Organizations who are the victims of data breaches are often named as defendants in privacy class actions, even when the stolen information was never misused by the third party hackers. Plaintiffs in such "no loss" data breach class actions typically bring common law claims in intrusion upon seclusion and claims under provincial privacy legislation, seeking "moral" damages that can be awarded without proof of loss. 1
Appellate courts have policed the limits of privacy claims – for example, as detailed in our recent bulletin, Fasken represented the successful respondent in Owsianik v. Equifax Canada Co. 2 , a landmark privacy case in which the Ontario Court of Appeal refused to extend the tort of intrusion upon seclusion to data custodians who were victims of data breaches.
The Alberta Court of Appeal has now released its decision in Setoguchi v. Uber B.V. 3 , another proposed "no loss" data breach class action. The plaintiff in Uber advanced a negligence claim based on a novel "first loss" damages theory that, if recognized, would have allowed the class to recover "baseline" damages – compensation solely for the fact that information was subject to unauthorized access. Consistent with Owsianik, the Alberta Court of Appeal rejected the "first loss" theory of damages, and with it the plaintiff's attempt to seek compensation without harm.
Background
The Uber action arose from a 2016 data breach involving unauthorized access to personal and other information of users and drivers that had been collected and stored in a "cloud" by Uber. The plaintiff alleged that Uber did not notify class members or regulators of this data breach, instead choosing to make a ransom payment to the hackers on the promise that the stolen information would be destroyed. The incident was discovered and publicized by the media in 2017. Uber's Chief Security Officer was convicted of charges in the United States for covering up the breach.4
Alberta Court of Queen's Bench Denies Certification
The plaintiff commenced a proposed class action against Uber, ultimately seeking certification only in respect of claims in negligence and breach of contract. The Alberta Court of Queen's Bench dismissed the plaintiff's certification application principally because the plaintiff failed to adduce any evidence of class-wide harm, finding that "on this record, I not only find no evidence of any actual harm or loss, but do find evidence of no actual harm or loss...[emphasis in original]."5
Alberta Court of Appeal Dismisses Appeal
The Alberta Court of Appeal dismissed the plaintiff's appeal from the certification judge's decision. It held that the plaintiff had failed to plead a viable cause of action in negligence and that the certification judge did not err in finding that a class action was not the preferable procedure for resolving a standalone contractual claim for nominal damages.
The preliminary issue before the Court of Appeal was how the "plain and obvious" test was to be applied in the context of a supposedly novel claim. The plaintiff submitted that her novel damages claim should be allowed to proceed on the basis that "no court has ever said, after a full merits trial, that loss of personal information per se is not compensable loss."6
The Alberta Court of Appeal rejected this argument. In building upon Owsianik, the Alberta appellate court held that the "absence of a precedent ruling that a particular claim is not a recognized cause of action does not mean that it is a recognized cause of action", and that certification judges must conduct a first principles analysis at the pleading stage to ensure that such supposedly novel claims have a reasonable prospect of being recognized in law.7
The Court of Appeal held that the "first loss" damages claimed by the plaintiff were not a form of damages compensable in negligence and that, absent a pleading of compensable loss, the plaintiff's negligence claim was certain to fail.
In striking the plaintiff's negligence claim, the Court reaffirmed the long-standing principle that the "proof of negligent conduct without consequences will not ground a claim in negligence" and that damages claimed for the risk of future harm or the increased risk of harm are not generally recognized in Canadian tort law.8 This well-established principle precluded recognition of the plaintiff's "first loss" damages theory, which the Court characterized as an attempt to avoid proving pecuniary damages or actual loss based on a theory of damages that was effectively "the other side of the same coin" of a moral damages award. The Court of Appeal rejected this attempt to read out the proof of loss element from the negligence tort, finding that:9
...A claim for either nominal or symbolic damages cannot ground a claim in negligence. We do not agree that the facts pleaded "cry out for a remedy". The appellant is attempting to maneuver around her inability to demonstrate actual harm or loss from the data breach, by advancing a theory of damages not recognized in law. If accepted, this would be no mere incremental development of the law; rather, a "giant step in a very different direction": Equifax at para 63.
Key Takeaways
The Alberta Court of Appeal's decision in Uber continues the recent trend among Canadian courts to refuse certification of "no loss" data breach class actions and is a welcome development for all organizations that collect and store personal and other information.
The implications of the Uber decision also extend to application of the "plain and obvious" test, particularly in the context of supposedly novel claims. Through its clear endorsement of the Ontario Court of Appeal decision in Owsianik, the Alberta Court of Appeal has directed certification judges in Alberta to meaningfully screen claims at the pleadings stage, and to only certify claims that have a reasonable chance of being recognized in law when tried on their merits.
Footnotes
1. Jones v. Tsige, 2012 ONCA 32 at para. 87; see also: Owsianik v. Equifax Canada Co., 2022 ONCA 813 at para. 77.
2. 2022 ONCA 813.
3. 2023 ABCA 45.
4. See e.g. https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach
5. 2021 ABQB 18 at para. 28.
6. 2023 ABCA 45 at paras. 37-40.
7. 2023 ABCA 45 at paras. 41-46.
8. 2023 ABCA 45 at paras. 53-54.
9. 2022 ABCA 45 at para. 59.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
