NSCA says no expectation of privacy in address information

On January 28th the Nova Scotia Court of Appeal dismissed a privacy breach allegation that was based on a municipality’s admitted disclosure of address information to a related service commission so the service commission could bill for certain statutorily mandated charges. The Court held there was no reasonable expectation of privacy in the information disclosed, reasoning as follows:

Mr. Banfield’s information was not confidential, secret or anonymous. Neither did it offer a glimpse into Mr. Banfield’s intimate, personal or sensitive activities. Nor did it involve the investigation of a potential offence. Rather, it enabled a regulated public utility to invoice Mr. Banfield with rates approved under statutory authority for a legally authorized service that, in fact, Mr. Banfield received.

Banfield v. Nova Scotia (Utility and Review Board), 2020 NSCA 6 (CanLII).

BC class action alleging vicarious liability for employee’s snooping to proceed

Yesterday the Court of Appeal for British Columbia held that a class action alleging vicarious liability for breach of the British Columbia Privacy Act should not be struck.

The claim is based on an allegation that an ICBC employee improperly accessed the personal information of about 65 ICBC customers. The Court dismissed ICBC’s argument that the Privacy Act only contemplates direct liability because its statutory tort rests on wilful misconduct. The Court reasoned that a requirement of deliberate wrongdoing is not incompatible with vicarious liability.

ICBC also raised a seemingly dangerous policy question for a data breach defendant: “Should liability lie against a public body for the wrongful conduct of its employee, in these circumstances?” The Court said this question should be answered based on a full evidentiary record.

While allowing the vicarious liability claim to proceed, the Court held that the plaintiff could not found a claim on an alleged breach of the safeguarding provision in British Columbia’s public sector privacy act. It did consider whether to recognize a common law duty to abide by the safeguarding provision, but held that it should not do so based on policy grounds, including the need to defer to the comprehensive administrative remedial regime provided for by the legislature.

Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (CanLII).

BC court dismisses class action about iOS4 location services

On September 30th, the Supreme Court of British Columbia dismissed a motion for certification of a class proceeding against Apple that was about the recording of location data on Apple devices running the iOS4 operating system.

The Court applied significant rigor in weighing the proposed action against the certification criteria, giving heavy scrutiny to both the pleadings and the evidence filed in support of certification.

The Court’s finding on the common issues criterion may have broader implications. The Court acknowledged that the scope of one’s right to privacy under the BC Privacy Act is determined by the context. The plaintiff, the Court said, “has not shown any basis in fact to conclude that the reasonableness and context could be proved on a class-wide basis.” The Court reached the same conclusion regarding the “without claim/colour of right” issue – an issue that speaks to an essential element of a breach of privacy claim.

Ladas v Apple Inc., 2014 BCSC 1821 (CanLII).

HT to Barry Sookman.

Settlement approved in Canadian cyber attack suit

On June 10th, the Ontario Superior Court of Justice approved a settlement in a class action brought against Sony of Canada Ltd. and others. The action (for breach of contract) followed an April 2011 cyber attack that targeted accountholder information of approximately 4.5 million individuals enrolled in various Sony online services. The following is the Court’s summary of the settlement:

Class Members who had a credit balance in their PSN or SOE account at the time of the Intrusions but have not used any of their accounts shall receive cash payments for credit balances.
The Sony Entities will make available online game and service benefits to class members geared principally to the type of account (PSN, Qriocity, and/or SOE) held by the class member at the time of the Intrusions.
The settlement benefits are available through a simple process. To become entitled to benefits, Class Members need only to complete a claim form.
The Sony Entities will reimburse any Class Members who can demonstrate that they suffered Actual Identity Theft, as defined in the Settlement Agreement. Class Members that prove Identity Theft can submit claims for reimbursement of out-of-pocket payments (not otherwise reimbursed) for expenses that are incurred as a direct result of the Actual Identity Theft, up to a maximum of $2,500.00 per claim.
The Sony Entities are to pay for the costs associated with providing notice of the Settlement Agreement and the settlement approval hearing, all administration costs, as well as an agreed amount for plaintiffs’ lawyers’ fees and expenses ($265,000).

The parties sent a notice of certification and notice of motion for settlement approval to 3.5 million e-mail addresses. Fifteen percent of the e-mails were returned as undeliverable, 28 individuals opted out and nobody objected.

Justice Perell noted that the agreement was premised on the understanding that there has in fact been no improper use of personal information resulting in identity theft. He also said, “The Settlement Agreement reflects the state of the law, including possible damage awards, for breach of privacy/intrusion upon seclusion and loss/denial of service claims.”

Maksimovic v Sony of Canada Ltd, 2013 CanLII 41305 (ON SC).