The breaches of security safeguards provisions of the Digital Privacy Act under the Personal Information Protection and Electronic Documents Act, which come into effect Nov. 1, make it mandatory for organizations to report any breaches and to notify those who are impacted.
Molly Reynolds, a privacy lawyer with Torys LLP in Toronto, believes the new reporting obligations could increase the volume of class actions because class-action lawyers will be aware of more incidents that pose a risk of harm to Canadians. And that may well lead to more negative exposure for those companies, she says.
“I think what we’re going to see is certainly an increase in the volume of class actions. I think we’re going to see also more publicity of those class actions,” she says.
The result, she adds, is an increased risk of litigation for Canadian private sector companies, which would be accompanied by the potential of reputational harm resulting from negative media attention after the breach is reported.
Sajjad Nematollahi, whose class actions practice with Siskinds LLP in Toronto includes privacy-breach transactions, says he is not so sure the number of class-action cases will increase with the new rules. He says companies have been reporting privacy breaches prior to the implementation of mandatory reporting rules.
“We’ll have to wait and see how this unfolds in terms of whether and to what extent this contributes to increased public reporting of the privacy and data breaches,” he says. “Some of the major breaches have been reported notwithstanding that under PIPEDA there was not a mandatory breach reporting requirement.”
Nematollahi says he can see, however, how this area of law might become more attractive to lawyers as more information is released into the public domain, although analysis of the breach really determines whether or not there is merit to pursue any claims.
Randy Sutton, partner and global co-head of Norton Rose Fulbright Canada LLP’s national class actions team in Toronto, has noticed that high-profile breaches typically attract class actions.
The difference come November, he says, is that smaller breaches will become public with the mandatory reporting. But he says plaintiffs will hesitate to pursue class actions on those smaller breaches if they’re not likely to produce many benefits or value.
And although proof of harm isn’t necessary, the demonstrated damages may not be significant, so there’s often not a huge value assigned to these cases on the settlements, says Sutton.
“I’m not sure they will be significant enough, generally, for there to be much of an uptick in terms of the number of class actions,” he says. “My sense of it is, if it’s a big enough issue, it will become public and the class-action lawyers will have known about it and they will have brought those cases.”
Sutton says Alberta, which already makes breach reporting mandatory, hasn’t had a disproportionate number of class actions.
But privacy class actions are still in the early stages of their development and issues such as regulatory regime, private rights of action and contractual rights still need to develop to further frame the future foundation for class actions, he says.
Historically, privacy class-action settlements have carried relatively low price tags in terms of the amounts paid out to class members, says Reynolds.
“A primary reason for this is that class members are rarely able to prove out-of-pocket expenses or actual harm such as financial fraud arising from data breaches or privacy violations, so most of the compensation is on account of credit monitoring or nominal payments for time spent protecting themselves,” says Reynolds. But because damages in privacy class actions have resulted in settlement and have not yet been subject to judicial consideration, how a court approaches damages in privacy class actions remains an open question, says Nematollahi.
He points to the 2011 Ontario Court of Appeal decision in Jones v. Tsige, which established the tort of invasion of personal privacy known as “intrusion upon seclusion,” in which proof of damages is not necessary. While there are class actions advancing that tort, none has gone to trial.
“We don’t know in the context of class action how the courts will treat the quantum of the damages, but, nonetheless, we have the benefit of some judicial consideration of the tort in individual privacy violation cases. There have been a number of cases that have been determined and, in those individual cases, we’ve seen damages awarded anywhere between $100 [and] $15,000,” he says.
Toronto plaintiff class-action lawyer Jean-Marc Leclerc, a partner with Sotos LLP, isn’t so sure mandatory reporting will result in an increase in privacy transactions, although he says it may provide opportunities for lawyers to further explore breaches to see if there is merit in pursuing class actions.
He says companies have been disclosing breaches of privacy even though, until this point, there has been no requirement for them to do so on a federal level.
“The fact that Canada is adding a mandatory requirement is helpful . . . but it for sure doesn’t have the teeth [that], for example, the European Union has instituted as far as mandatory reporting is concerned,” he says.
He points to a recent Facebook breach revealed this fall. Facebook learned about a privacy intrusion and reported it to the public within a week to avoid huge fines allowed by EU privacy legislation.
“I don’t think we have in Canada laws that have teeth like that. But the good part about the fact that the European Union has such rules is that, if you need to follow the strict standards that are applicable in the European Union, then, by definition, Canadians and people in other jurisdictions are likely to get the benefit of it, assuming we’re talking about businesses with worldwide operations,” says Leclerc.
The issue, he says, is that the new Canadian rule requires companies to report a breach where there is “a real risk of significant harm” — which is a subjective interpretation.
“The language of the reporting requirements has a fair bit of wiggle room from the company’s perspective. If the company is of the view that the breach doesn’t pose ‘a real risk of significant harm,’ then, under the new regulations, it doesn’t have to report. So, the devil will be in the details as to how people interpret that and whether they err on the side of caution,” he says.
Leclerc says the fines in Canada are not so significant when compared to the consequences that can flow from a class action that could be brought. He also feels that the intrusion upon seclusion tort — in which actual harm does not have to be proven in privacy breaches — hasn’t been fully explored. This leaves room for the potential for increased consequences from class actions, he says.
“From my perspective, the question that defence counsel raised about actual harm in these cases is a red herring and what I tend to focus on in my privacy class actions. One big part of this is behaviour modification because I don’t think companies are taking privacy very seriously. I don’t think companies are protecting people’s privacy,” he says.