, and in its approach to the investigation and the undertaking of mitigative measures. The Commissioner, in the end, found the complaint to be “well-founded” and “resolved”. No one applied to the Federal Court for any further remedy.

…[19] While some statutes are, indeed, codes that comprehensively regulate a domain and completely replace the common law, such statutes are comparatively rare. More often statutes modify the common law in particular ways, leaving it intact except to the extent that it has been displaced. As a general rule, then, the common law and a statutory regime will be allowed to co‑exist where they do not conflict with one another.

[20] Of course, where a statute is in direct opposition to a common law principle, the two cannot co‑exist. As statutes overlay the common law, the statute will prevail in cases of direct conflict.

[21] A statute may also specifically state that it is intended to displace the common law, and such a statement will be effective. For example, the Criminal Code, R.S.C. 1985, c. C‑46 specifically sets out the rules for applying the common law in criminal cases in ss. 8 and 9.

[22] Finally, there are statutes that, while not in direct conflict with the common law, are drafted in such a way as to make it clear that they are intended to comprehensively govern an area, leaving no room for the application of the common law. Such statutes are often referred to as “comprehensive codes”. They are intended to supplant rather than supplement the common law.

Breach of Privacy and Intrusion Upon Seclusion in the Law of B.C.

[53] As I have indicated, the judge found that under the law of British Columbia, there is no cause of action for breach of privacy or intrusion upon seclusion beyond the limited statutory claim provided for in the Privacy Act, R.S.B.C. 1996, c. 373. That statutory claim has no application to this case.

[54] No appeal has been taken from the judge’s ruling...

[55] It is, in some ways, unfortunate that no appeal has been taken. In my view, the time may well have come for this Court to revisit its jurisprudence on the tort of breach of privacy.

[56] There are three decisions of this Court usually cited for the proposition that no common law tort of breach of privacy exists in B.C. The first, chronologically, is Hung v. Gardiner, 2003 BCCA 257. In the court below, in a decision indexed as 2002 BCSC 1234, a chambers judge summarily dismissed a claim that alleged numerous causes of action, including common law breach of privacy. The breach of privacy claim did not figure prominently in the chambers judge’s reasons. He said only:

[110] The plaintiff asserts a common law tort of invasion of privacy in addition to that created by the Privacy Act. She has not provided any authorities that persuade me there is a common law tort of invasion of privacy in this province.

[57] This Court dismissed the appeal, but found it unnecessary to address the issue of whether a common law tort of breach of privacy exists. Levine J.A., for the Court, said:

[4] Mr. Justice Joyce, after a summary trial under Rule 18A of the Supreme Court Rules, dismissed all of the appellant’s claims, finding that they were barred by the absolute privilege that surrounded the act of providing the report to the professional bodies. …. As I agree with that conclusion, I do not find it necessary to review his consideration of the other defences raised, or the appellant’s grounds of appeal on those matters.

[58] The decision of this Court in Hung v. Gardiner, then, does not stand for the proposition for which it is usually cited. It does not touch on the question of whether a common law action for breach of privacy exists in British Columbia.

[59] Mohl v. University of British Columbia, 2009 BCCA 249 was, like Hung v. Gardiner, an appeal brought by a self-represented litigant who was attempting to pursue a convoluted theory of liability in his claim. The case has a rather tortured history. Mr. Mohl failed a course at UBC in 1998, and, after unsuccessful appeals within the University’s administrative regime, brought a judicial review application. He was unsuccessful, both at first instance (Mohl v. Senate Committee on Appeals on Academic Standing, 2000 BCSC 1849) and on appeal (2001 BCCA 722). He then brought a lawsuit against the University, which was dismissed as an abuse of process (Mohl v. The University of British Columbia, 2004 BCSC 1238, appeal dismissed 2006 BCCA 70). After the appeal judgment in that case was released, counsel for the University gave an interview to a reporter in which he stated that Mr. Mohl had failed his practicum and was no longer a student at the University of British Columbia. Those facts were already notorious, having been alluded to in the judgments of the various courts. Mr. Mohl then brought a new action against the University, alleging that it breached his privacy by revealing that he had failed a course. A master refused to strike the claim, but on appeal, a Supreme Court chambers judge struck it. In a judgment indexed as 2008 BCSC 1234, the judge said:

[10] Mr. Mohl puts forward a claim under the Privacy Act in relation to information the University gave to Canwest Global that was later published.  The allegations are contained in paragraphs 91.7 to 94 of the proposed amended Statement of Claim. That document alleges that on February 17th, 2006, following the judgment of the Court of Appeal, counsel for the University gave information to Canwest Global including that Mohl has not been a student since getting a failing grade, and specifically, that the plaintiff had not been a student at the defendant’s University since getting a failing grade in the practicum which was information obtained from the plaintiff’s records at the University, which the defendant had a duty to keep confidential.

[11] The Privacy Act makes it a tort actionable without proof of damages, for a person to “willfully and without claim of right to violate the privacy of another”. As the Act recognizes, however, once the person starts a court action, matters that were once private can cease to be so.

[12] In Mr. Mohl’s case, the fact that he had been failed in his practicum was publicly documented in both the Court of Appeal decisions. The December 2001 decision of the Court of Appeal refers to the fact that the Senate Committee recommended Mr. Mohl should be allowed to repeat the course, but in the words of the Court of Appeal, rather than avail himself of the lifeline offered in the last paragraph of the decision, Mr. Mohl launched a petition under the Judicial [Review] Procedure Act.

[13]  I am of the opinion that, as a result of the release of information occasioned by his litigation, Mr. Mohl, in the words of Rule 19(24), has made a claim that discloses no reasonable claim and which ought to be struck out.

[60] The judgment does not specifically discuss Mr. Mohl’s common law claim for breach of privacy, though the analysis set out above would appear to be equally applicable to that claim.

[61] On appeal, this Court’s judgment with respect to the privacy claim was brief:

[13] As to the judge’s consideration of the breach of privacy claim, in my view he made no reviewable error. There is no common-law claim for breach of privacy. The claim must rest on the provisions of the [Privacy] Act.

[62] The conclusion that “[t]here is no common-law claim for breach of privacy” is, on its face, a broad one, but it is not entirely clear that it was intended to be a bold statement of general principle as opposed to a conclusion with respect to the specific circumstances of Mr. Mohl’s case. In any event, the observation was not critical to this Court’s reasoning.

[63] In Ari, as I have indicated, neither side contended that there was a common law tort of breach of privacy, and this Court was not called upon to decide that issue.

[64] The thread of cases in this Court that hold that there is no tort of breach of privacy, in short, is a very thin one. There has been little analysis in the cases, and, in all of them, the appellants failed for multiple reasons.

[65] It is also important to note that the world has changed significantly, even in the years since Hung v. Gardiner. In Jones v. Tsige, 2012 ONCA 32, the Ontario Court of Appeal recognized the tort of intrusion upon seclusion. It considered the increasing need for legal protection of privacy:

[67] For over 100 years, technological change has motivated the legal protection of the individual’s right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of “the pressing need to preserve ‘privacy’ which is being threatened by science and technology to the point of surrender”: “The Law and Privacy: the Canadian Experience”, at p. 1. See, also, Alan Westin, Privacy and Freedom (New York: Atheneum, 1967). The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, e-mail or text message.

[68] It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

[66] It may be that in a bygone era, a legal claim to privacy could be seen as an unnecessary concession to those who were reclusive or overly sensitive to publicity, though I doubt that that was ever an accurate reflection of reality. Today, personal data has assumed a critical role in people’s lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic.

[67] For that reason, this Court may well wish to reconsider (to the extent that its existing jurisprudence has already ruled upon) the issue of whether a common law tort of breach of privacy exists in British Columbia.

[68] As this appeal does not directly address the question of whether the torts of breach of privacy or intrusion upon seclusion exist in the law of British Columbia, the interesting question of whether the law needs to be rethought will have to await a different appeal.

See also: Leonard v The Manufacturers Life Insurance Company, 2020 BCSC 1840