In G.D. v. South Coast British Columbia Transportation Authority, the B.C. Supreme Court declined to certify a proposed class action against a B.C. public body that experienced a data security incident. The decision teaches that a plaintiff's bare assertion that a defendant willfully violated their privacy contrary to the B.C. Privacy Act cannot pass muster at the certification stage, and B.C. public bodies owe no private law duty of care to comply with s. 30 of the B.C. Freedom of Information and Protection of Privacy Act ("FIPPA"), which requires B.C. public bodies to protect personal information by making reasonable security arrangements.
Background
A group of former public sector employees filed a proposed class action against their former employer's parent company in connection with a data security incident that allegedly affected their personal information. At the certification stage, the plaintiffs made two main claims: (1) the defendant breached s. 1 of the Privacy Act by willfully and without claim of right violating their privacy; and (2) the defendant breached a private law duty of care to comply with s. 30 of FIPPA by failing to protect their personal information by making reasonable security arrangements.
A bare assertion that the defendant willfully violated privacy is insufficient
The plaintiffs alleged that the defendant's actions and omissions "knowingly or recklessly caused, enabled, or resulted in" the data security incident. But the court found that these "bald and conclusory allegations" failed to meet the standard required at the certification stage. Specifically, the plaintiffs failed to plead any material facts to support any willful violation of privacy by the defendant, as distinct from the third-party cybercriminals who willfully caused the incident. Absent any material facts that could support a willful violation of privacy by the defendant, the court concluded that the Privacy Act claim was bound to fail.
A statutory duty does not automatically create an actionable private law duty of care
The plaintiffs alleged that the defendant owed them a private law duty of care to protect their personal information based on s. 30 of FIPPA. But the court noted that B.C. courts have consistently rejected the idea that s. 30 of FIPPA creates any actionable private law duty of care. Although it requires B.C. public bodies to protect personal information by making reasonable security arrangements, it does not create an actionable private law duty of care, and public policy considerations-including the spectre of indeterminate liability for every B.C. public body that collects personal information-militate against recognizing such a duty. Absent a duty of care, the court concluded that the negligence claim was bound to fail.
Because the plaintiffs failed to meet the first requirement for certification-pleading cause of action-the court denied certification.
Key lessons
G.D. teaches two key lessons for private and public organizations in British Columbia. First, it teaches that a plaintiff's bare assertion that a defendant willfully violated their privacy contrary to the Privacy Act, which applies to both private and public organizations in British Columbia, cannot pass muster at the certification stage. Although a plaintiff need not prove their case to achieve certification, a plaintiff must at least plead materials facts that, if proven, would amount to a valid cause of action against a named defendant.
Second, it teaches that B.C. public bodies owe no private law duty of care to comply with s. 30 of FIPPA. Although B.C. public bodies have a statutory duty to protect personal information in their custody or control, this duty does not translate into a private law duty of care actionable in negligence.
To view the original article click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
