Legislators and organizations should pay close attention to recent decisions from the BC Court of Appeal ("BCCA") in Campbell v. Capital One ("Capital One")1 and G.D. v. South Coast British Columbia Transportation Authority ("TransLink").2 In these decisions, it appears that the BCCA is asking whether the existing legal regime, including regulatory and civil claims processes, appropriately recognize and serve to protect the privacy rights of individuals.
As discussed in a previous post, these decisions will result in an increased liability risk for organizations storing large amounts of personal information. People whose information is compromised in a cyberattack can now bring a class action lawsuit to trial on the basis that an organization victim to an attack recklessly stored their information. This post discusses the Court's judicial activism and apparent call to lawmakers to legislate stronger remedies and enforcement procedures to protect personal information. The decisions also follow recent decisions broadening the scope of constitutional privacy rights.
A Judicial Invitation
The BCCA has plainly suggested that class-actions should be a motivator to organizations in developing their cyber-security against attacks by third-party threat actors. The Court framed the increased liability risk for organizations as a solution to the lack of statutory remedies available for people whose information is breached in cyberattacks.
Policy reasons appear to have played a key role in the BCCA's decisions. According to Justice Griffin:3
It makes no sense ... from a policy perspective that we would remove the deterrent of a class action claim seeking relief under the Privacy Act from the risk-benefit analysis of a potentially reckless data custodian who is considering whether it is worthwhile to incur the cost of reasonable security measures... the behavior modification effect of class action damages may be significant.
Additionally, the Court did not appear concerned that the decision could result in a flood of claims for damages against organizations for an innocent mistake in securing data in their custody. Instead, the Court concerned itself with crafting an "adequate" legal response to the "flood of unprotected personal information flowing out of the control of the persons whose information it is, and into the hands of bad actors".4
The Court's decision is a call on legislators to increase privacy protections and enforcement mechanisms to motivate organizations to protect personal information vulnerable to cyberattacks. Most of Canada5 lags behind remedies in other jurisdictions. Notably, Data Protection Authorities in Europe have been more seriously regulating and enforcing cyber-security under GDPR. The real threat of enforcement, fines and penalties in Europe has clearly motivated many organizations to address privacy and security in a more sophisticated way than in Canada. While arguably not as active, the Federal Trade Commission in the United States has more substantial means to enforce security standards for various organizations handling personal information.
Of the laws in Canada, BC's privacy laws arguably provide some of the fewest enforcement powers. For example, Alberta's Protection of Information and Privacy Act and the federal Personal Information Protection and Electronic Documents Act both include reporting requirements when an organization's data is subject to a breach.6 In Quebec, regulators can impose fines and penalties.7
Broadening Charter Privacy Rights to the Civil Context
The BCCA also appears to happily adopt a broad approach to the Charter's s.8 protection of privacy by bringing it into the civil context. Section 8 of the Charter protects against unreasonable search and seizure. While "search and seizure" is typically considered in the criminal context, recent decisions have discussed its protection in the civil context and as protecting privacy rights more broadly.
Like the recent York District School Board decision from the Supreme Court of Canada (discussed here), the BCCA found s.8 to be relevant outside the criminal context. York involved a school principal's search of a private log on two teachers' work laptops. Even though s.8 wasn't squarely before the Court as it was in York, the BCCA held that s.8 and Charter jurisprudence could potentially inform the civil breach of privacy tort.
The Charter's relevance in this case was limited to interpreting the Privacy Act and whether the tort could capture an organization's failure to take reasonable measures to safeguard private information in its custody.8 The Court held that the Privacy Act's purpose was to ensure constitutionally-recognized privacy interests, particularly in the era of technology, did not go without a remedy.9
The elevation of a privacy right to a quasi-constitutional status supports the BCCA's policy approach of ensuring organizations are answerable to harms arising from a cyberattack. In taking this approach the BCCA has weighed in on the question of whether the existing legal regime appropriately recognizes and protects the privacy rights of individuals by saying "no" and encouraging class-actions to ensure individuals have a remedy to address their constitutionally recognized privacy interests.
Footnotes
1 Campbell v. Capital One Financial Corporation, 2024 BCCA 253
2 G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252
3 Translink, Para 138
4 Translink Para 137
5 Quebec's Law 25 is the real exception in Canada.
6 34.1(1) of PIPA and 10.1(1) of PIPEDA
7 90(1) of P-39.1
8 Translink Para 68
9 Translink Para 114
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.