The premier weekly newspaper for the legal profession in Ontario
Issue link: https://digital.lawtimesnews.com/i/1044029
Law Times • OcTOber 29, 2018 Page 11 www.lawtimesnews.com Privacy-breach class actions may see an uptick BY MARG. BRUINEMAN For Law Times S ome lawyers are expect- ing that new mandatory breach reporting under Canada's privacy legisla- tion may result in an increase in the number of privacy class actions, which are still in their relative infancy and continue to evolve. The breaches of security safe- guards provisions of the Digital Privacy Act under the Personal Information Protection and Elec- tronic Documents Act, which comes into effect Nov. 1, makes it mandatory for organizations to report any breaches and to notify those who are impacted. Molly Reynolds, a privacy lawyer with Torys LLP in To- ronto, believes the new report- ing obligations could increase the volume of class actions be- cause class-action lawyers will be aware of more incidents that pose a risk of harm to Cana- dians. And that may well lead to more negative exposure for those companies, she says. "I think what we're going to see is certainly an increase in the volume of class actions. I think we're going to see also more pub- licity of those class actions," she says. The result, she adds, is an increased risk of litigation for Canadian private sector com- panies, which would be accom- panied by the potential of repu- tational harm resulting from negative media attention after the breach is reported. Sajjad Nematollahi, whose class actions practice with Sis- kinds LLP in Toronto includes privacy-breach transactions, says he is not so sure the number of class-action cases will increase with the new rules. He says com- panies have been reporting pri- vacy breaches prior to the imple- mentation of mandatory report- ing rules. "We'll have to wait and see how this unfolds in terms of whether and to what extent this contributes to increased pub- lic reporting of the privacy and data breaches," he says. "Some of the major breaches have been reported notwithstanding that under PIPEDA there was not a mandatory breach reporting re- quirement." Nematollahi says he can see, however, how this area of law might become more attractive to lawyers as more information is released into the public domain, although analysis of the breach really determines whether or not there is merit to pursue any claims. Randy Sutton, partner and global co-head of Norton Rose Fulbright Canada LLP's national class actions team in Toronto, has noticed that high-profile breaches typically attract class actions. The difference come No- vember, he says, is that smaller breaches will become public with the mandatory reporting. But he says plaintiffs will hesitate pursu- ing class actions on those smaller breaches if they're not likely to produce many benefits or value. And although proof of harm isn't necessary, the demonstrat- ed damages may not be signifi- cant, so there's often not a huge value assigned to these cases on the settlements, says Sutton. "I'm not sure they will be sig- nificant enough, generally, for there to be much of an uptick in terms of the number of class actions," he says. "My sense of it is, if it's a big enough issue, it will become public and the class- action lawyers will have known about it and they will have brought those cases." Sutton says Alberta, which already makes reporting breach notifications mandatory, hasn't had a disproportional number of class actions there. But privacy class actions are still in the early stages of their development and issues such as regulatory regime, private rights of action and contractual rights still need to develop to further frame the future foundation for class actions, he says. Historically, privacy class- action settlements have carried relatively low price tags in terms of the amounts paid out to class members, says Reynolds. "A primary reason for this is that class members are rarely able to prove out-of-pocket ex- penses or actual harm such as financial fraud arising from data breaches or privacy violations, so most of the compensation is on account of credit monitoring or nominal payments for time spent protecting themselves," says Reynolds. But because damages in privacy class actions have resulted in settlement and have not yet been subject to ju- dicial consideration, how a court approaches damages in privacy class actions remains an open question, says Nematollahi. He points to the 2011 Ontar- io Court of Appeal decision in Jones v. Tsige, which established the tort for the invasion of per- sonal privacy "intrusion upon seclusion" in which proof of damages is not necessary. While there are class actions advancing that tort, none has gone to trial. "We don't know in the con- text of class action how the courts will treat the quantum of the damages, but, nonetheless, we have the benefit of some ju- dicial consideration of the tort in individual privacy violation cas- es. There have been a number of cases that have been determined and, in those individual cases, we've seen damages awarded anywhere between $100 [and] $15,000," he says. Toronto plaintiff class-action lawyer Jean-Marc Leclerc, a partner with Sotos LLP, isn't so sure mandatory reporting will result in an increase in privacy transactions, although he says it may provide opportunities for lawyers to further explore breaches to see if there is merit in pursuing class actions. He says companies have been disclosing breaches of privacy even though, until this point, there has been no requirement for them to do so on a federal level. "The fact that Canada is add- ing a mandatory requirement is helpful . . . but it for sure doesn't haven't have the teeth [that], for example, the European Union has instituted as far as mandatory reporting is concerned," he says. He points to a recent Face- book breach revealed this fall. Facebook learned about a pri- vacy intrusion and reported it to the public within a week to avoid huge fines allowed by EU privacy legislation. "I don't think we have in Canada laws that have teeth like that. But the good part about the fact that the European Union has such rules is that, if you need to follow the strict standards that are applicable in the European Union, then, by definition, Ca- nadians and people in other ju- risdictions are likely to get the benefit of it, assuming we're talk- ing about businesses with world- wide operations," says Leclerc. The issue, he says, is that the new Canadian rule requires companies to report a breach where there is "a real risk of sig- nificant harm" — which is a sub- jective interpretation. "The language of the report- ing requirements has a fair bit of wiggle room from the company's perspective. If the company is of the view that the breach doesn't pose 'a real risk of significant harm,' then, under the new regu- lations, it doesn't have to report. So, the devil will be in the details as to how people interpret that and whether they err on the side of caution," he says. Leclerc says the fines in Can- ada are not so significant when compared to the consequences that can f low from a class ac- tion that could be brought. He also feels that the intrusion upon seclusion tort — in which actual harm does not have to be proven in privacy breaches — hasn't been fully explored. This leaves room for the potential for in- creased consequences from class actions, he says. "From my perspective, the question that defence counsel raised about actual harm in these cases is a red herring and what I tend to focus on in my privacy class actions. One big part of this is behaviour modi- fication because I don't think companies are taking privacy very seriously. I don't think companies are protecting peo- ple's privacy," he says. LT FOCUS Molly Reynolds says new reporting obli- gations around privacy breaches could increase the volume of class actions because class-action lawyers will be aware of more incidents that pose a risk of harm to Canadians. Available risk-free for 30 days Online: store.thomsonreuters.ca Call Toll-Free: 1-800-387-5164 | In Toronto: 416-609-3800 © 2018 Thomson Reuters Canada Limited 00252WV-A93433-CM New Edition Aboriginal Law Handbook, 5th Edition Olthuis Kleer Townshend LLP New in this edition • Rapidly evolving issues related to the duty to consult Aboriginal communities, including emerging national and international standards related to "free, prior and informed consent" • New developments in the field of Aboriginal economic development including the evolution of impact benefit agreements, emerging structures for Aboriginal corporations and resource revenue sharing, trusts structures that support community development, and taxation issues specific to Aboriginal communities • Aboriginal family and social issues including marriage, separation, and divorce, child welfare, wills and estates, and human rights and privacy • Aboriginal education including the legacy of residential schools, and the work of the Truth and Reconciliation Commission • Aboriginal justice issues, including inquiries and commissions on Aboriginal issues, criminal procedure in an Aboriginal context, Aboriginal justice initiatives, and injunctions and blockades The 5 th edition includes the following case law: • Bernard v. R., Canada (Attorney General) v. Fontaine, Chippewas of the Thames First Nation v. Enbridge Pipelines Inc., Clyde River (Hamlet) v. Petroleum Geo Services Inc., Descheneaux c. Canada (Procureur général), First Nation of Nacho Nyak Dun v. Yukon, Gehl v. Canada, Goodswimmer v. Canada (Attorney General), Kahkewistahaw First Nation v. Taypotat, Ktunaxa Nation v. British Columbia (Forests, Lands and Natural Resource Operations), Ross v. Saskatchewan, Tsilhqot'in Nation v. British Columbia It also includes a new introductory chapter by the distinguished former Canadian parliamentarian and Ontario premier, Bob Rae. Order # L7798-8650-65203 $150 Softcover September 2018 approx. 880 pages 978-0-7798-8650-0 Shipping and handling are extra. Price(s) subject to change without notice and subject to applicable taxes.