2024
Court of Appeal finds claims of violation of privacy and negligence arguable in the wake of privacy breach
In the recent decision G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252 (“GD v. TransLink”), the British Columbia Court of Appeal (“BCCA”) found that it is at least arguable that an organization which collects and holds third-party personal information, without adequately protecting that information from a data breach, is liable for the statutory tort of violation of privacy. The BCCA also found that it was at least arguable that a claim based on negligence for breach of a common law duty of care could be advanced along the same lines.
Background
In December 2020, South Coast British Columbia Transportation Authority (“TransLink”) was subject to a cyber attack in which the personal information of the appellants, who are former TransLink employees, was compromised.
In response to the breach, several former TransLink employees filed a proposed class action. The plaintiffs were required to demonstrate that their pleadings disclose a cause of action. The plaintiffs asserted four causes of action: violation of privacy, negligence, conversion, and unjust enrichment. The British Columbia Supreme Court (“BCSC”) found that each claim was bound to fail; therefore, the plaintiffs’ pleadings did not disclose a cause of action under the Privacy Act or in negligence.
For more detail on the BCSC decision please see our September 2023 newsletter article “Limits on Liability: Recent Court Decision Considers Public Body’s Liability in the Wake of Privacy Breach”.
The Decision
The BCCA was tasked with determining whether the judge in the BCSC decision erred in concluding that it was plain and obvious that:
- The appellants' claim under s. 1(1) of the Privacy Act was bound to fail.
- The appellants' claim in common law negligence was bound to fail.
Issue 1 – Violation of Privacy
The BCSC found that only the cyber attacker, not the entity storing third-party personal information, would be liable for violation of privacy under the Privacy Act. The BCCA disagreed, finding that the allegations that TransLink wilfully violated the privacy of the plaintiffs and class members, contrary to the Privacy Act, were sufficiently pleaded to sustain a cause of action.
The BCCA concluded that it was at least arguable that an entity’s failure to take reasonable measures to safeguard private information that it collects against a breach is itself a violation of a person's privacy.
The BCCA considered the proper interpretation of the Privacy Act. Section 1(1) of the Privacy Act provides:
1 (1) “It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another”
The BCCA found that the BCSC’s interpretation of section 1(1) was too narrow, and that the purpose of the Act is to protect privacy interests by ensuring that harms to those interests do not go without a remedy. The BCCA also found that the term “wilfully” could include reckless behaviour, or behaviour based on an unreasonable belief.
The Court concluded that, depending on the facts found at trial, it is arguable that a trial judge could find TransLink wilfully violated the reasonable expectations of privacy of the class members within the meaning of the Privacy Act by its reckless conduct enabling the data breach. It is arguable that a person’s reasonable expectation of privacy could include the expectation that their personal information and privacy will be protected by the entity to which they entrusted it. Therefore, depending on the circumstances, it is at least arguable that a claim of wilful violation of privacy against an organization that has collected private information, but failed to safeguard it from an unrelated cyber attacker, could succeed.
Issue 2 – Negligence
The BCCA disagreed with the BCSC’s decision that the cause of action in negligence was bound to fail. The BCCA found that if it was proven TransLink had failed to meet its obligations to protect the appellants’ privacy, that would inform the analysis of the appellants’ reasonable privacy expectations when they provided their information to TransLink, and whether TransLink’s conduct was a wilful violation of privacy.
The BCCA also found that the BCSC had overlooked the separate claim pleaded in negligence based on a common law duty of care, which did not rely on a breach of section 30 of the Freedom of Information and Protection of Privacy Act (“FIPPA”). A common law duty of care can exist alongside a statutory duty; therefore, FIPPA does not displace the common law for civil claims arising from breaches of privacy or careless storage of personal information by public bodies.
To establish a common law tort in negligence there must be a duty of care between the parties through a sufficiently proximate relationship and a reasonable foreseeability of harm. There also must not be any residual policy considerations that would negate or limit the scope of that duty.
Due to the sufficient proximity in the relationship between the defendant and the plaintiffs, the novelty of the cause of action, and the sensitivity of the information allegedly taken, the BCCA held that it was not plain and obvious the negligence claim would fail. The pleading of the claim was restored and the certification application was remitted to the trial court.
Key Takeaways:
The BCCA’s decision in GD v. TransLink opens the door for the advancement of claims of statutory tort of breach of privacy and common law negligence in the event of a data breach. We say the BCCA “opened the door” to such claims because it did not find that those claims exist at law; rather, it found that there was an arguable case that they exist at law. While local governments should take note of the potential for increased liability in the event of a data breach, any alarm bells should be tempered by two points.
First, it is important to note that while the BCCA has cleared the way for a potential finding of breach of privacy or common law negligence in this case, these claims have not yet successfully been made. The decision in GD v. TransLink held that such claims were not bound to fail. It was not a finding on the actual merits of those claims. The matter has been remitted back to the trial court to consider the remaining elements of certification for a class proceeding. In the event that the class proceeding is certified, only then will the claims for common law negligence and breach of privacy under the Privacy Act be adjudicated.
Second, while the decision in GD v. TransLink may open the door for new causes of action in relation to a data breach, it does not suggest that public bodies are to be held to a higher standard with regard to safeguarding against a data breach. The same obligations that exist under FIPPA for public bodies to make reasonable security arrangements – proportional to the sensitivity of the personal information in question – against unauthorized collection, use, disclosure or disposal of information in the public body’s custody or control remain applicable.
Ultimately, the decision in GD v. TransLink serves as a strong reminder to local governments of the necessity and importance of taking strong and proactive steps to prevent data breaches, and mitigate the harm such a breach would cause. The precise evolution of the law in BC surrounding privacy liability in the wake of this decision remains to be seen.
James Barth & Aishling Carson